It used to be that if a teenager were going to cause hundreds of thousands or even millions of dollars’ worth of damage to your business, the incident would have to involve your kid, your car, and a load-bearing wall of your brick-and-mortar storefront. As it turns out, those were the good old days.
Now we live in a murky world of frequent cyberattacks and their big-time associated damages, and while it’s all too easy to imagine state-sponsored Russian hackers, underhanded competitors or grizzled hired professionals behind them, that is very often not the case.
The real question is – is your business teen-proof?
Weapon of choice
Rare is the business or website owner who doesn’t involuntarily shudder at the mention of a distributed denial of service or DDoS attack. For good reason. The oft-cited attack cost of between $20,000 and $100,000 per hour is calculated by totaling up the costs of mitigating the attack, and restoring the services that were brought down. That’s it.
What about the cost of lost revenue, interrupted business processes and reputational damage, you might wonder, slow horror creeping across your face. That’s right, those five- and six-figure per-hour estimates don’t even take into account what might end up being some of the biggest costs of all. It’s unbelievable enough that a single person can do this kind of damage to a business without even setting foot in it, without even being in the same country as it. It gets even worse when you think the person responsible may have just gotten home from band practice.
Fun and games
At the end of January, Dutch intelligence agency AIVD was outed as the source of information that prompted the US’s investigation into Russian interference in the US presidential election. Shortly thereafter a number of Dutch financial institutions buckled in the face of DDoS attacks, as did the country’s tax authority and a range of online government services. The attacks carried on over the course of almost a week, crippling the Dutch financial system. Through the chaos and unrest, however, no one was surprised. Russia is well known in the international community for its state-sponsored cyberattacks, and the Netherlands was firmly in Russia’s crosshairs. These were the types of high-stakes cyberattacks that had prompted multinational treaty organizations to declare cyberspace a domain of war.
Several days later, a Dutch 18-year-old was arrested for the attacks. He’d found it funny when everyone started blaming the Russians, he said, and overall he’d set out to prove a teenager could take down banks. Declare this one a mission accomplished, especially compared to the attack he launched at a smaller Dutch bank four months earlier, the one he had to atone for with 10 hours of community service because, as the victim bank stated, he was a kid, still in school, and pressing charges could destroy his life.
Identified as Jelle S., this teenage attacker is a high-profile example of a common problem. Whether they’re building their own botnets, renting out ready-made stresser tools or even leading infamous hacking groups, teens have found a way to cause a whole new level of trouble. Some are in it for money, like Manchester’s Jack Chappell, who was recently convicted of launching thousands of on-demand attacks for the vDOS stresser, or the also recently convicted Adam Mudd, who made over $500,000 USD launching 1.7 million attacks by the time he was 18. Some are in it for the internet fame, like PoodleCorp and Lizard Squad members Zachary Buchta and Bradley van Rooy, both arrested for running DDoS-for-hire services. And some, like Jelle S., simply do it because it’s funny. It’s entertainment. It’s something to do when you can’t find anything you want to watch on Netflix.
Consider the source
No matter where it comes from or who’s behind it, a distributed denial of service attack is of course going to be awful. However, there’s at least a little dignity in thinking that your business was taken down by a state-sponsored hacking team or a guy who’s been doing it on the dark web for two decades. Shelling out hundreds of thousands of dollars and knowing you’re paying through the nose because, in all likelihood, a teenager was bored is a whole other kind of pain, one that far too many websites and businesses are experiencing. Get cloud-based DDoS protection. Stop the madness. Stop the teens.