E-commerce Firm 2Checkout Reports DDoS Extortion Attack

E-commerce firm 2Checkout, which processes credit card payments for online merchants, says it has been hit with a distributed denial of service ((DDoS) attack after it rebuffed an extortion attempt. The 2Checkout site experienced rolling outages from the attack, which began on April 9 and was still ongoing as of April 16, according to a statement on the company's web site.

"2Checkout continues to fight an extortion based ('Pay us or else we will continue to attack') DDOS attack," the company said earlier this week. "We apologize for any service interruptions. Rest assured that our full staff in addition to some consultants are working relentlessly in conjunction with our providers to combat and minimize any effects of the attack."

2Checkout is widely used by small web hosting companies, especially resellers who need to accept credit cards but don't have their own merchant account. The Columbus, Ohio company's turnkey order processing system allows customers to open online stores for a $49 setup fee and a percentage of each charge, and pays merchants twice a month. 2Checkout says it processed more than $100 million in transactions in 2003, and more than $53 million thus far this year.

The DDoS at 2Checkout follows a string of attacks on UK-based online gambling sites. Several online casinos have admitted making payments to cyber-extortionists. Some who have refused to pay, including the Irish bookmaker Paddy Power, say their operations were subsequently disrupted by DDoS attacks.

2Checkout was being hosted by Time Warner Telecom when the attack commenced, but has since shifted to a dedicated server at SBCHost (Ameritech Electronic Commerce). "We believe we have this under control at this time," the company said in an April 16 update.