Internet Extortion and Information Security

Mathieu Deflem
www.mathieudeflem.net
&
Brian Hudak

This is an online copy of a chapter published in Organized Crime: From Trafficking to Terrorism, edited by Frank G. Shanty, pp. 289-292. Santa Barbara, CA: ABC-CLIO, 2008. Also available in print-friendly pdf format.

Cite as: Deflem, Mathieu and Brian Hudak. 2008. "Internet Extortion and Information Security." Pp. 289-292 in Organized Crime: From Trafficking to Terrorism, edited by Frank G. Shanty. Santa Barbara, CA: ABC-CLIO.



In the current age of computers and the internet, crimes can also take on forms that are digital in kind. Cybercrimes include attacks on computer security threatening the confidentiality, integrity, or availability of digital data, or they involve the execution of traditional offenses, such as theft and fraud, by means of computers and computerized networks (Deflem and Shutt forth.; Grabosky and Smith 2001). Among the latter kind of cybercrime is internet extortion (also referred to as digital extortion or cyber extortion). Extortion refers to the making of a particular demand on a person under threat of causing harm (Bednarski 2004; Grabosky, Smith and Dempsey 2001). The object of the extortion demand is often of a monetary nature but can also include non-financial considerations, such as sexual favors or discretionary actions. Extortion activities are typically directed at wealthy individuals or at organizations that have considerable assets. Most nations across the world have laws against extortion, with punishments varying with the degree of seriousness of the circumstances of the offense.

Types of Internet Extortion

At least five types of internet extortion can be identified (Bednarski 2004; Grabosky, Smith and Dempsey 2001). First, an information system or digital technology, such as the internet or a computer network, can be used as a medium of extortion. For example, in the mid-1990s, a case was exposed whereby a man visited an online chatroom posing as a woman to engage in sexual banter with other visitors. The man would then also pose as the woman’s husband and threaten the other visitors with bodily harm should they not pay a certain amount of money. Because the extortionist did not hide his identity, he was easily discovered and brought to trial. Other such internet extortion schemes involve deliberate attempts to hide one’s identity and the source of communications, for instance by looping and weaving messages through various servers or by establishing email accounts that are anonymous or based on fraudulent credit card information. An extortionist can also use encryption methods to communicate in secrecy with the targeted victim on public forums such as a computer bulletin board.

Second, in other extortion plots, the digital technology may become the target of the threat. The technology itself may be valuable to the victim because of the information and data that it contains or, as in the case of the websites, because it is a source of income or represents an important element in a person’s or organization’s public image. Extortion threats have been reported whereby the owners of websites were threatened to have their posted information deleted. On other occasions, the webpages were already disabled after which a threat was made to have the website restored. Another manifestation of this form of internet extortion is website defacement, whereby a website is transformed into pages that contain obscenities or a weblink pointing to a competing organization.

A related method of internet extortion is a denial-of-service attack that makes websites unusable. In February 2004, for example, such attacks were launched against the website of the Recording Industry Association of America with a demand to stop prosecuting people who share music on the internet. When the demand was not met, the website became temporarily inaccessible. Internet gambling sites have been among the preferred targets of denial-of-service attacks. A few years ago, for example, some individuals emailed the operator of the Bet Costa Rica International Sportsbook website, which receives about $2 billion in bets every year. The emailers demanded $40,000 under threat of disabling the site.

In a third form, the digital technology can be used as a medium for the disclosure of embarrassing or harmful information about the victim. The word-wide popularity of the internet has made it possible for information about people and institutions to be available to a global community of spectators. Extortion cases are known whereby celebrities were threatened to have embarrassing pictures posted online unless payments were made.

Fourth, a digital information system can be used as a means of enabling payments or for concealing payments that are part of an extortion plot. In traditional forms of extortion, the moment that payment is made typically exposes the extortionist to the victim, who might have solicited the help of law enforcement authorities. With the internet, however, online payments can be made that involve electronic transfers to various accounts in multiple jurisdictions.

And, fifth, digital technologies can be used as additional instruments in an extortion scheme. The internet contains a lot of information about people, oftentimes posted without their knowledge, and such information can be easily gathered with the help of search engines and software packages. It is relatively easy for an extortionist to so find out embarrassing details about a potential victim.

