Deleting Online Extortion
To an old-time bookie like Mickey Richardson, $500 in protection money was chump change.
So when he got an e-mail from gangsters threatening to bring his online sports betting operation to its knees, he paid up.
Before long, though, the thugs wanted $40,000. And that ticked him off.
“I’m stubborn,” said Richardson, who runs Costa Rica-based BetCRIS.com. “I wanted to be the guy that says, ‘I didn’t pay, and I beat them.’ ”
Richardson couldn’t figure the odds, but he was determined to fight what’s fast becoming the scourge of Internet-based businesses: high-tech protection rackets in which gangs of computer hackers choke off traffic to websites whose operators refuse their demands.
Rather than brass knuckles and baseball bats, the weapons of choice for these digital extortionists are thousands of computers. They use them to launch coordinated attacks that knock targeted websites off-line for days, or even weeks, at a time.
The shakedowns generate millions of dollars. Many Internet operators would rather pay protection money than risk even greater losses if their websites go down.
After more than a year perfecting their techniques on gambling and pornographic websites, the gangs are starting to turn their talents to mainstream e-commerce operations.
“It’s pretty much a daily occurrence that one of our customers is under attack, and the sophistication of the attacks is getting better,” said Ken Silva, a vice president at VeriSign Inc., the company that maintains the ".com” and ".net” domain name servers and provides security to many firms.
* Last month, Authorize.net, one of the biggest credit-card-services processors for online merchants, was hit repeatedly over two weeks, leaving thousands of businesses without a means to charge their customers.
* In April, hackers silenced Card Solutions International, a Kentucky company that sells credit card software over the Web, for a week after its owner refused to pay $10,000 to a group of Latvians. Only after switching Internet service providers could the company come back online.
* In August, a Massachusetts businessman was indicted on charges of orchestrating attacks on three television-services companies -- costing one more than $200,000. The case against Saad Echouafni is one of the rare instances in which alleged attackers have been identified and charged. Echouafni skipped bail.
Many more attacks go unreported. “You’re just seeing the tip of the iceberg,” said Peter Rendall, chief executive of the Internet filter maker Top Layer Networks.
Richardson was intent on keeping his ship afloat.
BetCRIS, short for Bet Costa Rica International Sportsbook, takes about $2 billion in bets every year from gamblers around the world. Most are placed online. After customers complained early last year that the website seemed sluggish, Richardson felt a little relieved when an anonymous hacker e-mailed an admission that he had launched a denial-of-service attack against BetCRIS.
The hacker wanted $500, via the Internet payment service e-Gold.
That seemed like a bargain to Richardson. He paid up and promptly spent thousands more on hardware designed to weed out unfriendly Web traffic. “I was thinking if this ever happens again,” he said, “we won’t have a problem.”
The Saturday before Thanksgiving, Richardson found out how wrong he was. An e-mail demanded $40,000 by the following noon. It was the start of one of the biggest betting weeks of the year, with pro and college football as well as basketball.
Richardson didn’t respond.
The next day, BetCRIS crashed hard.
About the same time, other betting sites were getting hit too. The threats came in mangled English: “In a case if you refuse our offer, your site will be attacked still long time.” Some sites were shut down for weeks.
Costa Rican law enforcement was ill-equipped to deal with computer hackers thousands of miles away. Given the shaky legality of offshore betting, seeking help from U.S. authorities wasn’t an attractive option.
So the bookie in Costa Rica turned to Barrett Lyon, a spiky-haired philosophy major from Sacramento.
Lyon had consulted for a major provider of odds to casinos, Don Best Sports, after the Las Vegas company had been hacked, and he had helped ward off a denial-of-service attack there in 2000.
From his condominium in Sacramento, Lyon quickly realized how much the landscape had changed since then.
Instead of using a few machines, the extortion gangs control hundreds of thousands, often the personal computers of people with high-speed DSL lines or cable modems. Most of the PCs were compromised with a series of worms and viruses that began appearing last summer. They spread most easily to machines without firewalls and automated patching from security companies.
The infections force computers to listen for further instructions from a new program or direct them to check with master machines. The resulting armies of computer “bots” -- short for robots -- are used for sending spam and stealing financial information in addition to launching denial-of-service attacks.
As the written code of instructions for the malicious programs has spread, hackers have tinkered with them to suit their own ends, even renting out their mechanical legions for as little as a few hundred dollars an hour, experts said.
The attacks on BetCRIS and other offshore sports books began as modest efforts in which an unknown number of computers initiated contact with the targets over and over. Lyon and a small team installed new hardware and wrote programs to weed out such traffic.
