Tuesday, May 24, 2005

And we know where your children go to school

In this brave new electronic world, a new form of extortion has evolved: pay up or we’ll crash your site.
May 24, 2005

Denial of Service!

Let’s say you are running a lucrative web site, popping along raking in the dough when you get an email message. Either you pay $40,000 or we’ll block traffic to your site, the message says. What do you do? In most cases, the answer to this new kind of extortion is to pay the money and move on. This, of course, means that the extortionists will go on to someone else and do the same thing, or they’ll come back to get you again.

A man named Mickey Richardson, who runs one of the off-shore gaming sites, BetCris.com, that operate out of Costa Rica to avoid U.S. gambling laws, got such a message at the end of 2003. “Your site is under attack…. You can send us $40k, by Western Union and your site will be protected not just this weekend but for the next 12 months. If you chose not to pay…you will be under attack each weekend for the next 20 weeks, or until you close your doors.”

And sure enough, his site immediately crashed.

In a chilling story worthy of a novel, a website called CSOonline, which caters to computer network security people, reports what happened next. Click on the headline to read it.

The message come just as BetCris was entering its most profitable time of year with football, basketball and the holidays coming up. If the site came down, the losses would amount to $1.16 per second, $100,000 a day. The method of attack was denial of service attack (DoS) in which hackers flood the site with legitimate messages the servers have to deal with, causing a traffic jam that clogs everything to a halt. Think of the entrances to Fenway Park if 200,000 people tried to get in at one time.

Now having a gambling site in Costa Rica go down is not a major concern to most of us unless we work there or gamble. But as Scott Berinato, who wrote the piece points out, internet extortion is now moving on to more respectable sites, including payment services. It is becoming a major white-collar crime the Mafia never thought of.

In this case, and possibly in many of the others, the extortionists were in Eastern Europe, probably Russia, where the laws are rather flabby.

What did Richardson do? After considerable soul-searching, he hired a 23-year-old computer security whiz and former philosophy major named Barrett Lyon in Sacramento. Lyon once mapped the entire Internet in one day on a bet. Lyon had a plan. The company stalled while he set up a channel with the help of a kindly ISP in Arizona to divert the traffic sent to BetCris, scrub out the hackers’ flood, and then send the legitimate traffic on to Costa Rica. He was acting as a filter. It wasn't easy. Every time Lyon got enough bandwidth to handle the hacking, the hackers increased the deluge. It was like being at the receiving end of a fire hose. A war of attrition erupted that at one point not only threatened to knock BetCris out of business but kill the ISP’s business as well. The hackers used zombies, computers they had already hacked—yours and mine, for instance [well, yours if you use Windows]—to generate the traffic, and at one point were blasting 3 gigs of data at BetCris, hoping to flood Lyon's diversion. They attacked everything from mail to routers to servers. Fix one problem and there would be an explosion someplace else.

What happened? Lyon and Richardson eventually won by overpowering the DoS attack and the hackers moved on to easier marks. In the end, it cost Richardson far more than it would have had he just paid the extortionists. But that's only half the story. Lyon was able to track down the extortionists with the help of Scotland Yard. They are in jail in Russia. He is now in the business of replicating his techniques for others under attack by extortionists and has multiple customers and his own servers and a company called Prolexic Technologies. The war continues.

Great story.

[And thanks, again, to Jonathan Beard, who apparently reads these obscure magazines for fun.]

Meanwhile, CNET reports another embezzlement scheme. Hackers visit your website and if it contains code that takes advantage of a flaw in Microsoft's Internet Explorer [nobody, repeat nobody should be using IE at this stage], it blasts onto your PC [Trojan.Pgcoder] and encrypts your files. A message pops up offering to give you the password to decrypt your files. It is like breaking into your house, changing the combination on the safe and holding the contents for ransom. Naturally, it takes advantage of Microsoft files in Office.

No comments: