Botnets can be used to blackmail targeted sites
By Jon Swartz and Byron Acohido, USA TODAY
SAN FRANCISCO - Botnets work beautifully for blackmail.
Cyberextortionists have perfected denial-of-service attacks, in
which thousands of bots are directed to bombard a targeted website with
nuisance requests, effectively preventing anyone else from connecting to the
site.
The crooks threaten to paralyze websites for video games,
financial institutions and small e-commerce businesses - unless the website
owners pay protection money.
Denial-of-service attacks using armies of bots are "as big
a business as ever," says Dmitri Alperovitch, director of intelligence
analysis for Secure Computing. In late February, it detected a large botnet
attack on more than two dozen gambling sites in what appeared to be an
extortion shakedown, he says.
Bots come cheaply. A network of several thousand compromised PCs
costs $1,000 to $2,000 a day and is often sold by the people who run it,
called bot-herders. That's enough to take down a business unwilling to pay
$30,000 to $60,000 in protection money, says Jose Nazario, senior security
researcher at Arbor Networks. And launching attacks is just a Google search
away, since several botnets for hire are listed online, says Mark Sunner, chief
security analyst at MessageLabs.
Some bot-herders are offering steep discounts because there are so
many botnets available for hire, says Nazario. His company reports that botnets
used in denial-of-service attacks number in the tens of thousands - twice as
many as a year ago.
Still, much of the crime goes unreported because it is targeted at
gambling sites, which are illegal in the USA, Alperovitch says. "It's the
perfect victim profile: They will pay a lot to get the attack to stop since
they are losing money, and they are unlikely to report the attack to U.S. law
enforcement."
Swartz reported from San Francisco, Acohido from Seattle.