Case Study

How a Bookmaker and a Whiz Kid Took On a DDOS-based Online Extortion Attack

Facing an online extortion threat, bookmaker Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them.

By Scott Berinato

Page 2

When the attack finally came on that Saturday in November, sometime after that first e-mail but before 11:30 a.m., BetCris crashed hard. The off-the-shelf products Lyon had recommended survived less than 10 minutes. BetCris's ISP crashed, and then the ISP for BetCris's ISP crashed. Richardson ran to the IT department, where Lebumfacil was watching the biggest DoS attack he'd ever seen. He remembers feeling sick to his stomach.

At 1:03 p.m., another e-mail arrived. "I guess you have decided to fight instead of making a deal. We thought you were smart.... You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday." Then they knocked BetCris.com offline again.

The Extortion Problem

We know this about online extortion: It happens. Evidence of its prevalence or damage is speculative and anecdotal but useful nonetheless in guiding CSOs to understand the nature of the crime. Anecdotally, experts from law enforcement and information security consultants believe that perhaps one in 10 companies has been threatened with online extortion; in one survey by Carnegie Mellon University researchers, 17 out of 100 small and midsize businesses reported being targeted. Interviews with security consultants and industry players suggest that as many as three out of four cases of online extortion are never reported. Maybe a third or more of targeted companies pay extortion fees, drawing the money from disaster funds, acceptable loss budgets or insurance. Consultants like to tell stories of being called for help after companies pay protection money twice.

For CSOs and CISOs, it would be easy to view online extortion as indigenous to gambling sites, the karmic price one pays for choosing that line of work. It would also be wrong. True, the Thanksgiving-week attack on BetCris fronted a wave of extortion against gaming sites, but that wave has since ebbed (in part, we'll see, due to BetCris) while the online extortion phenomenon has not.

In fact, that wave of attacks against gaming sites, starting in late 2003 and going through mid-2004, appears to have been a training ground for extortionists. Now they've moved on, applying what they learned, along with more sophisticated technical tools, to attack far less prepared and more mainstream targets—such as online payment services, foreign currency exchanges and financial services companies. Here is a good rule of thumb: Anyone who could lose money by being offline is a potential online extortion target. And the more one stands to lose, the bigger the bull's-eye.
