Growing Number Of Hackers Attack Web Sites for Cash

[R.A. Hettinga]

<http://online.wsj.com/article_print/0,,SB110176932097886077,00.html?mod=home%5Fpage%5Fone%5Fus>

The Wall Street Journal


 November 30, 2004

 PAGE ONE


Virus for Hire
 Growing Number
 Of Hackers Attack
 Web Sites for Cash
Entrepreneur Asked a Team
 To Mastermind Strikes
 Against Rivals, U.S. Says
WeaKnees on Its Knees

By CASSELL BRYAN-LOW
Staff Reporter of THE WALL STREET JOURNAL
November 30, 2004; Page A1


On Oct. 6, 2003, an electronic attack overwhelmed the Web site of
WeaKnees.com, an online seller of digital video recorders. As the attacks
escalated over several weeks, the e-mail system was knocked out, customers
couldn't access the Web site, and the Los Angeles retailer says it suffered
about $200,000 in lost sales and costs for fixing the system.

U.S. law-enforcement officials who later investigated the electronic
assault came to a disturbing conclusion: It wasn't masterminded by a
typical hacker, motivated by the thrill of the crime. Instead, the attack
on WeaKnees appeared to be the work of a new breed of cyber-mercenaries who
are paid to unleash viruses.

The man who allegedly made that payment is Jay R. Echouafni, a 37-year-old
entrepreneur from Sudbury, Mass. Rebuffed by WeaKnees over a proposed
business deal, Mr. Echouafni attacked the company's Web site, according to
law-enforcement authorities.

In August 2004, Mr. Echouafni was indicted by a federal grand jury in Los
Angeles on charges of criminal conspiracy and launching destructive
computer attacks against WeaKnees and two other firms. Mr. Echouafni has
since fled, a prosecutor says. Five other defendants are named in a
criminal complaint for their alleged role in the attacks, but haven't yet
been indicted.


Traditionally, computer hackers have invented viruses primarily for the
sake of the bragging rights. But now hackers are mixing with fraudsters and
organized-crime rings, law-enforcement officials say. Increasingly viruses
are being used illegally for financial gain, and they are becoming part of
the modern criminal's toolbox.

"The things that used to be just nuisances have been picked up by financial
criminals," says Alan Paller, director of research at the SysAdmin, Audit,
Network, Security Institute, known as SANS, an organization for
computer-security professionals in Bethesda, Md.

The Internet's growth has led to a surge in cyber-crime, including identity
theft and online fraud. The Federal Bureau of Investigation ranks
cyber-criminals as its third-biggest priority after terrorists and spies.
The United Kingdom's National Hi-Tech Crime Unit has made more than 100
arrests related to major computer crimes since it was set up three years
ago.

The U.S. Department of Justice employs about 38 attorneys in its
computer-crime section, up from three a decade ago. About half focus on
viruses and other computer intrusions. The toll of viruses on business, in
terms of lost revenue and repair costs, could hit $17.5 billion this year,
up from an estimated $13 billion in 2003, according to Computer Economics
Inc., a research firm in Aliso Viejo, Calif.

It isn't known how much of that stems from financially motivated attacks,
but law-enforcement officials say that their frequency is rising sharply.
The growth in such attacks is driven by a new family of viruses that lets a
person control large numbers of computers in order to, say, attack a
corporate Web site.

About a year ago, a Russian gang started using a network of virus-infected
computers to shut down legitimate British gambling sites and blackmail the
operators into paying hundreds of thousands of pounds, according to the
U.K.'s high-tech crime unit.

Computer viruses are notoriously hard to track. Mr. Echouafni's trail, for
example, runs from Massachusetts and California to Germany and Britain.

In a phone call made recently from an unknown location, Mr. Echouafni
denied the federal charges. "I had nothing to do with the attacks," he
said. He said that he had been the target of Web attacks himself, and that
he had reported them to the FBI. Mr. Echouafni declined to comment further
on the allegations. A prosecutor confirmed that the FBI had received Mr.
Echouafni's report.

Jay Echouafni, who also goes by the first name Saad, is of Moroccan origin,
according to a U.S. prosecutor. A heavy-set man with green eyes, he came to
the U.S. as a teenager and became an American citizen, the prosecutor says.
Until recently, he lived in Sudbury, an affluent suburb of Boston, with his
wife and their three children. They occasionally returned to Morocco where
Mr. Echouafni maintained business interests, added the prosecutor. Mr.
Echouafni's company, Orbit Communications Corp., sold gear such as set-top
boxes that receive signals for satellite-TV systems, according to court
filings. He also dabbled in software development, the prosecutor says.

Former business acquaintances describe him as bright, hard-working and
computer-savvy. He could also be tough. "We had lots of problems with him,"
says Lee Taylor, chief executive of Perfect 10 Satellite Distributing Inc.,
a company in North Little Rock, Ark., that sold millions of dollars of
equipment to Mr. Echouafni over the past few years. Mr. Echouafni often
would badger the distributor's employees to lower their prices, according
to Mr. Taylor.

The case against Mr. Echouafni and his co-defendants is in its early stages
and not all the facts are known. Some alleged participants couldn't be
reached. But the case provides an early glimpse into the burgeoning world
of viruses-for-hire.

Business Proposal

In early 2003, Mr. Echouafni approached WeaKnees.com with a business
proposal: In a move that would have broadened his company's product range,
Mr. Echouafni wanted to distribute upgrade kits sold by WeaKnees, which
extend the recording time of digital video recorders, says Michael Adberg,
co-owner of WeaKnees. Mr. Adberg says he turned down the proposal in part
because he worried it would give Mr. Echouafni significant control over
WeaKnees's business.

