Low Cost Web Hosting Guide


Commercial websites taken hostage

May 10, 2004

Jay Broder, president of CSI Mid-South, also known as Card Solutions International, said the company received an e-mail in early April that threatened to cripple his site if he didn't send money. Broder assumed the e-mail, and another one sent the next morning, were idle threats among the spam he receives daily.

As a result of this, the FBI is investigating the owner's claim that his Web site was brought down for about a week, after he refused to pay $10,000 to a blackmailer who sent his threats via e-mail.

But on April 8, hours after the second e-mail threat, his site went down. It stayed down for most of the week, inaccessible by customers of his business, which processes online credit-card transactions.

A barrage of traffic apparently overwhelmed his Web site, much like repeated telephone calls to one number that result in busy signals. The attack, called a distributed denial of service, is typically pulled off by hackers who use computer programs to sneak through the Internet into unprotected computers, then use those computers to launch a traffic onslaught to one Web site.

"Because of the way computers work, when they get overwhelmed, they simply give up and shut down," said Jim Graham, director of the University of Louisville's Information Technology Resource Center, which provides support to emerging technology companies.

The traffic stopped when Broder changed Web hosting companies and got a new IP address, which is like an Internet phone number.

David Beyer, spokesman for the FBI in Kentucky, said his office opened an investigation two days after the CSI site, www.authorizeit.com, went down.

Beyer wouldn't comment on any specifics of Broder's case because it is still being investigated.

E-mail extortion threats, sometimes called cyberextortion, are new to the Louisville area, but they surfaced this year with online gambling sites in London.

Robert Richardson, editorial director for the Computer Security Institute in San Francisco, an educational group funded by technology professionals, said the gambling sites were threatened with extortion right before the Super Bowl, when they stood to lose huge amounts of money if people couldn't bet.

The attacks are still being investigated. Tom Troutman, president of Louisville's Network Advocates, a company that provides information technology services, said it's rare to get a denial of service attack coupled with extortion — especially against a small company.

Richardson, too, said the only attacks he knew of that were tied to extortion were the ones against the online gambling companies.

"It takes a fairly concerted effort to mount a distributed denial of service attack," he said.

While denial of service attacks are increasing, targets have typically been large companies.

Yahoo was shut down for about three hours one day in February 2000. Ebay, Amazon.com, CNN.com and Buy.com all were attacked two days later.

At the time of the attack, Jeff Mallett, former Yahoo president and chief operating officer, said that the company's site was getting more fake traffic in one second than it sometimes gets in a year.

Instead of money, these criminals typically want fame, Richardson said. "It's a way of showing hacker power — jumping up and down and bragging to your friends to say you took down Johnny's Drug Store is not nearly as exciting as saying you took down the White House."

Broder said he's not sure why he was a target and doesn't know of anyone, in business or personally, who would be out to get him.

His clients are predominantly small businesses, and many are out of state. CSI Mid-South sells hardware and software to help companies with credit-card payment systems and also sets up e-commerce systems for businesses that want to sell online.

Experts say denial of service attacks, unlike hacking situations, aren't an attempt to get sensitive information. They block legitimate information trying to get in.

Broder said his hosting company, Hosting.com of Boston, told him he was the target of a distributed denial of service attack. Hosting.com officials did not return calls seeking comment.

The first e-mail Broder received said his site had been targeted for attack, and offered two scenarios for how he might proceed:

"You can ignore this e-mail and try to keep your site up, which will cost you tens of thousands of dollars in lost wagers (sic) and customers, or you can send us $10k by Western Union to make sure that your site experiences no problems," the e-mail read, adding that if the money wasn't sent, Broder's site would be attacked each weekend for the next 20 weeks, or until he went out of business.

The blackmailer later provided several names to whom Broder was supposed to send the money in Latvia.

Broder responded, threatening to turn the attacker in, and got this reply:

"Don't be stupid. Write to us when you will (sic) ready to pay." The attack began the next day. Though Broder's hosting company got the site back up for a little while, the flood into the Web site started again. After being down for almost a week, and arguing with his hosting company over costs of additional security, Broder changed hosting companies.

A week later, on April 15, his site was back up. It's been up since then. Broder said the new company, ValueWeb, said it had extra protection from attacks. But Broder also got a new IP address, and experts said the attacks might still be going to the old IP address.

Troutman said it's more common, however, for an attacker to target the domain name, so that the company couldn't get away from attacks unless it changed its site.

Richardson said it would be hard for a company the size of CSI Mid-South to totally protect itself from attacks.

"In this scenario, you don't have a lot of options," he said, because protection is too expensive or beyond the reach of most small-business owners.

The solutions, like buying more servers so the site would be harder to overload, are costly. And small-business owners typically don't have enough control over the systems to stop traffic before it floods them.

The FBI has had some success in tracking down people responsible for denial of service attacks, Beyer said. But experts say there are challenges, especially with experienced criminals. Though the header on an e-mail holds information about where it's coming from, the information has to be subpoenaed from the hosting company, and headers can be forged. Also, since attackers hide behind the infected computers, it's harder to find them.

Broder, who does 90 percent of his business through the Internet, said the problems have cost his business thousands of dollars through lost time and sales. Plus, he said the attack could have damaged his reputation with customers who tried to reach him and couldn't.

"When everything you do is e-mail and you can't e-mail, you have a problem," he said. Broder gets much of his e-mail through his Web site, which forwards e-mail to his regular inbox.

Now he's just trying to catch up on missed business. "I'm up and running, and that's all I care," he said. "But I hope they catch the gentleman — that's a nice way of putting it."


Source: Courier-Journal.com

Copyright © LCWHG.org