(U//FOUO) DHS Bulletin: Cyber Criminals Combine Tactics for Extortion

The following bulletin from the Department of Homeland Security’s Cyber Intelligence Analysis Division describes extortion scams using telephony-based denial-of-service (TDoS) attacks, particularly those launched against public safety answering points (PSAP) and other public infrastructure.  Several similar bulletins were issued earlier this year and reported by Brian Krebs.

Office of Intelligence and Analysis (I&A), Cyber Intelligence Analysis Division

  • 6 pages
  • For Official Use Only
  • October 17, 2013


(U//FOUO) This Note describes a new combination of tactics by cyber criminals that disrupts telephone systems of targeted organizations. This information is provided to assist and inform the Department and federal, state, local, territorial, tribal, and private sector partners in mitigation efforts regarding criminal activity that could affect their operations.

(U) Key Judgment

(U//FOUO) Criminals are combining traditional extortion scams with telephony-based denial-of-service (TDoS) attacks for financial gain. We assess this tactic could be leveraged by malicious cyber actors to disrupt communications services related to critical infrastructure.

(U//FOUO) New Extortion Schemes Use Telephony-Based Denial-of-Service Attacks

(U//FOUO) Criminals since at least January 2012 have attempted to extort money from military personnel and local government offices by employing a tactic commonly referred to as a “payday loan” scam. Law enforcement and open source reporting have detailed numerous incidents where criminals have obtained personal identifying information (PII) of potential victims to execute scams. In these instances, the criminals phone the employee’s office and demand that the employee repay an alleged loan; if the victim does not comply, the criminals initiate TDoS attacks against the offices or organizations of the targeted employee. TDoS differs from other telephone disruptive techniques by the number of calls generated; by occupying lines continuously with repeated automated calls, the victim is prevented from making or receiving telephone calls. Criminal actors use robocalling as a TDoS tactic designed to block all incoming and outgoing phone calls.

» (U//FOUO) The US Coast Guard (USCG) in late May 2013 reported that an individual called a USCG cutter claiming a crewmember was late on his loan payments. The subsequent TDoS attack flooded the ship’s telephone network with several rounds of phone calls, completely disrupting phone service. The calls lasted from 1 to 15 minutes in length, and each round of calls lasted from 10 minutes to 2 hours. The targeted crewmember from the cutter had recently received notice from his bank that his accounts had been hacked and his PII had been compromised.

» (U//FOUO) Between 28 January and 3 March 2013, the public safety answering point (PSAP) for a south-central region sheriff’s office received a request to repay the loan of an individual, whom the caller believed was an employee of the PSAP. A TDoS attack followed this request, disrupting business lines.

» (U//FOUO) Between 14 January and 6 March 2013, a south-central region state legislative office experienced a TDoS attack in which the caller requested a former employee by name and claimed the individual owed money. The TDoS attacks began after the legislative office refused to pay. The office received approximately 100 calls per minute, completely tying up the office’s business lines.

(U//FOUO) In all incidents, individuals—not organizations—were the initial extortion targets, and the caller had information identifying them as current or former employees of the attacked organizations. The victims were likely selected for extortion through the exploitation of their PII. The TDoS activity against the south-central region PSAP and state legislative office may have been conducted by the same attacker as the description of the caller’s voice and the sequencing of the disruptive activities were very similar.

(U//FOUO) Old Techniques, New Spin

(U//FOUO) Neither TDoS attacks nor payday loan scams are new. Their combination,however, represents a change in tactics for malicious actors.

(U//FOUO) FBI in December 2010 released information from the Internet Crime Complaint Center (IC3) regarding extortion attempts involving payday loans. In most instances, victims—who may or may not be behind on loan payments—were contacted by malicious actors who stated the actor was in a position of authority to collect on the victims’ loans. The targeted victims were told they were late on payments and must make payments to avoid legal action. Victims were instructed on how to make the payments.

(U//FOUO) TDoS is not a sophisticated technique and is similar to employing robocall-capability used by telemarketers, albeit on a much larger scale.

» (U//FOUO) Companies sell legitimate telemarketing auto-dialer software for $195 to $495. This software, when combined with a Voice over Internet Protocol (VoIP) line and used by malicious actors, can create a low-cost capability for criminal activity.

» (U//FOUO) Cyber criminals also advertise TDoS attack services on underground forums, with prices ranging from $30 per hour to $20 per day based on the length of the TDoS and the call density.

Share this: