Case Study

How a Bookmaker and a Whiz Kid Took On a DDOS-based Online Extortion Attack

Facing an online extortion threat, bookmaker Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them.

By Scott Berinato


Yet you probably haven't thought much about online extortion unless you've been targeted. As with fraud, a certain shame attaches itself to victims, especially those who choose to pay protection fees. Even antiextortion consultants participate in a code of silence. One such company contacted for this story declined to comment "because we feel it brings attention to the crime."

That's why we're telling this story—to bring attention to the crime. To enable readers to learn from a real-world case what worked in an extortion crisis and what didn't. To sort out the choices one has before the choices one has are dictated by an e-mail.

Saturday, Nov. 22, 2003: Pleas for Time—and Help

Richardson and Lebumfacil decided to reply to the extortionists' e-mail. They stalled. Lebumfacil, the network administrator, recalls the pleading tone of their missives. (They sent several.) They'd say that they would lose their jobs if they didn't get more time. Richardson reluctantly admits that he feigned a family emergency and begged the extortionists to give him time until he could return from that to set up a payment.

Meanwhile, Lebumfacil and the IT team tried in vain to stop the attacks and get BetCris back online. The equation was simple: Downtime equals lost revenue. Richardson says the company stood to lose $1.16 every second, as much as $100,000 per day.

Richardson tracked down Barrett Lyon, who was in Phoenix helping another company fight off a DoS attack. Lyon told Richardson to call the off-the-shelf equipment vendor. (He did. No help.) Call the ISP. (It couldn't help, either.)

Lyon says he sensed desperation, and he was right. Lebumfacil, who had a 5-month-old daughter at home, says, "I thought about losing my job. I thought about the company going out of business. There was a lot of money on the line. It was a constant state of panic." That night he tried in vain to sleep and says he even entertained the fantasy that "everything could be OK in the morning."

But it wasn't OK in the morning. At 10:01 a.m. on Sunday, Richardson got another e-mail. This one sounded less like a threat and more like the start of negotiations. "Dear Mickey, The attacks have been stopped 2 hours prior to the last e-mail. Your site is back up for most and should be up for all shortly...P.S. We will e-mail you Monday."

Still, Richardson wasn't encouraged. The site wasn't up at all; it only came to life sporadically and for short periods of time. No one knows for sure, but the extortionists might have stopped their attack. At some point, the downtime was the result of BetCris's ISP deciding to null-route the site's traffic. Null-routing means the ISP collects all of the traffic going to a site, legitimate and malicious alike, and drives it into the ground. This frees up the ISP's pipes when a site it hosts is receiving massive amounts of DoS attack traffic, but it also means that even if the extortionists stopped attacking, the site would stay down.
