PhD Student Arrested in Blackmail Attempt

Another e-commerce company has been blackmailed by a computer criminal.

FBI Wednesday arrested a 36-year-old PhD candidate at Colorado State
University, in connection with an attempted extortion plot against Audible Inc.

Nelson Robert Holcomb is charged with sending a series of threatening emails
last month to the New Jersey-based Audible, which sells downloadable
spoken-audio content and has investors including Microsoft Corp. and Compaq Computer Corp.

Using a anonymous Hotmail account, Holcomb, a graduate student in the
chemistry department at CSU, allegedly claimed he had discovered a way to
download Audible’s content for free, and threatened to alert the media about
the vulnerability unless Audible met his demands.

Audible relies on the “One-to-One” ecommerce and content-delivery software
from BroadVision Inc. Other customers using the same technology for their
web sites include HomeDepot, American Airlines, Cyberian Outpost, Circuit
City,, and Sears.

Audible representatives did not respond to interview requests. A BroadVision
spokesperson confirmed that Audible was a customer, but was not aware of the
case prior to being contacted by InternetNews.

According to Elias Levy, chief technology officer for security information
firm, there are no widely-known security vulnerabilities
in BroadVision’s
products. Unlike ecommerce software from smaller providers, which have
recently been found to contain security holes, expensive packages like
BroadVision’s are not subject to the same kind of probing by hackers,
according to Levy.

“They are large and complex packages that usually don’t provide a free
download you can test. That’s not to say they are worse or better than other
software, but they haven’t been audited by the people who usually poke at
software to find problems,” said Levy.

According to the criminal complaint filed by the U.S. Attorney in New
Jersey on May 23rd, Holcomb essentially delivered himself on a silver
platter to the FBI.

In an e-mail ransom note on April 29th, a person calling himself “Tupelo”
demanded, in exchange for his silence, cash equal to the value of the
Audible site’s content, a new Volvo station wagon, two Diamond Rio digital
audio players, and unlimited, free downloads of Audible content.

The company agreed by e-mail on May 2 to all but the cash demand. The next
day, a person using an account at Colorado State University e-mailed back to
Audible, identifying himself as Rob Holcomb, giving a Fort Collins phone
number and mailing address for delivery of the ransom merchandise. Holcomb
later also allegedly sent a fax to Audible from a machine in the CSU
chemistry department.

FBI agents subsequently arrested Holcomb Wednesday at his home. If convicted
of the extortion charge, he could face two years in federal prison and a
fine of 250,000 dollars.

Last January, an attacker calling himself “Maxus” attempted to extort
$300,000 from online music seller CDuniverse in exchange for information
about a security hole at the site that enabled him to steal several hundred
thousand customer records, including credit card numbers. When CDuniverse
refused to pay, Maxus posted 25,000 of the credit card numbers at his web
site. The FBI investigation of that case is still ongoing.

While it’s possible that Holcomb may simply have been bluffing about having
found a security hole at the Audible site, according to the U.S. Attorney’s
complaint, Holcomb has been ordered by a Denver judge not to disseminate any
information about the victim company.

News Around the Web