Something nasty was up. It was an autumn afternoon in the offshore gambling haven of Costa Rica. The banks of computers at online bookmaker Betcris.com whirred away, processing thousands of bets on the Cowboys, Patriots, and Buckeyes. All at once a flood of blank incoming messages inundated the computers, slowing traffic to a crawl. Within hours, the manager of Betcris.com, Mickey Richardson, received a threatening e-mail. The English was broken, but the message was clear: What he had experienced was a mere taste of a massive denial-of-service attack. If he wanted his computers to stay up and running through the football season, he was to wire a total of $40,000 to 10 different accounts in Eastern Europe.
This was the beginning of a wave of computer extortion that has raged through the $7.4 billion online-gambling industry for the past nine months. In that time hundreds of attacks have been launched against online casinos, say industry sources. Richardson, who refused to pay, struggled for three weeks to mount cyberdefenses as a digital shakedown gang subjected his network to escalating assaults. "They'd knock me down for a weekend, let me up on Monday, knock me down on Wednesday," he says. While Richardson held off, plenty of other online casinos in Costa Rica, the Caribbean, and Britain weighed the potential lost revenue and frayed customer relations -- and dealt out the protection money. "We had to pay it," says Kevin Martin, manager of eHorse.com, a Costa Rican operation that wired $30,000 to extortionists last fall.
With this step into extortion, denial-of-service attacks are becoming a lucrative racket. In the Web's early years, hackers unleashed similar attacks against the likes of Microsoft Corp. (MSFT )or the Recording Industry Association of America simply to strut their power or voice political grievances. Now they want cash. And online casinos make an easy first target. Illegal in the U.S., many are based in countries such as Costa Rica and Antigua, whose police are ill-equipped to battle sophisticated international cybercrime. Casino operators, some of whom face illegal gambling indictments in the U.S., grouse that the FBI does little to battle attacks against offshore gambling sites. The FBI declined to discuss the details of any investigations, but a spokesperson says that, as a matter of policy, "we pursue anything illegal on the Internet." Still, the U.S. agency keeps a far lower profile than its British counterpart. Online gambling is legal in Britain, and the country's National Hi-Tech Crime Unit leads the global hunt for these cybercriminals.
The extortionists may be just beginning to flex their muscle. Industry experts fear that they could soon target government operations, e-commerce companies, banks -- practically any organization with an online presence. While the worm attack that crippled Google Inc. and other search sites for hours on July 26 does not appear to be linked to extortion, it demonstrates that even the mightiest sites are vulnerable to floods of digital traffic. "It's only a matter of time before we have an extortion threat," says Peter J. Chambers, chief executive of Affinity Internet Inc., a Fort Lauderdale-based company that manages Web sites for 300,000 companies.
This rising menace will likely push companies both large and small to fortify their defenses against denial-of-service attacks. It also poses a growing challenge for police around the globe. On July 20, Russian authorities working with British police notched a notable success. Following a trail of payments, they arrested three Russians in St. Petersburg who were allegedly linked to online-gambling extortion. Still, experts say other syndicates carry on. "We've identified at least five groups, including two from China and one from the Middle East," says James B. Herrera, president of Portcullis Technologies Inc., a cyberdefense company based in Miami.
These groups assemble vast armies of computers for their attacks. They enlist them by reaching into unsuspecting homes, universities, and corporate cubicles worldwide. The first step is to locate poorly defended computers, preferably with always-on broadband connections. The world is teeming with them. Next they circulate viruses that place tens of thousands of target computers under their control. These are known as zombies. The extortionists then mobilize their zombies to bombard the target server with torrents of requests for information. There are about a dozen variations of these denial-of-service attacks. But all of them either overtax the processing power of the servers at the gambling sites or jam up pipelines. The result is digital gridlock, effectively shutting down communications between the site and its customers.
For a gambling site, a shutdown before the Super Bowl or the Kentucky Derby can spell disaster -- lost revenue, angry customers, and a bad reputation. Each site has a high period of vulnerability, and gambling execs say the extortionists play these to a tee. They hammered American-oriented casinos during football season, hit horse bookmakers just as Smarty Jones bid for the Triple Crown at the Belmont Stakes, and stepped up attacks on European sites during June's soccer championships in Portugal.
Since last fall, hundreds of casinos have hurried to build defenses. Now an entire industry is responding to serve this growing market. Companies such as Cisco Systems (CSCO ), Juniper Networks, (JNPR ) and Top Layer Networks, a Boston area company, sell hardware to block these attacks. But the boxes, which average about $50,000, don't do the trick alone. So new service companies, such as Portcullis and DigiDefense International, are gobbling up contracts to customize defenses. They divert attacks onto their own networks, where they filter out the malicious messages.
Last fall's attack on Betcris.com provided a sobering look at the extortionists' power. For three frantic weeks, the attacks grew in force by a factor of 60. Richardson exchanged more than 100 e-mails with his assailants, who continued to raise their ransom demands. Finally, the hackers turned their attention elsewhere. Since then, says Richardson, his defenses have fended off further attacks.
The digital gangs' greatest vulnerability is when they collect the ransom. Last November, British police helped arrest 10 suspects in Latvia charged with collecting payments from British sites. "They were the mules who were just picking up the payments," says Colin Walker, general manager of Canbet, one of the British gambling sites that sent money to Latvia. Those low-level couriers, according to the police, provided information that led to the Russian arrests in July. For now it's in distant locales that these extortion battles are raging. But chances are this scourge won't stay offshore for long.
By Stephen Baker in New York, with Brian Grow in Atlanta