The first known wave of threats came last September, with cyber-mafiosi using massive spam attacks to slow betting sites, then following up with bland e-mails asking for payments to “fix the problem.” Since then, according to British authorities and industry executives, virtually every major Internet betting site from the Caribbean to Australia has been hit, including those based in Britain, the international hub of online bookmaking. In October, these extortion rackets became the second of two major investigations for Britain’s National Hi-Tech Crime Unit (the other is “spoofing”–phony sites set up to steal credit-card numbers and other personal information). Now, the authorities say, this is shaping up as one of the biggest seasons ever for online betting–and for cyber-extortion, as well–with all the usual summer sports events topped by the Athens Olympics.
The weapon of choice for cyber-extortion is what techies call a Distributed Denial of Service attack (or DDoS), which commandeers other computers and bombards a Web site with millions of messages and requests, slowing it to the point of collapse. Such attacks began a few years ago and have been used against various targets–including Microsoft–with occasional success for a range of criminal, ethical and personal reasons. As more and more computers are connected to the Internet via broadband, the DDoS threat grows. But so do the defenses of big corporations like Microsoft and well-insured banks. In response, extortion rings are targeting online casinos in part because they have typically not been as well secured, and cannot afford disruptions during times of heavy gambling.
Internet betting exchanges now take in more than $5 billion a year worldwide, according to British authorities. Betfair.com, the largest British site, generates as much as $160 million in revenue on a busy week. At BetWWTS.com, based in Antigua, where an average weekend turns over roughly $5 million, CEO Simon Noble says his servers began to slow down dramatically on a busy Saturday morning in September. Gamblers couldn’t place their bets. His in-house techies were at a loss. After about 20 minutes of chaos and confusion, Noble received an e-mail: “Dear wwts, As you can see your site is under attack. We have found a problem with your network.”
The attackers demanded that Noble send $40,000 via Western Union. They promised they could stop the disruption and prevent it from happening again, as long as they got paid. “You will lose more than $40k in the next couple of hours if you do not resolve this problem,” they wrote. Noble refused, and his servers buckled under the flood of incoming messages from thousands of hijacked computers. The attack persisted in 20-minute bursts, and Noble says that as customers abandoned BetWWTS.com for other Web sites, he felt like shouting obscenities. He won’t comment on why his attackers disappeared, but speaking generally, says, “I think everybody who has been attacked has paid.”
Where did the attackers go? The high-tech crime unit is tight-lipped about any ongoing investigations. But a spokeswoman says the attacks usually trace to Eastern Europe, where laws on cyber-crime are lax. In a joint effort with Russian police, the unit last week arrested three men in different parts of Russia on charges of running an online protection racket.
Many Web sites admit to having suffered the extortion attacks, but will not discuss financial setbacks due to the cyber-assaults. Sites that have been brought down, or that have paid off the hacker-gangsters, are loath to make the news public for fear they will be perceived as either vulnerable or willing to pay, which could encourage the criminals. So the true monetary and technological scope of the extortion remains unclear. According to the crime unit, the arrested Russians alone had extorted hundreds of thousands of dollars from gambling sites.
It is cheaper to pay up than to mount a defense. The virtual crooks operate outside the jurisdiction of the Web sites’ home countries, and use multiple and dummy IP addresses to cover their tracks. They also price their extortion demands intelligently; about $40,000 is typical. “They’re not asking for ridiculous sums of money. They’re very shrewd,” says Charles White, a computer forensics expert at Information Risk Management Plc. “It looks like a very close-knit group of individuals. That’s a virtue of organized crime, and that indicates it’s very serious.”
Online casinos are now spending heavily on new defenses. Noble estimates that BetWWTS.com has spent about $250,000 on security since the first attack. Another prominent British betting site, BlueSquare.com, consults with an Internet-security firm that can charge $2,000 per hour. But even 20 minutes of server downtime can cost millions in lost turnover, says Noble. “You have to do whatever it takes at that point,” he says. “I was ready to throw a lot of money at the problem.”
Normally ultracompetitive and secretive, the online-betting industry is starting to circle its wagons. Former rivals are beginning to share information about attack patterns, the originating IP addresses and defense strategies. Protective measures include greatly increasing server capacity, while lack of international cooperation in combating cyber-crime remains the biggest obstacle to stopping it. “The thing to overcome is to make politicians aware of the problem. They think it will go away. But I’m not convinced it will,” says Peter Pedersen, chief technology officer of BlueSquare.com. “It will get a whole lot worse [first].” And it’s a whole lot easier to dodge the law in cyberspace than it ever was in Vegas.