[ISN] Deleting Online Extortion
isn at c4i.org
Thu Oct 28 04:39:06 EDT 2004
By Joseph Menn
Times Staff Writer
October 25, 2004
To an old-time bookie like Mickey Richardson, $500 in protection money
was chump change.
So when he got an e-mail from gangsters threatening to bring his
online sports betting operation to its knees, he paid up.
Before long, though, the thugs wanted $40,000. And that ticked him
"I'm stubborn," said Richardson, who runs Costa Rica-based
BetCRIS.com. "I wanted to be the guy that says, 'I didn't pay, and I
beat them.' "
Richardson couldn't figure the odds, but he was determined to fight
what's fast becoming the scourge of Internet-based businesses:
high-tech protection rackets in which gangs of computer hackers choke
off traffic to websites whose operators refuse their demands.
Rather than brass knuckles and baseball bats, the weapons of choice
for these digital extortionists are thousands of computers. They use
them to launch coordinated attacks that knock targeted websites
off-line for days, or even weeks, at a time.
The shakedowns generate millions of dollars. Many Internet operators
would rather pay protection money than risk even greater losses if
their websites go down.
After more than a year perfecting their techniques on gambling and
pornographic websites, the gangs are starting to turn their talents to
mainstream e-commerce operations.
"It's pretty much a daily occurrence that one of our customers is
under attack, and the sophistication of the attacks is getting
better," said Ken Silva, a vice president at VeriSign Inc., the
company that maintains the ".com" and ".net" domain name servers and
provides security to many firms.
Last month, Authorize.net, one of the biggest credit-card-services
processors for online merchants, was hit repeatedly over two weeks,
leaving thousands of businesses without a means to charge their
* In April, hackers silenced Card Solutions International, a Kentucky
company that sells credit card software over the Web, for a week
after its owner refused to pay $10,000 to a group of Latvians. Only
after switching Internet service providers could the company come back
* In August, a Massachusetts businessman was indicted on charges of
orchestrating attacks on three television-services companies -
costing one more than $200,000. The case against Saad Echouafni is
one of the rare instances in which alleged attackers have been
identified and charged. Echouafni skipped bail.
Many more attacks go unreported. "You're just seeing the tip of the
iceberg," said Peter Rendall, chief executive of the Internet filter
maker Top Layer Networks.
Richardson was intent on keeping his ship afloat.
BetCRIS, short for Bet Costa Rica International Sportsbook, takes
about $2 billion in bets every year from gamblers around the world.
Most are placed online. After customers complained early last year
that the website seemed sluggish, Richardson felt a little relieved
when an anonymous hacker e-mailed an admission that he had launched a
denial-of-service attack against BetCRIS.
The hacker wanted $500, via the Internet payment service e-Gold.
That seemed like a bargain to Richardson. He paid up and promptly
spent thousands more on hardware designed to weed out unfriendly Web
traffic. "I was thinking if this ever happens again," he said, "we
won't have a problem."
The Saturday before Thanksgiving, Richardson found out how wrong he
was. An e-mail demanded $40,000 by the following noon. It was the
start of one of the biggest betting weeks of the year, with pro and
college football as well as basketball.
Richardson didn't respond.
The next day, BetCRIS crashed hard.
About the same time, other betting sites were getting hit too. The
threats came in mangled English: "In a case if you refuse our offer,
your site will be attacked still long time." Some sites were shut down
Costa Rican law enforcement was ill-equipped to deal with computer
hackers thousands of miles away. Given the shaky legality of offshore
betting, seeking help from U.S. authorities wasn't an attractive
So the bookie in Costa Rica turned to Barrett Lyon, a spiky-haired
philosophy major from Sacramento.
Lyon had consulted for a major provider of odds to casinos, Don Best
Sports, after the Las Vegas company had been hacked, and he had helped
ward off a denial-of-service attack there in 2000.
From his condominium in Sacramento, Lyon quickly realized how much
the landscape had changed since then.
Instead of using a few machines, the extortion gangs control hundreds
of thousands, often the personal computers of people with high-speed
DSL lines or cable modems. Most of the PCs were compromised with a
series of worms and viruses that began appearing last summer. They
spread most easily to machines without firewalls and automated
patching from security companies.
The infections force computers to listen for further instructions from
a new program or direct them to check with master machines. The
resulting armies of computer "bots" - short for robots - are used for
sending spam and stealing financial information in addition to
launching denial-of-service attacks.
As the written code of instructions for the malicious programs has
spread, hackers have tinkered with them to suit their own ends, even
renting out their mechanical legions for as little as a few hundred
dollars an hour, experts said.
