[ISN] Deleting Online Extortion
InfoSec News
isn at c4i.org
Thu Oct 28 04:39:06 EDT 2004
http://www.latimes.com/news/yahoo/la-fi-extort25oct25,1,6874439.story
By Joseph Menn
Times Staff Writer
October 25, 2004
To an old-time bookie like Mickey Richardson, $500 in protection money
was chump change.
So when he got an e-mail from gangsters threatening to bring his
online sports betting operation to its knees, he paid up.
Before long, though, the thugs wanted $40,000. And that ticked him
off.
"I'm stubborn," said Richardson, who runs Costa Rica-based
BetCRIS.com. "I wanted to be the guy that says, 'I didn't pay, and I
beat them.' "
Richardson couldn't figure the odds, but he was determined to fight
what's fast becoming the scourge of Internet-based businesses:
high-tech protection rackets in which gangs of computer hackers choke
off traffic to websites whose operators refuse their demands.
Rather than brass knuckles and baseball bats, the weapons of choice
for these digital extortionists are thousands of computers. They use
them to launch coordinated attacks that knock targeted websites
off-line for days, or even weeks, at a time.
The shakedowns generate millions of dollars. Many Internet operators
would rather pay protection money than risk even greater losses if
their websites go down.
After more than a year perfecting their techniques on gambling and
pornographic websites, the gangs are starting to turn their talents to
mainstream e-commerce operations.
"It's pretty much a daily occurrence that one of our customers is
under attack, and the sophistication of the attacks is getting
better," said Ken Silva, a vice president at VeriSign Inc., the
company that maintains the ".com" and ".net" domain name servers and
provides security to many firms.
* Last month, Authorize.net, one of the biggest credit-card-services
processors for online merchants, was hit repeatedly over two weeks,
leaving thousands of businesses without a means to charge their
customers.
* In April, hackers silenced Card Solutions International, a Kentucky
company that sells credit card software over the Web, for a week
after its owner refused to pay $10,000 to a group of Latvians. Only
after switching Internet service providers could the company come back
online.
* In August, a Massachusetts businessman was indicted on charges of
orchestrating attacks on three television-services companies -
costing one more than $200,000. The case against Saad Echouafni is
one of the rare instances in which alleged attackers have been
identified and charged. Echouafni skipped bail.
Many more attacks go unreported. "You're just seeing the tip of the
iceberg," said Peter Rendall, chief executive of the Internet filter
maker Top Layer Networks.
Richardson was intent on keeping his ship afloat.
BetCRIS, short for Bet Costa Rica International Sportsbook, takes
about $2 billion in bets every year from gamblers around the world.
Most are placed online. After customers complained early last year
that the website seemed sluggish, Richardson felt a little relieved
when an anonymous hacker e-mailed an admission that he had launched a
denial-of-service attack against BetCRIS.
The hacker wanted $500, via the Internet payment service e-Gold.
That seemed like a bargain to Richardson. He paid up and promptly
spent thousands more on hardware designed to weed out unfriendly Web
traffic. "I was thinking if this ever happens again," he said, "we
won't have a problem."
The Saturday before Thanksgiving, Richardson found out how wrong he
was. An e-mail demanded $40,000 by the following noon. It was the
start of one of the biggest betting weeks of the year, with pro and
college football as well as basketball.
Richardson didn't respond.
The next day, BetCRIS crashed hard.
About the same time, other betting sites were getting hit too. The
threats came in mangled English: "In a case if you refuse our offer,
your site will be attacked still long time." Some sites were shut down
for weeks.
Costa Rican law enforcement was ill-equipped to deal with computer
hackers thousands of miles away. Given the shaky legality of offshore
betting, seeking help from U.S. authorities wasn't an attractive
option.
So the bookie in Costa Rica turned to Barrett Lyon, a spiky-haired
philosophy major from Sacramento.
Lyon had consulted for a major provider of odds to casinos, Don Best
Sports, after the Las Vegas company had been hacked, and he had helped
ward off a denial-of-service attack there in 2000.
From his condominium in Sacramento, Lyon quickly realized how much
the landscape had changed since then.
Instead of using a few machines, the extortion gangs control hundreds
of thousands, often the personal computers of people with high-speed
DSL lines or cable modems. Most of the PCs were compromised with a
series of worms and viruses that began appearing last summer. They
spread most easily to machines without firewalls and automated
patching from security companies.
The infections make the compromised computers listen for further
instructions, or direct them to check in with master machines for
orders. The resulting armies of computer "bots" - short for robots -
are used for sending spam and stealing financial information in
addition to launching denial-of-service attacks.
As the source code for the malicious programs has spread, hackers have
modified it to suit their own ends, even renting out their mechanical
legions for as little as a few hundred dollars an hour, experts said.
The attacks on BetCRIS and other offshore sports books began as modest
efforts: connection floods in which an unknown number of computers
contacted the targets over and over. Lyon and a small team installed
new hardware and wrote programs to filter out such traffic.
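The article does not say how Lyon's programs weeded out the flood traffic. The following is an added example, not code from the article, from Lyon or from Prolexic: a per-source sliding-window counter run over a constructed connection log, which is the simplest way to pick out a source that "initiates contact over and over." The IP addresses, timestamps, window and threshold are all made up for the example.

```python
"""Added example (not from the article): flag sources that open connections
over and over, using a sliding-window count per source IP, then drop their
traffic. The log below is constructed for the example."""
from collections import defaultdict, deque

# Constructed sample log: epoch seconds and source IP of each new TCP
# connection to the protected site, in time order.
SAMPLE_CONNECTIONS = """\
1069545600 203.0.113.7
1069545600 198.51.100.20
1069545600 203.0.113.7
1069545601 203.0.113.7
1069545601 192.0.2.44
1069545601 203.0.113.7
1069545602 203.0.113.7
1069545602 198.51.100.20
1069545602 203.0.113.7
1069545603 203.0.113.7
1069545603 203.0.113.7
1069545604 192.0.2.44
1069545640 203.0.113.7
"""


def parse_connections(text):
    """Yield (timestamp, src_ip) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip = line.split()
        yield int(ts), ip


def flood_sources(conns, window_s=5, threshold=6):
    """Return {src_ip: peak_count} for every source that opened more than
    `threshold` connections inside any `window_s`-second window.
    `conns` must be in time order (as a log normally is)."""
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    peaks = {}
    for ts, ip in conns:
        q = recent[ip]
        q.append(ts)
        # Expire timestamps that have fallen out of the window.
        while q and ts - q[0] >= window_s:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def filter_flood(text, **kw):
    """Drop every connection from a flagged source; return the survivors
    as a list of (timestamp, src_ip)."""
    conns = list(parse_connections(text))
    bad = flood_sources(conns, **kw)
    return [c for c in conns if c[1] not in bad]


if __name__ == "__main__":
    flagged = flood_sources(parse_connections(SAMPLE_CONNECTIONS))
    print("flood sources:", flagged)
    print("surviving connections:", len(filter_flood(SAMPLE_CONNECTIONS)))
```

Two caveats a practitioner would add. A large NAT gateway or corporate proxy legitimately looks like one very busy source, so a per-IP threshold this low produces false positives on real customer traffic. More importantly, this filter only works against the "modest" early attacks: once the attackers spread the load across hundreds of thousands of bots, each sending a handful of connections, no per-source count trips, which is consistent with the article's account of every countermeasure being matched.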
But every move they made was matched by what Lyon came to believe was
a sophisticated group on the other side. The site would reappear for
minutes or hours and then crash again, once going down just as
Richardson had begun celebrating.
Through Thanksgiving and beyond, the hackers taunted Richardson,
boasting that they would make an example of him. Sleepless for nights
on end, Richardson gave pep talks to the more than 200 employees at
the firm.
Meanwhile, Lyon and partner Glenn Lebumfacil designed a new
infrastructure for BetCRIS, one that relied on massive computing power
far away from Costa Rica. Based in Phoenix, the new computers absorbed
mammoth assaults without crashing. And the system cloaked the target
sites so the hackers could see almost nothing about where their
traffic was going. That kept the bad guys from pinpointing weaknesses
in specialized machines inside the network.
The defenses held. But Lyon was already thinking about offense.
So he turned spy.
Although the individual machines used in the attacks were scattered
around the world, Lyon used some common software flaws to track them
further. They were all taking orders from servers hosting a form of
online chat called IRC, for Internet Relay Chat, where participants
appear only under nicknames.
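The article gives no detail on how the bots were traced to their IRC servers. As an added example (not the article's account of Lyon's method), the block below shows the network-side signature that would reveal such a rendezvous: many distinct hosts greeting the same server with an IRC client handshake. It matches on the payload rather than on port 6667, because bot herders routinely run IRC on non-standard ports. The flow records, hosts and nicknames are constructed.

```python
"""Added example (not from the article): find hosts rendezvousing with an
IRC command-and-control server from constructed flow summaries."""
from collections import defaultdict
import re

# Opening commands of an IRC client session (RFC 1459). We match the
# payload, not the port, since a bot's IRC server need not sit on 6667.
IRC_HANDSHAKE = re.compile(r"^(PASS|NICK|USER|JOIN)\b")

# Constructed flow summaries: src|dst|dst_port|first line the client sent.
# The "[DSL]-xxxx" nicknames imitate the auto-generated names bots use.
SAMPLE_FLOWS = """\
10.0.0.5|198.51.100.9|6667|NICK [DSL]-x9f2q
10.0.0.8|198.51.100.9|6667|NICK [DSL]-k11ad
10.0.0.12|198.51.100.9|6667|NICK [CBL]-7w3p0
10.0.0.5|198.51.100.9|6667|JOIN #c
10.0.0.21|203.0.113.50|8080|NICK [DSL]-qq902
10.0.0.21|203.0.113.50|8080|PRIVMSG #c :ok
10.0.0.3|192.0.2.10|443|(binary TLS client hello)
10.0.0.5|192.0.2.10|80|GET / HTTP/1.1
"""


def parse_flows(text):
    """Yield (src, dst, dport, payload) from pipe-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, payload = line.split("|", 3)
        yield src, dst, int(dport), payload


def irc_rendezvous(flows):
    """Map (dst, dport) -> set of sources whose first bytes look like an
    IRC client handshake. Every key is a candidate C&C server."""
    servers = defaultdict(set)
    for src, dst, dport, payload in flows:
        if IRC_HANDSHAKE.match(payload):
            servers[(dst, dport)].add(src)
    return servers


def likely_cnc(flows, min_clients=3):
    """Servers that at least `min_clients` distinct hosts greet with IRC
    handshakes. Many machines herding to one server is the botnet pattern
    the article describes. Returns (dst, dport, client_count), busiest
    first."""
    hits = [(dst, port, len(srcs))
            for (dst, port), srcs in irc_rendezvous(flows).items()
            if len(srcs) >= min_clients]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    flows = list(parse_flows(SAMPLE_FLOWS))
    for dst, port, n in likely_cnc(flows):
        print(f"probable C&C {dst}:{port} contacted by {n} hosts")
    for (dst, port), srcs in irc_rendezvous(flows).items():
        if port != 6667:
            print(f"IRC handshake on non-standard port {dst}:{port} from {sorted(srcs)}")
```

The 8080 server is caught only because the payload is inspected; a port-based rule would miss it. The same payload match catches the later `PRIVMSG` lines if the handshake was not observed, which is why the example keys on the first line rather than assuming the capture started at session open.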
Lyon joined the IRC channels as "hardcore," laboring to adopt just the
right persona as he gossiped with the regulars. He pretended to be a
bot program author from Vancouver, Canada, who had 250 machines under
his control but had been away from the scene for a while. He watched
as chat participants monitored attacks on Microsoft.com and
BetCRIS.com.
During hours of online talks from January to March of this year, Lyon
offered to improve the others' attack program and lend his own zombie
computers to their efforts. "i could re write it," Lyon typed at one
point. "i did it last semester in school for a test - just to see how
fast I could scan large groups of machines."
Some members of the chat channel accepted his overtures.
One, nicknamed "eXe," began making mistakes. He logged on from his
home Internet service provider. A private file transfer gave away his
true Internet address. And as late-night conversations turned social,
he let slip his real first name - Ivan - and that he was a 21-year-old
college student in Russia.
Lyon had been working with the FBI to shut down some of the U.S.-based
computers used in the attacks on the bookmakers. But without a U.S.
victim, the agency was unwilling to launch its own investigation.
It was a different story with the British authorities. After testing
the waters with the bookies in Latin America, the Russian gang had
turned to similar companies based in England and Australia, where
gambling firms are legal.
Soon almost every significant British betting firm had been hit at
least once, and the matter grew to be a top priority for the
London-based National Hi-Tech Crime Unit.
One of the first British firms to be targeted, CanBet Ltd., had turned
to the Hi-Tech Crime Unit in the fall and agreed to send traceable
money to a list of names in Latvia provided by the extortionists. The
unit sent a team to watch the pickup spots, along with local police,
and the crew was alarmed to see the Latvians pick up cash sent by
other businesses around the world.
"That was our first sign that this was big - where was all this money
coming from?" said Det. Supt. Mick Deets, deputy head of the Hi-Tech
Crime Unit.
In a meeting in Los Angeles with the FBI and British agents, Lyon
passed along what he and his team had learned. "They were of
significant assistance," Deets said.
The ultimate "gotcha" came shortly after the L.A. meeting, when the
hacker eXe used that same handle on an IRC network that listed a
private e-mail address for him. Other records showed that the domain
name in that e-mail address - "security-system.cc" - was owned by an
Ivan Maksakov.
"eXe made a HUGE mistake!" Lyon crowed in a March 13 e-mail to the
Hi-Tech Crime Unit and the FBI.
Armed with the results from the money trail and Lyon's information,
the British authorities went to the Russian Interior Ministry and
suggested several arrests, including that of Maksakov, who lived in
Saratov. In late July, police picked him up, along with a 23-year-old
St. Petersburg man and a 24-year-old in Stavropol. Two other suspects
are being sought.
Most known members of the ring are students who communicated entirely
online, Interior Ministry spokesman Anatoly Platonov said.
The group had taken in hundreds of thousands of dollars in extortion
money, Deets said. Including lost profits at the bookmakers, at least
two major banks and other targets, the ring caused about $90 million
in damage, Platonov said.
Lyon has mixed feelings about the sting against Maksakov, who told
Lyon he made only $2,000 a month for fairly sophisticated work. "It's
not going to get better with one or two kids put in prison," Lyon
said.
But that's good for his new business, Prolexic Technologies Inc.,
which is based in Hollywood, Fla. His sting operation for BetCRIS
produced a dozen clients. Prolexic is on track to bring in $2 million
this year.
Alexei V. Kuznetsov of The Times' Moscow Bureau contributed to this
report.