Extortion Online

It's the kind of E-mail that grabs you by the collar and doesn't let go. On a Saturday afternoon last January, a message hit the in-box of BetCBSports.com, threatening to knock the online gambling site offline in prime sports-betting season if the company didn't pay up.

"You have 3 choices. You can make a deal with us now before the attacks start. You can make a deal with us when you are under attack. You can ignore us and plan on losing your Internet business," the E-mail read.

It was no bluff. Within three hours, the site was taken down by what's known as a distributed denial- of-service attack. The first attack lasted five minutes and then ceased. "They were showing us what they could do," says Thomas Burns, who runs the business-technology systems for what's now known as WagerWeb.com, operated by CasaBlanca Gaming.

Such threats happen more often than most people realize. A survey by Carnegie Mellon University's H. John Heinz III School of Public Policy, in conjunction with InformationWeek's Summer Research Fellowship, found extortion attacks are surprisingly common: 17% of the 100 companies surveyed say they've been the target of some form of cyberextortion. The study, authored by graduate student Gregory M. Bednarski, queried small and midsize businesses about cyberextortion and other types of computer fraud.

The findings come as no surprise to FBI special agent Thomas Grasso, who helped with the study. "The majority of the cybercrimes we investigate involve some type of monetary motivation," Grasso says. "This business of people going out and compromising sites just to prove how much they know is a myth."

WagerWeb was knocked offline for about a day, says Dan Johnson, senior VP and senior oddsmaker at the site. Rather than pay off the attackers, the company called on its technical forces to build a defense and enlisted the help of Internet security-services provider Prolexic Technologies Inc. The vendor's services, at about $100,000 a year, aren't cheap. But, "I'd rather pay the $100,000 than pay the extortionists," Johnson says. The gamble paid off. "As soon as we got the service running, the attack stopped," technology manager Burns says.

Cyberextortion mostly travels under the radar, but not always. Earlier this year, Myron Tereshchuk, 42, of Maryland, pleaded guilty to one count of attempting to extort $17 million from intellectual-property company MicroPatent LLC. He faces up to 20 years in jail. Tereshchuk threatened to leak confidential information and launch denial-of-service attacks against intellectual-property attorneys worldwide if he wasn't paid.

In January, Thomas Ray, 25, of Mississippi, was indicted for allegedly claiming to have found a security flaw in Best Buy Co.'s systems and threatening to expose and exploit that flaw unless he was paid $2.5 million. A trial is expected this fall. And last year, Kazakhstan hacker Oleg Zezev was sentenced to 51 months for illegally entering Bloomberg L.P.'s systems and threatening to disclose the break-in if he wasn't paid $200,000.

Most extortion plans fail. According to Carnegie Mellon's survey, 70% of those threatened with extortion say the attempts were unsuccessful.

But it's a growing problem nonetheless. Networks with anywhere from a couple of hundred to tens of thousands of compromised systems that can be used to launch distributed denial-of-service attacks have increased sharply this year, says Vincent Weafer, senior director of Symantec Corp.'s Security Response service. The vendor tracks these attack networks, which are set up by "criminals who want to use them for profit," Weafer says. In six months, they've swelled from 2,000 to more than 30,000, he says.

Small and midsize businesses often believe cyberextortionists aren't interested in them because they're too small, with 68% of the companies in the Carnegie Mellon survey responding that they're at no or low risk. But Bednarski warns that's false comfort. "Being a small company may actually increase your risk," he says. "The extorters are scanning the Internet for vulnerable systems, and it's no skin off of their nose to send out letters demanding $5,000. If 10% of the companies pay, the extortionist is sitting pretty."

Moreover, many companies aren't taking necessary precautions. Only 21% of companies in the Carnegie Mellon study have formal training programs to teach employees how to respond to security breaches, and only 37% have performed security assessments in the past six months.

Perhaps more unsettling: 45% of companies express a lack of confidence in their technical department's ability to respond to security incidents. "More companies clearly need to raise their security posture," Symantec's Weafer says.

Otherwise, they may find themselves scrambling in the midst of an attack, as WagerWeb did. Now, the online site is better prepared to stand firm against a threat, should one arise. Says Johnson: "We won't give in."