Criminal motivations: One big reason DDoS attacks are exploding in popularity

May 16, 2017 8:35am


DDoSDistributed denial of service (DDoS) attacks have become some of the most pervasive threats to websites and businesses on the internet today. From the DDoS-for-hire services that are cheaper and easier to access than ever to the Internet of Things (IoT) devices making it simple for attackers to build massive zombie armies to the tempting attention these attacks gain in the media as well as on social platforms, it would be shocking if DDoS attacks weren’t some of the biggest attack types going.

However, there’s one big motivating factor at the heart of DDoS attacks – the one that spurs on botnet builders and drives hackers to target major websites with major attacks. It’s the root of all evil, it’s what makes the world go ‘round, and it’s the reason website and business owners are going to be ducking and covering for the foreseeable future.

It’s money.

Details on DDoS damage

A DDoS attack is a cyber attack that uses the distributed power of a botnet, a network of hijacked internet-connected devices, to barrage a target website or online service with a large amount of malicious traffic in order to deny its services to legitimate users.

There are both immediate and long-term consequences of a successful attack. Most notably, an immediate loss of traffic or revenue from users being unable to access the site while it is down can lead to a long-term loss of traffic and revenue when users or customers experience a loss of trust or loyalty. Powerful DDoS attacks can also cause hardware and software damage. In terms of quantifiable monetary losses, a distributed denial of service attack can cost a large organization between $20,000 and $100,000. And this isn’t even taking any of the above consequences into consideration.

There are three main avenues through which cybercriminals can make serious money from DDoS attacks:

DDoS dollar maker #1: DDoS for hire services

DDoS for hire services are pervasive internet pests that have made it possible for the average person with practically no technical computer skills to fire off a distributed denial of service attack for as little as $5. These services are swelling in popularity, which means all the hackers behind them have to do is build a botnet, hit a website with an attack in order to demonstrate the botnet’s abilities and then sit back and rake in the cash over PayPal or Bitcoin. The Lizard Squad has famously done just this, as have –reportedly – the hackers behind the behemoth IoT-powered Mirai botnet.

Potential profit: An internet security company completed a review of the dark web last year where these services can often be purchased and found that the average going rate of a DDoS attack was $25/hour, with the cybercriminals behind the service making about $18/hour. In 2015 researchers found that three of the top for-hire services had launched over 600,000 attacks. With an $18/hour profit, that equals out to $10.8 million. As for that big bad Mirai botnet? Access to 50,000 bots from what is allegedly the Mirai botnet runs between $3,000 and $4,000 for a two-week period. 

DDoS dollar maker #2: extortion

Speaking of Mirai, a second method hackers use for ill-gotten distributed denial of service gains is extortion. Back when the Mirai botnet slammed the Dyn DNS server with a record-breaking 1.2 Tbps attack, taking major sites like Twitter, Netflix and Reddit offline, it was rumored the group behind the attack had attempted to extort a significant sum of money in exchange for not launching the attack. DDoS ransom attempts are perpetrated by attackers of all kinds, from bored kids using DDoS-for-hire services all the way up to pros with IoT botnets. In the aftermath of attacks like the one on Dyn, the hackers who can demonstrate serious DDoS firepower will successfully extort large sums.

Potential profit: With neither hackers nor victims wanting to admit to the numbers actually involved in this shady business, it’s hard to come up with even an estimate of how much attackers could be making. However, a group simply pretending to be a high-profile DDoS attack group collected more than $100,000 in just two months, so imagine what actual hackers could be making.

DDoS dollar maker #3: stolen data

Last but not least, hackers can use distributed denial of service attacks as smokescreens for intrusions. For example, a hacker can use DDoS to distract organization’s security team while sensitive data is stolen from the organization’s databases. This information can then either be used by the hackers, such as in the case of financial data like payment card information, or sold on the black market, such as in the case of healthcare data or intellectual property.

Potential profit: As of 2015, a single healthcare record was reportedly worth $50 on the dark web’s black market. Considering many healthcare breaches see hundreds of thousands or even millions of healthcare records stolen, there is big money to be made in intrusions.

An ongoing threat

There’s nothing quite like the almighty dollar to encourage criminals in their pursuits, and there are a whole lot of almighty dollars up for grabs in the DDoS game. Website and business owners feeling the DDoS threat basically have three options: 1) wait it out until DDoS attacks are no longer lucrative, 2) wait it out until criminals are no longer motivated by money or 3) invest in professional DDoS protection. So if we’re being honest, website and business owners feeling the DDoS threat basically have one option. Get DDoS protection. It’s what makes sense.

About the authors

Chloe Marchbank is an enthusiastic freelance writer, currently working for various businesses across a variety of sectors. She is passionate about gaining experience and making a name for herself. 

Benjamin Stone is a seasoned writer and technology enthusiast. He has written various articles on the topics of cyber security, e-commerce and customer experience solutions and continues to research the latest state-of-the-art digital tools. In his spare time Benjamin enjoys reading finance magazines and outdoor sporting activities.