Super Bowl fuels gambling sites’ extortion fears

In recent years, online sports betting parlors or “sports books” have fast supplanted the shadowy world of “bookies,” or professional bet takers in the U.S., Canada and Europe, growing into a multibillion dollar industry, despite official disapproval from Washington, D.C. lawmakers and U.S. religious conservatives.

But with the biggest sports-wagering event of the year, the U.S. National Football League’s (NFL’s) Super Bowl, just days away, proprietors of many online sports books are worried more about their bandwidth than betting patterns, and wondering whether their biggest day of the year will also be their last day in business.

With little notice by law enforcement or the outside world, online sports betting parlors, or sports books, have suffered a plague of sustained distributed denial-of-service (DDoS) attacks in recent months that have knocked some Web sites offline for days or weeks. Other sites have been forced to pay protection money to keep their gambling operations online, and criminals are turning up the heat in preparation for the NFL’s biggest game of the season on Sunday, according to interviews with those familiar with the problem.

“I expect that on Sunday, during the Super Bowl, you’re going to see a lot of (sports betting) Web sites down. I know it for a fact. Everybody’s scared.” said Ido Raviv, company manager at Netgames Inc. of Belize City, Belize, which runs the Yahoops.com online sports book.

The trouble usually starts with an ominous e-mail and a sudden and unmanageable surge in Internet traffic, according to Amran Pena, an information technology consultant in San Jose, Costa Rica, who works with online sports books to secure their networks.

“Your site is under an attack and will be for this entire weekend. You have a flaw in your network that allows this to take place,” according to a copy of such an e-mail provided to IDG News Service.

For sports book Web site operators, the e-mail messages offer stark choices:

“You can ignore this email and try to keep your site up, which will cost you tens of thousands of dollars in lost wagers and customers, or you can send us $40k by Western Union to make sure that your site experiences no problems,” the message continues.

“They know that if they just send the e-mail, you won’t think it’s real. You’ll trust in your servers and bandwidth. But when you’re already down, the effect of the e-mail is much bigger and maybe you’ll be more willing to pay,” Yahoops’ Raviv said.

The amount demanded varies on the sports book’s size, ranging from $10,000 for small sites to $40,000 or more for larger operations, Pena said.

Typically, those behind the attacks offer “insurance” for a set period of time to companies that pay the extortion, he said.

For companies that ignore the threats, the online attackers wait for weekends and other high volume betting days to launch DDoS attacks, using thousands of compromised computers on the Internet to flood the target site with traffic, according to Pena, Raviv and others.

“This is almost identical to a Mafia protection racket,” said Dave Matthews, site administrator of Las Vegas Advisor, an online publication serving the gaming industry. (See: http://www.lasvegasadvisor.com.) “It’s the same as going into the store and saying ‘pay me and I’ll guarantee your store won’t burn down for a year.’ It’s just more high tech.”

The DDoS attacks plaguing online sports books began over a year ago, with intermittent attacks against larger sports book operations such as Pinnaclesports.com and Caribsports.com, Raviv said.

“At first it seemed like every week they chose one target and you’d hear about a sports book going down,” he said.

In the last four months, however, the volume of attacks and the number of sports books attacked have both increased. DDoS attacks are now an almost daily occurrence against at least one online sports book, and pressure is mounting as Super Bowl Sunday approaches, Matthews said.

“Just this weekend there were six or seven books attacked at the same time,” he said.

Those targets included www.bluegrasssports.com and www.betcascade.com, a reputable sports book that is used by many professional gamblers, Matthews said.

Bluegrasssports.com could not immediately respond to questions, and a spokesperson at Betcascade.com declined to comment.

However, many online sports books’ home pages show evidence of the attacks. Some now highlight toll-free numbers for placing bets and offer advice to bettors who cannot place wagers using their Web browser.

“Both phone and Internet traffic will be at a maximum on Sunday and we still do not know what the Internet Pirates next move will be,” reads a message on the homepage of Betcascade.com. The site lists phone numbers for wagering “if for what ever reason the Internet connection is un-available.”

These attacks are part of a new trend of e-commerce business extortion, including financial services companies as well as online gaming sites, according to Paul Lawrence, general manager at Top Layer Networks Inc. of Westboro, Massachusetts, which sells technology to thwart DDoS attacks.

The problem was unheard of a year ago, said Felicity Bull, a spokeswoman for the U.K.’s National High Tech Crime Unit. Now the agency is investigating several extortion attempts against U.K. companies, all involving sports betting.

Online sports books have borne the brunt of the DDoS attacks and extortion attempts in recent months because the sites are attractive targets, Lawrence said.

Unlike large financial services companies, most online sports books are small operations that often lack technical expertise. They are also flush with cash. Larger sites might keep anywhere from $300 million to $400 million on hand to cover bets, Las Vegas Advisor’s Matthews said.

The extortionists are also aided by the fuzzy legal status surrounding online sports betting operations, which are often located in Central America or the Caribbean to escape U.S. laws against sports betting, Matthews said.

Because they are located outside U.S. jurisdiction, the companies have little legal recourse against the extortion attempts, Matthews claimed.

“Do you think (U.S. Attorney General) John Ashcroft is going to come to the aid of some sports books that are being attacked? They could give a ‘you know what’ about them,” Matthews said.

Worsening the situation, some prominent sports books initially paid off the attackers to keep their sites online, encouraging more attacks, Matthews said.

Calls to the U.S. Federal Bureau of Investigation regarding the DDoS attacks were not returned.

There is widespread belief among bookmakers and gamblers that those responsible for the attack are located in Russia or Eastern Europe, beyond Western law enforcement’s reach, according Lawrence, Pena and others.

To stop the attacks, larger and more sophisticated sports books are using technology to fight back.

Lawrence said that the DDoS attacks have been a boon for Top Layer, which installed eight to 10 of their Attack Mitigator hardware appliances in the last month.

“I just received three new inquiries this morning that are urgent and need to be done now because of the Super Bowl,” Lawrence said.

Top Layer even offers emergency service for companies under attack.

“We send guys out on a plane with an (Attack Mitigator) box under their arm and they install it mid-flow,” he said.

At Yahoops.com, technical staff responded to attacks by working with their Web hosting provider to increase the bandwidth to their site to make it harder to knock offline, Raviv said.

The company also developed an internal solution called a “dispatcher,” which is modeled on technology used by distributed computing company Akamai Technologies Inc. and dynamically moves the Yahoops.com Web site between different IP (Internet Protocol) addresses to sidestep attacks, he said.

If nothing else, the sustained attacks might force collaboration in an industry long characterized by fierce competitiveness and mutual suspicion, according to Matthews.

“Companies are going to have to work hard and spend money to upgrade their computers. And they’re going to have to share information. They have a common goal and they have to help each other to find a solution,” he said.