Are Irish businesses targeting each other with cyber crime?
From florists to poker sites, when your site goes down it might not be a random hacker
Company victims of a DDoS attack think a competitor was more likely to have been the perpetrator than a standard cyber criminal. Photograph: Getty Images
Unless you spend a lot of time playing poker on your computer, you have probably never heard of Phil Nagy. But Mr Nagy, who runs an outfit called the Winning Poker Network, has just done something that might interest a lot of better-known, and less colourful, executives.
A few weeks ago, just as his network was holding a big tournament series, it was hit by a powerful cyber attack that forced Mr Nagy to scrap or postpone some events. This was not a step he took lightly. As he explained in a rueful video message to customers about the “crap” incident, some players could be so upset that the next time they saw him, they might “kick me in the nuts”.
What he said in the rest of the video was more jolting. While the poker network was under assault, he explained, the attacker had made contact on the site’s live chat section, where someone had asked: “Why don’t you just go get a job?”
“I have a job,” the attacker replied. “Another site pays me to attack you.”
Mr Nagy admitted it was hard to know if this was true, but he was looking at offering a “really big” reward to anyone with proof about who had ordered the attacks.
It would be one thing if this were a one-off incident that only affected poker sites and other sites you might not admit to visiting in a job interview, but it is not, say those at the front line of the cyber security industry, and the companies affected.
Mr Nagy’s assailant used a ploy known as a “distributed denial of service”, or DDoS attack, where websites are bombarded by a crippling barrage of fake traffic.
There is nothing new about DDoS attacks. They have been blamed for derailing the sites of everything from global banking groups to government ministries for years. Culprits are typically described as cyber criminals out for political gain or a chunky ransom in return for ending the attack. But businesses now have another suspect: each other.
Company victims of a DDoS attack think a competitor was more likely to have been the perpetrator than a standard cyber criminal, a survey of more than 4,000 company representatives in 25 countries revealed this year.
Just 38 per cent of the victims pointed to criminals, compared with 43 per cent who fingered rivals, the poll by the cyber security firm Kaspersky Lab found. One reason: launching a DDoS attack has never been so easy or cheap.
“The game has changed now,” Raj Samani, chief scientist at McAfee, told a Wired magazine conference in London last week. “The ability to go out and disrupt your competition can be done for less than the price of a cup of coffee.”
Mr Samani said gaming sites were not the only victims. He showed a screen shot, taken about 12 months ago, of a chat forum where a ransomware attacker claimed to have been hired by an unnamed Fortune 500 company “to cyber disrupt day-to-day business of their competition”.
Another speaker, John Graham-Cumming, said rival florists had DDoS-ed each other on Valentine’s Day.
Mr Graham-Cumming, chief technology officer at the Cloudflare web security group, told me later that this showed how vulnerable companies can be, especially if they do a lot of business at certain times of the year. Cloudflare says a new DDoS attack is launched every three minutes against one of its six million customers.
It is tempting to think that cyber security companies would say this. Yet they are not the only ones insisting businesses need to take cyber attacks more seriously.
The level of under-reporting is “alarming”, says Paul Hoare, a senior manager at the UK’s national cyber crime unit. Authorities received just 178 reports of a DDoS attack in the three months between May and June this year. Mr Hoare says that looks like “snowflakes on the tip of the iceberg” considering the scale of the problem, and makes it much harder to catch or deter perpetrators.
The reluctance of companies to admit vulnerability is understandable. The robustly open approach of the Winning Poker Network may not be for all. But if companies continue to be guarded about the extent of this problem, they should not be surprised if it continues to grow. – Copyright The Financial Times Limited 2017