Your money or your site

Paddy Power is not alone in suffering at the hands of cyber criminals. Online crime is big business - and it's growing, writes Conor Pope.

There are no bodies bundled into moving cars, no threats of physical violence and no staccato telephone calls being traced by granite-faced, chain-smoking detectives. There is nothing, in fact, but a sudden surge in visits to your website followed by a short e-mail threatening to continue directing bogus traffic your way unless a ransom is paid.

Welcome to crime in the 21st century. On the night of February 4th, the online arm of Paddy Power's bookmakers, paddypower.com, was rendered temporarily inaccessible after it was flooded with requests for information. The following morning the company received a ransom demand.

Paddy Power is not alone in being targeted by a Distributed Denial of Service (DDOS) attack. Last week, a police conference in Britain was told cybercrime had cost companies in the UK hundreds of millions of pounds in lost revenue in 2003.

"While it is too early to put an accurate figure on the total financial impact for UK businesses, all the indicators suggest that we are talking about billions rather than millions," Len Hynds, head of Britain's National High-Tech Crime Unit (NHTCU), told the e-Crime Congress in London.

The biggest target is the financial sector - three financial services firms in Britain reported cybercrime-related damages totalling more than £60 million last year, the congress heard.

Another target is bookmakers. For more than a year, criminals have been threatening to paralyse bookies' websites before major sporting events with DDOS attacks.

Launching such attacks is not hard because, despite what many people think, computers are not smart. If you send a message to a website saying hello it is duty bound to respond. If you send a message saying hello one hundred times it will respond one hundred times.

By sending thousands of messages from one computer requesting a large amount of information from another, cyber criminals can run the crudest of DDOS attacks. They don't even have to write the code to do it as that can be readily found online.

Once a DDOS starts and a website is flooded with information requests, it becomes almost completely jammed. The potential cost for e-commerce operations, particularly time-critical businesses such as bookmakers, is hundreds of thousands of euros.

It was such an attack which rendered paddypower.com almost inaccessible. "It was like 100 people trying to get in the door of a bookies at exactly the same time," a Paddy Power spokesman says. "Some people were able to get in but most couldn't."

The following day Paddy Power received an e-mail demanding a relatively small sum, between €10,000 and €420,000, or the DDOS attack would be repeated. As soon as the e-mail was received, the bookmakers contacted the gardai and the NHTCU in London, as the company's Web server is on the Isle of Man.

At least four other bookmakers have also been targeted this year. "It is not a Paddy Power issue, nor is it a betting issue. This could happen to any company which deals in e-commerce," says a company spokesman.

People in the gambling fraternity are now offering short odds on cyber criminals attacking bookies' sites in the run up to the Grand National. But Paddy Power is hopeful it will escape. "We have contacted our service provider and they have assured us that they have remedied the problem," the spokesman says. "We can never say never but the experts are working to protect us."

Protection is immensely difficult given the nature of the attacks, according to George Walker, ireland.com chief software engineer. "Defence has to be done on a case-by-case basis. There is no sure-fire way of protecting your system," he says. "The fact that sites like Yahoo! and CNN can be brought down by DDOS attacks, shows how hard it can be to protect your business."

Just how difficult protection can be is illustrated by the response of WorldPay - a firm that administers online payments - to a sustained attack late last year. The company, which is owned by the Royal Bank of Scotland, had no option but to change its web server's address to halt the assault - the computer equivalent of changing your telephone number because of repeated obscene calls.

Another problem in the fight against cybercrime is the absence of legislation offering protection. Earlier this week, the Netherlands became one of the first European countries to address the problem with a move towards compliance with the Cybercrime Convention signed in 2001 by the Council of Europe, the US and Japan but yet to come into force.

The Dutch government published draft legislation targeting those behind DDOS attacks. Soon, anyone who distributes messages intending to overload networks or crash computers risks a one-year jail sentence, because the effects "can be even more devastating than a computer break-in", a government spokesman said.

The Minister for Justice, John O'Donoghue, signed the Cybercrime Convention in 2002 but the Government has yet to ratify it and will be unable to do so ahead of legislative changes to be proposed in an upcoming Criminal Justice Bill.

While DDOS attacks are a costly and often criminal nuisance, they are not what keeps cyber-cops awake at night. Viruses and worms pose a much more severe threat to Internet welfare. The Sobig worm which did the rounds last year is just one that is causing international concern.

It was released on six separate occasions in 2003 and each time it shut down after a few days or weeks. Every time it reappeared, it had been modified slightly, suggesting that a single individual was behind the code. "It was a set of well controlled experiments," security expert Mikko Hypponen told the New York Times recently.

When it last appeared in August it was programmed to install a back-door enabling the anonymous author to seize control of a victim's computer. The motivation behind the Sobig author's actions is unclear. It is believed the culprit is based in Asia and experts fear a major attack on networks sometime this year.

It has been widely reported that the criminals behind the Paddy Power attack were a shadowy organisation also from the east. The truth of this has been impossible to ascertain as the cybercriminal leaves no paper trail. All that is certain is that the threat posed is real and growing.