Apparently annoyed by the rejection, Mr. Echouafni contacted Paul G.
Ashley, owner of a Powell, Ohio, company with whom he did business,
according to the indictment. Mr. Ashley's company rented out large
computers that run Web sites, the indictment says. Mr. Echouafni said that
some competitors were bothering him and asked Mr. Ashley to attack their
Web sites, according to the indictment and complaint.

Three companies were targeted, including WeaKnees and Rapid Satellite, a
Miami company that directly competed with Mr. Echouafni's business of
selling home satellite-TV systems, according to the indictment. Mr. Ashley
sent their Web addresses to Lee G. Walker, a business associate who lived
in the U.K., according to the complaint. Mr. Walker's weapon of choice for
the job was a piece of malicious computer code known as a bot virus, the
complaint alleges.

Richard Cline, a lawyer in Columbus, Ohio, for Mr. Ashley, said neither he
nor his client had any comment. Mr. Walker couldn't be reached.

With a bot virus, a single person can hijack the power of thousands of
far-flung computers. Security experts believe that most spam is sent using
bots. The approach makes it easy for cyber-criminals to cover their tracks
since they act through other people's computers. The popularity of
high-speed Internet connections that are always kept on has also promoted
the spread of bots.

In Internet chatrooms, access to bot-controlled computers can be purchased
for anywhere from a few cents to $1 per machine. Of the 100,000 viruses and
worms that exist in cyberspace, bots are among the fastest spreading. Two
years ago only 200 bot-virus variations existed; today, there are about
4,000, according to F-Secure Corp., a Finnish antivirus software maker.

Mr. Walker later confessed to law-enforcement officials that he used
computers infected with a bot virus named "Agobot," according to the
complaint. Its creator was Axel Gembe, an unemployed 22-year-old who named
the virus after his own nickname "Ago." Mr. Gembe is a self-taught computer
whiz from a modest background who lives near Germany's border with
Switzerland.

Mr. Gembe gained notoriety in the hacker world last fall for breaking into
the systems of a U.S. videogame developer, Valve Corp., and stealing code
for the sequel of a popular computer game called "Half-Life." Key parts of
the game were leaked via the Internet, causing millions of dollars in
damage, Valve says.

German police arrested Mr. Gembe in May for his alleged role in the theft
of the videogame code and for his involvement in the attacks that Mr.
Echouafni allegedly instigated. Mr. Gembe hasn't been charged with any
crime. Police say they are still investigating.

In an e-mail response to questions, Mr. Gembe admits to taking the
videogame code but denies leaking it. He also acknowledges writing Agobot,
but says that he doesn't know how Mr. Walker obtained the virus.

Mr. Walker used 5,000 to 10,000 hijacked computers to attack the WeaKnees
and Rapid Satellite sites, according to the U.S. complaint. After initial
assaults shut down the Web sites, Mr. Echouafni contacted Mr. Ashley by
phone and praised him and others for doing "a good job," according to the
indictment and a prosecutor. He also paid Mr. Ashley $1,000, the complaint
says. Mr. Echouafni acquired Mr. Ashley's company and retained him as a
systems administrator, for an annual salary of $120,000, according to the
indictment and criminal complaint. Mr. Ashley transferred $900 to Mr.
Walker in England, the prosecutor says.

Around the same time, Mr. Ashley allegedly recruited another hacker, Joshua
J. Schichtel from Chandler, Ariz., and asked him to launch his own attacks
against the Web sites, according to the criminal complaint, which also
names Mr. Schichtel as a defendant.

Pressing the Attack

"Destroy it...heheh," Mr. Ashley wrote Mr. Schichtel in an electronic
message, according to the complaint. When Mr. Schichtel told him that one
of the companies had changed network addresses six times, Mr. Ashley told
him to keep attacking the site, the complaint says. Mr. Schichtel couldn't
be reached for comment.

The attacks against WeaKnees ran from early October until mid-November
2003, according to the complaint. During that time, the Web site was
periodically shut down, making it difficult for customers to reach the
company, says WeaKnees.

In early October 2003, Rapid Satellite's site also was attacked. While Nick
Molina, chief executive of Rapid Satellite's parent, WebClick Concepts Inc.
of Miami, was struggling to get his systems running again, he says he
received an unusual call. Mr. Echouafni offered to host Rapid Satellite's
site for $5,000 a month. In an interview, Mr. Molina contends that Mr.
Echouafni wanted "to see the pain I was going through" and "extort money
from me."

The three target companies, in total, suffered more than $2 million in lost
revenue and costs, according to the complaint.

The FBI, meanwhile, traced digital fingerprints left by the hackers to the
company that Mr. Walker worked for, and then to Mr. Walker himself,
according to the complaint.

When U.S. and British law-enforcement agents interviewed Mr. Walker on Feb.
11, he admitted launching the attacks, according to the complaint. Three
days later, FBI agents searched Mr. Ashley's home in Ohio, and he, too,
confessed, according to the complaint.

Mr. Ashley, Mr. Walker and Mr. Schichtel are among five defendants named in
the criminal complaint. None of them has been indicted.

The FBI eventually gathered enough evidence to go after Mr. Echouafni. When
he learned about the Ohio search, Mr. Echouafni and his family flew to
Morocco, the FBI says. He and his wife returned to Boston on an Air France
flight on March 11, where he was arrested by waiting FBI officials, the
agency says.

Sometime after that, Mr. Echouafni jumped bail; prosecutors believe he has
fled the country.


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'