[ISN] Feds thwart extortion plot against Best Buy

From: InfoSec News (isn@private)
Date: Wed Jan 07 2004 - 04:32:08 PST


    Forwarded from: William Knowles <wk@private>
    
    http://www.startribune.com/stories/535/4304797.html
    
    David Phelps
    dphelps@private
    Star Tribune 
    January 7, 2004 
    
    Federal authorities said Tuesday they thwarted an extortion plot
    against Best Buy Co. Inc. by a man who sent the company an e-mail
    threatening to expose what he claimed were weaknesses in the
    retailer's computer system unless he was paid $2.5 million.
    
    Thomas E. Ray III, a 25-year-old Jackson, Miss., resident, made his
    first Minnesota court appearance Tuesday before U.S. Magistrate Judge
    Earl Cudd. He pleaded not guilty and was released on $10,000 bail.
    
    Ray faces two felony charges of making extortion threats to damage
    property or reputation and extortion threats to damage computers. He
    is being represented by Minneapolis attorney Rick Petry.
    
    He was indicted in federal court in Mississippi in mid-December and
    accused of making a series of threats in October to Richfield-based
    Best Buy about the security of its BestBuy.com site. No security
    breaches were made into the system, Best Buy said.
    
    Federal investigators became involved after security officials at Best
    Buy contacted federal authorities about the demands. The Minnesota
    CyberCrime Task Force also took part in the investigation, as did
    America Online and Netscape, Internet service providers that Ray used.
    
    According to the indictment, Ray made the e-mail demands to Best Buy
    under the name and Internet address of "Jamie Weathersby, IPC Corp."
    
    According to an FBI search warrant, the first e-mail demand came on
    Oct. 16. It said there was a flaw in Best Buy's Web site that would
    allow the sender to "review all customer accounts and assume complete
    ownership of www.bestbuy.com by moving it to another register or
    server."
    
    The e-mail also offered to establish an unspecified business
    relationship between the sender and Best Buy, adding: "Without your
    response, we are obligated to share the security hole with the public
    for their protection. As a result, Best Buy may experience a loss in
    business, thefts and lawsuits."
    
    The search warrant, which had been kept under court seal until this
    week, said a Best Buy employee attempted to respond to gain more
    information from the sender but could not locate any firm called IPC
    Corp.
    
    A second e-mail came the next day offering "a step-by-step summary of
    how we were able to penetrate your Web site" for $2.5 million. If Best
    Buy did not agree to the deal, the e-mailer said he would list all of
    Best Buy's customers and their credit card numbers on BestBuy.com.
    
    Best Buy then contacted the e-mailer and on Oct. 22 received another
    demand for $2.5 million. The money would have to be paid by Oct. 24 or
    Best Buy customer information would be posted online Oct. 27, the
    e-mailer said.
    
    The federal search warrant was obtained the morning of Oct. 24 and
    allowed the FBI, with Best Buy's cooperation, to use an Internet
    device known as an Internet Protocol Address Verifier. It contained a
    program that automatically sent back a response to Best Buy after the
    company sent a message to the e-mail address. The response allowed
    investigators to identify Ray as the sender of the e-mail threats,
    according to the government.
    
    Assistant U.S. Attorney Paul Luehr said the address verifier was one
    of several investigative tools the government used to track Ray down.
    
    "It was a tool that helped us confirm that other leads were moving in
    the same direction," said Luehr, who declined to discuss details of
    the investigation.
    
    Ray faces a maximum of two years in prison and a $250,000 fine for
    property and reputation extortion. He faces a maximum sentence of five
    years in prison and a fine of $250,000 for threats to damage
    computers.
    
    
     