Global gangsters are extorting money from online
casinos with a novel threat: we'll spam you to death
It's been 60 years since Bugsy Siegel and his
cronies ran Vegas, but gangsters are back in the
gambling game, big time. Only now, rather than seeking
control of real casinos, they are extorting cash from
virtual casinos, which are both the fastest-growing
sector of the vast global gambling industry and, by
some estimates, the biggest revenue producer of any
online business. In short, hoods are going after
gambling Web sites because that's where the money is.
The first known wave of threats came last September,
with cyber-mafiosi using massive spam attacks to slow
betting sites, then following up with bland e-mails
asking for payments to "fix the problem."
Since then, according to British authorities and
industry executives, virtually every major Internet
betting site from the Caribbean to Australia has been
hit, including those based in Britain, the
international hub of online bookmaking. In October,
these extortion rackets became the second of two major
investigations for Britain's National Hi-Tech Crime
Unit (the other is "spoofing"—phony sites
set up to steal credit-card numbers and other personal
information). Now, the authorities say, this is
shaping up as one of the biggest seasons ever for
online betting—and for cyber-extortion, as
well—with all the usual summer sports events topped
by the Athens Olympics.
The weapon of choice for cyber-extortion is what
techies call a Distributed Denial of Service attack
(or DDoS), which commandeers other computers and
bombards a Web site with millions of messages and
requests, slowing it to the point of collapse. Such
attacks began a few years ago and have been used
against various targets—including Microsoft—with
occasional success for a range of criminal, ethical
and personal reasons. As more and more computers are
connected to the Internet via broadband, the DDoS
threat grows. But so do the defenses of big
corporations like Microsoft and well-insured banks. In
response, extortion rings are targeting online casinos
in part because they have typically not been as well
secured, and cannot afford disruptions during times of
heavy gambling.
Internet betting exchanges now take in more than $5
billion a year worldwide, according to British
authorities. Betfair.com, the largest British site,
generates as much as $160 million in revenue on a busy
week. At BetWWTS.com, based in Antigua, where an
average weekend turns over roughly $5 million, CEO
Simon Noble says his servers began to slow down
dramatically on a busy Saturday morning in September.
Gamblers couldn't place their bets. His in-house
techies were at a loss. After about 20 minutes of
chaos and confusion, Noble received an e-mail:
"Dear wwts, As you can see your site is under
attack. We have found a problem with your
network."
The attackers demanded that Noble send $40,000 via
Western Union. They promised they could stop the
disruption and prevent it from happening again, as
long as they got paid. "You will lose more than
$40k in the next couple of hours if you do not resolve
this problem," they wrote. Noble refused, and his
servers buckled under the flood of incoming messages
from thousands of hijacked computers. The attack
persisted in 20 minute bursts, and Noble says that as
customers abandoned BetWWTS.com for other Web sites,
he felt like shouting obscenities. He won't comment on
why his attackers disappeared, but speaking generally,
says, "I think everybody who has been attacked
has paid."
Where did the attackers go? The high-tech crime unit
is tight-lipped about any ongoing investigations. But
a spokeswoman says the attacks usually trace to
Eastern Europe, where laws on cyber-crime are lax. In
a joint effort with Russian police, the unit last week
arrested three men in different parts of Russia on
charges of running an online protection racket.
Many Web sites admit to having suffered the extortion
attacks, but will not discuss financial setbacks due
to the cyber-assaults. Sites that have been brought
down, or that have paid off the hacker-gangsters, are
loath to make the news public for fear they will be
perceived as either vulnerable or willing to pay,
which could encourage the criminals. So the true
monetary and technological scope of the extortion
remains unclear. According to the crime unit, the
arrested Russians alone had extorted hundreds of
thousands of dollars from gambling sites.
It is cheaper to pay up than to mount a defense. The
virtual-crooks operate outside the jurisdiction of the
Web sites' home countries, and use multiple and dummy
IP addresses to cover their tracks. They also price
their extortion demands intelligently; about $40,000
is typical. "They're not asking for ridiculous
sums of money. They're very shrewd," says Charles
White, a computer forensics expert at Information Risk
Management Plc. "It looks like a very close-knit
group of individuals. That's a virtue of organized
crime, and that indicates it's very serious."
Online casinos are now spending heavily on new
defenses. Noble estimates that BetWWTS.com has spent
about $250,000 on security since the first attack.
Another prominent British betting site, BlueSquare.com,
consults with an Internet-security firm that can
charge $2,000 per hour. But even 20 minutes of server
downtime can cost millions in lost turnover, says
Noble. "You have to do whatever it takes at that
point," he says. "I was ready to throw a lot
of money at the problem."
Normally ultracompetitive and secretive, the
online-betting industry is starting to circle its
wagons. Former rivals are beginning to share
information about attack patterns, the originating IP
addresses and defense strategies. Protective measures
include greatly increasing server capacity, while lack
of international cooperation in combating cyber-crime
remains the biggest obstacle to stopping it. "The
thing to overcome is to make politicians aware of the
problem. They think it will go away. But I'm not
convinced it will," says Peter Pedersen, chief
technology officer of BlueSquare.com. "It will
get a whole lot worse [first]." And it's a whole
lot easier to dodge the law in cyberspace than it ever
was in Vegas.
|
