RealTime IT News

PhD Student Arrested in Blackmail Attempt

Another e-commerce company has been blackmailed by a computer criminal.

The FBI Wednesday arrested a 36-year-old PhD candidate at Colorado State University in connection with an attempted extortion plot against Audible Inc.

Nelson Robert Holcomb is charged with sending a series of threatening emails last month to the New Jersey-based Audible, which sells downloadable spoken-audio content and has investors including Microsoft Corp. and Compaq Computer Corp.

Using an anonymous Hotmail account, Holcomb, a graduate student in the chemistry department at CSU, allegedly claimed he had discovered a way to download Audible's content for free, and threatened to alert the media about the vulnerability unless Audible met his demands.

Audible relies on the "One-to-One" e-commerce and content-delivery software from BroadVision Inc. Other customers using the same technology for their web sites include HomeDepot, American Airlines, Cyberian Outpost, Circuit City, Pets.com, and Sears.

Audible representatives did not respond to interview requests. A BroadVision spokesperson confirmed that Audible was a customer, but was not aware of the case prior to being contacted by InternetNews.

According to Elias Levy, chief technology officer for security information firm SecurityFocus.com, there are no widely known security vulnerabilities in BroadVision's products. Unlike e-commerce software from smaller providers, which has recently been found to contain security holes, expensive packages like BroadVision's are not subject to the same kind of probing by hackers, according to Levy.

"They are large and complex packages that usually don't provide a free download you can test. That's not to say they are worse or better than other software, but they haven't been audited by the people who usually poke at software to find problems," said Levy.

According to the criminal complaint filed by the U.S. Attorney in New Jersey on May 23rd, Holcomb essentially delivered himself on a silver platter to the FBI.

In an e-mail ransom note on April 29th, a person calling himself "Tupelo" demanded, in exchange for his silence, cash equal to the value of the Audible site's content, a new Volvo station wagon, two Diamond Rio digital audio players, and unlimited, free downloads of Audible content.

The company agreed by e-mail on May 2 to all but the cash demand. The next day, a person using an account at Colorado State University e-mailed back to Audible, identifying himself as Rob Holcomb, giving a Fort Collins phone number and mailing address for delivery of the ransom merchandise. Holcomb later also allegedly sent a fax to Audible from a machine in the CSU chemistry department.

FBI agents subsequently arrested Holcomb Wednesday at his home. If convicted of the extortion charge, he could face two years in federal prison and a fine of 250,000 dollars.

Last January, an attacker calling himself "Maxus" attempted to extort $300,000 from online music seller CDuniverse in exchange for information about a security hole at the site that enabled him to steal several hundred thousand customer records, including credit card numbers. When CDuniverse refused to pay, Maxus posted 25,000 of the credit card numbers at his web site. The FBI investigation of that case is still ongoing.

While it's possible that Holcomb may simply have been bluffing about having found a security hole at the Audible site, according to the U.S. Attorney's complaint, Holcomb has been ordered by a Denver judge not to disseminate any information about the victim company.