Characteristics of Internet Extortion

Internet extortion schemes are observed in many parts of the world (Bednarski 2004). Especially at a more organized level, internet extortion has been repeatedly discovered in the Eastern European countries that have only relatively recently seen their economies move to a free market model. The resulting enhanced opportunities of legitimate economic conduct have also brought about new means for illegitimate enterprises. In most advanced-capitalist nations of the world, however, these opportunities have long existed and fueled an individualist culture that besides many legitimate actions also facilitates extortion. Internet extortion is thus a truly global phenomenon.

The perpetrators of internet extortion can be singular individuals as well as organized crime groups. For example, a group of hackers who had unsuccessfully tried to extort the credit card company Visa, demanding several million dollars in return for credit card information they had stolen, upon their arrest turned out to be a relatively small group of people in their late teens and early twenties. Similarly, the members of a Russian extortion gang, which had demanded several thousands of dollars from owners of gambling websites, were discovered to be just three people, one of whom was a 21-year old college student. On a more organized level, some cyber extortionists function as ‘information merchants,’ who conduct a veritable business in the sale of information and extortion schemes to obtain substantial monetary profits (Bednarski 2004).

The response to extortion threats by the targeted victims also differs. When few years ago a gambling website received an extortion threat a week before a major sport event, the company that owned the site decided not to pay the extortionists, resulting in a two-day period of denial-of-service attacks that disabled the site. But other site owners have given in to the extortion demands. The gambling site MVPsportsbook, for instance, paid extortionists a sum of money that was asked for, because it was judged financially beneficial to do so relative to losing revenue from a disabling of the site.

Regulation and Enforcement Policies

Like other cybercrimes, internet extortion has been subject to legal regulation and law enforcement control (Grabosky, Smith and Dempsey 2001). Existing laws on extortion can be applied to internet extortion schemes, but many countries have passed separate laws concerning extortion involving digital technologies. In the United States, the Computer Fraud and Abuse Act (1996), for instance, criminalizes any act of extortion involving computerized means. Other legal means to suppress extortion involve the application of regulations related to extortion cases, such as by means of copyright laws that protect information and on the basis of confidentiality clauses that prohibit to reveal certain kinds of information.

From a policy viewpoint, the popularity of the internet and its spread across the globe pose special problems of law enforcement related to the technological sophistication and international nature of many cybercrimes (Deflem and Shutt, forth.; Grabosky, Smith and Dempsey 2001). Many nations have developed explicit criminal codes against cybercrimes. Accompanying these new laws, law enforcement units specializing in cybercrimes and other high-technological offenses have been set up within the police and security services of many nations. International cooperation among these law enforcement units in extortion cases can rely on Mutual Legal Assistance Treaties that specify cooperation in various aspects of investigation and prosecution.

An important challenge for law enforcement in the case of internet extortion is to retrieve the identity and location of the perpetrator. Encryption of electronic messages enhances the difficulties in tracing the source of internet extortion. And, as is the case with all forms of extortion, the victims of internet extortion schemes are not always willing to report the offense and reveal their vulnerability. Preventive measures are therefore in order to protect against potential extortion schemes in cyberspace.

Bibliography
  • Bednarski, Gregory M. 2004. “Enumerating and Reducing the Threat of Transnational Cyber Extortion against Small and Medium Size Organizations.” InformationWeek (September 2004). Available online at: http://www.informationweek.com/1005/report.htm (Date of access: February 16, 2005).
  • Deflem, Mathieu, and John E. Shutt. Forth. “Law Enforcement and Computer Security Threats and Measures.” In The Handbook of Information Security, edited by Hossein Bidgoli. Hoboken, NJ: John Wiley & Sons, forthcoming.
  • Denning, Dorothy E. and William E. Baugh, Jr. 2000. “Hiding Crimes in Cyberspace.” Pp. 107-131 in Cybercrime: Law Enforcement, Security and Surveillance in the Information Age, edited by Douglas Thomas and Brian D. Loader. London: Routledge.
  • Grabosky, Peter and Russell G. Smith. 2001. “Telecommunication Fraud in the Digital Age: The Convergence of Technologies.” Pp. 29-43 in Crime and the Internet, edited by David S. Wall. London: Routledge.
  • Grabosky, Peter, Russell G. Smith, and Gillian Dempsey. 2001. Electronic Theft: Unlawful Acquisition in Cyberspace. Cambridge, UK: Cambridge University Press.