Man charged with $1 million extortion hack at oDesk

He allegedly took over oDesk's domain name account and threatened to publish information on the Internet

Robert McMillan (IDG News Service)
Comments

An Indian man has been charged with breaking into a company's Internet domain name registration account as part of a US$1 million extortion attempt.

Chetan S. Bendale, of Pune, India, was indicted on computer hacking and extortion charges Thursday at the U.S. District Court for the Northern District of California in San Jose.

Two years ago he allegedly took over the MyDomain.com account of technology staffing firm oDesk and changed the password and administrative contact. On July 18, 2009, after oDesk had been locked out, Bendale starting sending oDesk executives "a series of threatening e-mails demanding that the company pay him one million dollars or he would sell oDesk's information or release it on the Internet," according to the grand jury indictment in the case.

To prove he had access to oDesk's account, Bendale e-mailed company executives a list of the more than 70 domains they had registered, along with the last four digits of one executive's credit card number, according to the indictment. Using the assumed name Rohit Kumar, he "claimed to have hacked oDesk's servers and demanded to be paid in exchange for information that would prevent future intrusions," the indictment states.

On Friday, oDesk said no user information had been compromised by the hack. "We will continue to work with law enforcement to ensure that the person who unlawfully accessed our domain registry in 2009 is held accountable for their actions," the company said.

ODesk isn't the only company to have had its domain name account hacked. Last year, a group calling itself the Iranian Cyber Army took over similar accounts belonging to Baidu and Twitter. These type of attacks can cause big problems for victim companies. Once hackers take over domain name accounts they can reroute Web traffic and e-mail to servers under their control.

Since 2009, domain name registrars have stepped up their security in hopes of making these attacks more difficult.

A warrant has been issued for Bendale's arrest and U.S. authorities "will be seeking his extradition," according to U.S. Department of Justice spokesman Joshua Eaton.

MyDomain.com did not return messages seeking comment for this story on Friday. News of the incident was first reported Thursday by the San Jose Mercury News.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cybercrimeinternetlegalU.S. Department of JusticeInternet-based applications and servicesoDesk

More about Department of JusticeEatonEatonIDGMercury Group

Show Comments
[]