But every move they made was matched by what Lyon came to believe was a sophisticated group on the other side. The site would reappear for minutes or hours and then crash again, once going down just as Richardson had begun celebrating.
Through Thanksgiving and beyond, the hackers taunted Richardson, boasting that they would make an example of him. Sleepless for nights on end, Richardson gave pep talks to the more than 200 employees at the firm.
Meanwhile, Lyon and partner Glenn Lebumfacil designed a new infrastructure for BetCRIS, one that relied on massive computing power far away from Costa Rica. Based in Phoenix, the new computers absorbed mammoth assaults without crashing. And the system cloaked the target sites so the hackers could see almost nothing about where their traffic was going. That kept the bad guys from pinpointing weaknesses in specialized machines inside the network.
The defenses held. But Lyon was already thinking about offense.
So he turned spy.
Although the individual machines used in the attacks were scattered around the world, Lyon used some common software flaws to track them further. They were all taking orders from computer servers hosting a form of anonymous online chat called IRC, for Internet Relay Chat.
Lyon joined the IRC channels as “hardcore,” laboring to adopt just the right persona as he gossiped with the regulars. He pretended to be a bot program author from Vancouver, Canada, who had 250 machines under his control but had been away from the scene for a while. He watched as chat participants monitored attacks on Microsoft.com and BetCRIS.com.
During hours of online talks from January to March of this year, Lyon offered to improve the others’ attack program and lend his own zombie computers to their efforts. “i could re write it,” Lyon typed at one point. “i did it last semester in school for a test ... just to see how fast I could scan large groups of machines.”
Some members of the chat channel accepted his overtures.
One, nicknamed “eXe,” began making mistakes. He logged on from his home Internet service provider. A private file transfer gave away his true Internet address. And as late-night conversations turned social, he let slip his real first name -- Ivan -- and that he was a 21-year-old college student in Russia.
Lyon had been working with the FBI to shut down some of the U.S.-based computers used in the attacks on the bookmakers. But without a U.S. victim, the agency was unwilling to launch its own investigation.
It was a different story with the British authorities. After testing the waters with the bookies in Latin America, the Russian gang had turned to similar companies based in England and Australia, where gambling firms are legal.
Soon almost every significant British betting firm had been hit at least once, and the matter grew to be a top priority for the London-based National Hi-Tech Crime Unit.
One of the first British firms to be targeted, CanBet Ltd., had turned to the Hi-Tech Crime Unit in the fall and agreed to send traceable money to a list of names in Latvia provided by the extortionists. The unit sent a team to watch the pickup spots, along with local police, and the crew was alarmed to see the Latvians pick up cash sent by other businesses around the world.
“That was our first sign that this was big -- where was all this money coming from?” said Det. Supt. Mick Deets, deputy head of the Hi-Tech Crime Unit.
In a meeting in Los Angeles with the FBI and British agents, Lyon passed along what he and his team had learned. “They were of significant assistance,” Deets said.
The ultimate “gotcha” came shortly after the L.A. meeting, when the hacker eXe used that same handle on an IRC network that listed a private e-mail address for him. Other records showed that the domain name in that e-mail address--"security-system.cc” -- was owned by an Ivan Maksakov.
“eXe made a HUGE mistake!” Lyon crowed in a March 13 e-mail to the Hi-Tech Crime Unit and the FBI.
Armed with the results from the money trail and Lyon’s information, the British authorities went to the Russian Interior Ministry and suggested several arrests, including that of Maksakov, who lived in Saratov. In late July, police picked him up, along with a 23-year-old St. Petersburg man and a 24-year-old in Stavropol. Two other suspects are being sought.
Most known members of the ring are students who communicated entirely online, Interior Ministry spokesman Anatoly Platonov said.
The group had taken in hundreds of thousands of dollars in extortion money, Deets said. Including lost profits at the bookmakers, at least two major banks and other targets, the ring caused about $90 million in damage, Platonov said.
Lyon has mixed feelings about the sting against Maksakov, who told Lyon he made only $2,000 a month for fairly sophisticated work. “It’s not going to get better with one or two kids put in prison,” Lyon said.
But that’s good for his new business, Prolexic Technologies Inc., which is based in Hollywood, Fla. His sting operation for BetCRIS produced a dozen clients. Prolexic is on track to bring in $2 million this year.
Alexei V. Kuznetsov of The Times’ Moscow Bureau contributed to this report.