The attacks on BetCRIS and other offshore sports books began as modest
efforts in which an unknown number of computers initiated contact with
the targets over and over. Lyon and a small team installed new
hardware and wrote programs to weed out such traffic.
But every move they made was matched by what Lyon came to believe was
a sophisticated group on the other side. The site would reappear for
minutes or hours and then crash again, once going down just as
Richardson had begun celebrating.
Through Thanksgiving and beyond, the hackers taunted Richardson,
boasting that they would make an example of him. Sleepless for nights
on end, Richardson gave pep talks to the more than 200 employees at
Meanwhile, Lyon and partner Glenn Lebumfacil designed a new
infrastructure for BetCRIS, one that relied on massive computing power
far away from Costa Rica. Based in Phoenix, the new computers absorbed
mammoth assaults without crashing. And the system cloaked the target
sites so the hackers could see almost nothing about where their
traffic was going. That kept the bad guys from pinpointing weaknesses
in specialized machines inside the network.
The defenses held. But Lyon was already thinking about offense.
So he turned spy.
Although the individual machines used in the attacks were scattered
around the world, Lyon used some common software flaws to track them
further. They were all taking orders from computer servers hosting a
form of anonymous online chat called IRC, for Internet Relay Chat.
Lyon joined the IRC channels as "hardcore," laboring to adopt just the
right persona as he gossiped with the regulars. He pretended to be a
bot program author from Vancouver, Canada, who had 250 machines under
his control but had been away from the scene for a while. He watched
as chat participants monitored attacks on Microsoft.com and
During hours of online talks from January to March of this year, Lyon
offered to improve the others' attack program and lend his own zombie
computers to their efforts. "i could re write it," Lyon typed at one
point. "i did it last semester in school for a test - just to see how
fast I could scan large groups of machines."
Some members of the chat channel accepted his overtures.
One, nicknamed "eXe," began making mistakes. He logged on from his
home Internet service provider. A private file transfer gave away his
true Internet address. And as late-night conversations turned social,
he let slip his real first name - Ivan - and that he was a 21-year-old
college student in Russia.
Lyon had been working with the FBI to shut down some of the U.S.-based
computers used in the attacks on the bookmakers. But without a U.S.
victim, the agency was unwilling to launch its own investigation.
It was a different story with the British authorities. After testing
the waters with the bookies in Latin America, the Russian gang had
turned to similar companies based in England and Australia, where
gambling firms are legal.
Soon almost every significant British betting firm had been hit at
least once, and the matter grew to be a top priority for the
London-based National Hi-Tech Crime Unit.
One of the first British firms to be targeted, CanBet Ltd., had turned
to the Hi-Tech Crime Unit in the fall and agreed to send traceable
money to a list of names in Latvia provided by the extortionists. The
unit sent a team to watch the pickup spots, along with local police,
and the crew was alarmed to see the Latvians pick up cash sent by
other businesses around the world.
"That was our first sign that this was big - where was all this money
coming from?" said Det. Supt. Mick Deets, deputy head of the Hi-Tech
In a meeting in Los Angeles with the FBI and British agents, Lyon
passed along what he and his team had learned. "They were of
significant assistance," Deets said.
The ultimate "gotcha" came shortly after the L.A. meeting, when the
hacker eXe used that same handle on an IRC network that listed a
private e-mail address for him. Other records showed that the domain
name in that e-mail address - "security-system.cc" - was owned by an
"eXe made a HUGE mistake!" Lyon crowed in a March 13 e-mail to the
Hi-Tech Crime Unit and the FBI.
Armed with the results from the money trail and Lyon's information,
the British authorities went to the Russian Interior Ministry and
suggested several arrests, including that of Maksakov, who lived in
Saratov. In late July, police picked him up, along with a 23-year-old
St. Petersburg man and a 24-year-old in Stavropol. Two other suspects
are being sought.
Most known members of the ring are students who communicated entirely
online, Interior Ministry spokesman Anatoly Platonov said.
The group had taken in hundreds of thousands of dollars in extortion
money, Deets said. Including lost profits at the bookmakers, at least
two major banks and other targets, the ring caused about $90 million
in damage, Platonov said.
Lyon has mixed feelings about the sting against Maksakov, who told
Lyon he made only $2,000 a month for fairly sophisticated work. "It's
not going to get better with one or two kids put in prison," Lyon
But that's good for his new business, Prolexic Technologies Inc.,
which is based in Hollywood, Fla. His sting operation for BetCRIS
produced a dozen clients. Prolexic is on track to bring in $2 million
Alexei V. Kuznetsov of The Times' Moscow Bureau contributed to this
More information about the ISN