DDOS Attack Extortionists Targeting Online Gambling Sites in Recent Weeks

The never-ending battle between online commerce accessibility and extortion attempts by organized-crime elements has returned to the general sphere of online gambling in recent weeks.  It’s an old, old problem, almost as old as the Internet itself, and every year or two public knowledge of a new wave of attacks against gambling-related sites emerges.

Several recent feature stories and corporate postings indicate that yet another wave of such DDOS (Distributed Denial of Service) attacks has been occurring, seeking to block customer traffic to online websites until the sites pay the extortionists’ demands to stop the attacks.

Among the sites and networks known or alleged to have suffered such attacks in recent weeks are Unibet, Betfair, PokerStars (which now offers far more than just poker across its European market), Winamax, TonyBet, and even a small Malta-based operation called Betat that operates a handful of tiny, very-grey-market sites targeting largely US-based players.  (Given that Betat is a long-term spamming operation that has recently begun sending cell-phone text spam to its own set of victims, it’s hard to get too worked about that one, but they’re on the list nonetheless.  In this author’s opinion, spamming is itself its own form of theft.)

Traditionally, sports betting sites have been targeted by such extortionists in the days and weeks prior to major sporting events, such as the FIFA World Cup or American football’s Super Bowl.  The modus operandi behind the extortionists has always been the threat of denying service to these companies’ online portals during their peak periods.  A typical DDOS extortion attack typically employs networks of thousands of corrupted computers, all infected by viruses without their owners’ knowledge, being manipulated by the attackers to send repeated bursts of online traffic to the targeted sites.

Since even the largest online sites have limits as to how much bandwidth they have available at any given moment, such attacks — and the targeted sites’ responses to them — have long been an ever-escalating cat-‘n-mouse game, in which the sites and their Internet services employ ever-stronger methods to block the bogus traffic, while the attackers themselves add more and more weapons and ways of generating bogus traffic to clog the sites.

One of the sad parts of online commerce’s history is that quite often, the companies being targeted have paid the blackmail.  Paying blackmailers is of course, in no one’s best long-term interest; it’s a prime example of a theory called “the tragedy of the commons.”

The blackmailers themselves have, traditionally, originated from Eastern European countries, often with the tacit approval of local government officials.  Such rings have been busted in the past in Russia (more than once), Poland and the Ukraine, but the cost of living in the these countries’ major metropolitan centers often exceeds what computer programmers are often paid, leaving wide swaths of technically-skilled Internet coders with incentive to earn income in less-legal ways.

Sports betting sites aren’t also the only entities targeted.  Online-poker sites are even more frequently targeted, as are major MMP gaming sites.  Because of the high interactivity and dedicated connection to host servers that these gaming forms require, they’re even more susceptible in some ways than sports betting operations.

Other commerce channels are often targeted as well, particular those that have been shown to be profitable in generating large amounts of small- to medium-sized payments and transactions.

One of the latest twists, according to the reports recently published, is an increasing insistence by the extortionists to be paid via Bitcoin or similar largely-anonymous virtual currencies.  According to a CalvinAyre.com, tiny Betat paid 10 Bitcoin (about US $2,200) to the extortionists to stop the attack.

There’s little indication that the attacks will stop any time soon.  The various Eastern European governments have generally shown little interest in getting involved in cases and crimes that don’t involve their own country’s commerce, and the criminals have, for the most part, steered clear of major Eastern European sites.  Non-governmental groups such as Anonymous have occasionally shown interest in pursuing the criminal groups, though little has come of those efforts as well.

Much like shoplifting, DDOS attacks are a crime which eventually costs all of us money.  The blackmail paid to the criminals eventually gets added in some form to the fees charged to legitimate customers on other bets.  Some day perhaps, major governments will unite to find a way to put these criminals out of business for good.

But as the recent headlines attest, we’re not there yet.