How a Bookmaker and a Whiz Kid Took On a DDOS-based Online Extortion Attack

Facing an online extortion threat, bookmaker Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them.

By Scott Berinato

Page 9

The DNS servers were overloaded, and Phoenix got tense.

Costa Rica had been tense for nearly a week (as much as half a million dollars in lost revenue), but now BetCris was bordering on despair. Mickey Richardson lacked sleep, and he struggled to make decisions and lead. His IT staff was fracturing, feeling impotent as they watched the attacks and waited for Lyon. BetCris's small call center staff was getting abused around the clock by customers calling in to vent frustration and demand to know what the heck was going on. The simple task of creating a smart message about what was happening eluded Richardson. "You can't just have your call center staff tell people you were hacked," Richardson says, because it creates more questions than answers.

At the same time, his decision not to pay the extortionists was affecting other wagering sites that shared the same ISP and were experiencing network problems. "I'm getting calls from friendly competitors saying, 'Look, Mickey, we paid. Just pay. We're going down because of you.'"

He was running out of time and energy. Richardson remembers around this time having to update his staff—275 or so people who weren't entirely sure they'd have a job soon—and he couldn't even find words. He thought, "I wish they could read my mind because I'm too exhausted to explain it anymore. I don't have any answers."

In hindsight, Richardson says, he would have spent more time preparing for these human issues attached to the crisis—decision making under pressure, keeping the staff together—and less time worrying about technical defenses. Yes, create those technical defenses and make sure you have a crisis response plan. But also focus more on issues like exhaustion and emotional distress, and how they can be handled.

It was in this context that Richardson received an e-mail, at 11:12 a.m. It caused him to feel, for the first time, "blind fear."

"I would like to thank you for not keeping your end of the deal and making this upcoming weekend an enjoyable one for me." The extortionists demanded $75,000, but then seemed to disregard the money. "I do not care how long I have to destroy your business and I will. You will learn the hard way that you do not make a deal and then f*** around with us.... Let the games begin."

Richardson would soon learn they were not bluffing. They could destroy his business, and they were going to try. For BetCris to survive, Lyon's slapdash system in Phoenix, which was just starting to find its purchase, would have to stand up to the biggest DDoS attack any of them had ever seen.