March 15, 2013

It’s not often that one has the opportunity to be the target of a cyber and kinetic attack at the same time. But that is exactly what’s happened to me and my Web site over the past 24 hours. On Thursday afternoon, my site was the target of a fairly massive denial of service attack. That attack was punctuated by a visit from a heavily armed local police unit that was tricked into responding to a 911 call spoofed to look like it came from my home.

Well, as one gamer enthusiast who follows me on Twitter remarked, I guess I’ve now “unlocked that level.”

Things began to get interesting early Thursday afternoon, when a technician from Prolexic, a company which protects Web sites (including KrebsOnSecurity.com) from denial-of-service attacks, forwarded a strange letter they’d received earlier in the day that appeared to have been sent from the FBI. The letter, a copy of which is reprinted in its entirety here, falsely stated that my site was hosting illegal content, profiting from cybercriminal activity, and that it should be shut down. Prolexic considered it a hoax, but forwarded it anyway. I similarly had no doubt it was a fake, and a short phone call to the FBI confirmed that fact.

Around the same time, my site came under a series of denial-of-service attacks, briefly knocking it offline. While Prolexic technicians worked to filter the attack traffic, I got busy tidying up the house (since we were expecting company for dinner). I heard the phone ring up in the office while I was downstairs vacuuming the living room and made a mental note to check my voicemail later. Vacuuming the rug near the front door, I noticed that some clear plastic tape I’d used to secure an extension cord for some outdoor lights was still straddling the threshold of the front door.

Fairfax County Police outside my home on 3/14/13

Fairfax County Police outside my home on 3/14/13

When I opened the door to peel the rest of the tape off, I heard someone yell, “Don’t move! Put your hands in the air.” Glancing up from my squat, I saw a Fairfax County Police officer leaning over the trunk of a squad car, both arms extended and pointing a handgun at me. As I very slowly turned my head to the left, I observed about a half-dozen other squad cars, lights flashing, and more officers pointing firearms in my direction, including a shotgun and a semi-automatic rifle. I was instructed to face the house, back down my front steps and walk backwards into the adjoining parking area, after which point I was handcuffed and walked up to the top of the street.

I informed the responding officers that this was a hoax, and that I’d even warned them in advance of this possibility. In August 2012, I filed a report with Fairfax County Police after receiving non-specific threats. The threats came directly after I wrote about a service called absoboot.com, which is a service that can be hired to knock Web sites offline.

One of the reasons that I opted to file the report was because I knew some of the young hackers who frequented the forum on which this service was advertised had discussed SWATting someone as a way of exacting revenge or merely having fun at the target’s expense. To my surprise, the officer who took my report said he had never heard of the phenomenon, but promised to read up on it.

One of the officers asked if it was okay to enter my house, and I said sure. Then an officer who was dressed more like a supervisor approached me and asked if I was the guy who had filed a police report about this eventuality about six months earlier. When I responded in the affirmative, he spoke into his handheld radio, and the police began stowing their rifles and the cuffs were removed from my wrists. He explained that they’d tried to call me on the phone number that had called them (my mobile), but that there was no answer. He apologized for the inconvenience, and said they were only doing their jobs. I told him no hard feelings. He told me that the problem of SWATting started on the West Coast and has been slowly making its way east.

The cop that took the report from me after the incident said someone had called 911 using a Caller ID number that matched my mobile phone number; the caller claimed to be me, reporting that Russians had broken into the home and shot my wife. Obviously, this was not the case, and nobody was harmed during the SWATing.

Update, Apr. 29, 2013: As I noted halfway through this follow-up post, the police officer was misinformed: The 911 call was actually made via instant message chats using a relay service designed for hearing impaired and deaf callers, *not* via a spoofed mobile phone call.

Original story:

It’s difficult to believe the phony FBI letter that Prolexic received, the denial-of-service attack, and the SWATting were somehow the work of different individuals upset over something I’ve written. The letter to Prolexic made no fewer than five references to a story I published earlier this week about sssdob.ru, a site advertised in the cybercrime underground that sells access to Social Security numbers and credit reports. That story was prompted by news media attention to exposed.su, a site that has been posting what appear to be Social Security numbers, previous addresses and other information on highly public figures, including First Lady Michelle Obama and the director of the FBI.

Interestingly, there are strong indications that a site named booter.tw may have been involved in the denial-of-service attack on my site yesterday. For some bone-headed reason, the entire customer database file for booter.tw appears to be available for download if you happen to the know the link to the archive. A search through that record shows that on Thursday afternoon Eastern Time, someone paid booter.tw to launch a series of denial-of-service attacks against my Web site. The account that paid for the attack used the nickname “Starfall,” using the email address “starfall@gmail.com.”

Update, Mar. 16, 8:09 a.m. ET: It seems that I and several other folks who looked at the SQL file from booter.tw made the same mistake in misreading the table: The account that ordered the DDoS against KrebsOnSecurity.com was not Starfall but instead one that used the nickname “countonme,” and the email address “countonme@gmail.com.”

A screen grab of booter.tw

A screen grab of booter.tw

Thursday morning, Dan Goodin, a good friend and colleague at Ars Technica, published a story about my ordeal after a late night phone interview. Shortly thereafter, Ars Technica found itself on the receiving end of a nearly identical attack that was launched against my site on Thursday. Turns out, the records at booter.tw show clearly that a customer named “countonme” using that same Gmail address also paid for an attack on Arstechnica.com, beginning at approximately 11:54 a.m. ET. A snippet of the logs from booter.tw showing the attack on Ars Technica.com (a.k.a. ‘http://50.31.151.33‘ in the logs) is here.

According to Eric Bangeman, Ars Technica’s managing editor, their site was indeed attacked starting earlier this morning with a denial-of-service flood that briefly knocked the site offline.

“We’ve been up and down all morning, and the [content management system] was basically inaccessible for 2 hours,” Bangeman said, adding that he wasn’t aware of an attack of similar size that knocked the site offline. “If it did, it wasn’t enough to be registering in my memory, and I’ve been around for 10 years.”

I have seen many young hackers discussing SWATing attacks as equivalent to calling in a bomb threat to get out of taking exams in high school or college. Unfortunately, calling in a bomb threat is nowhere near as dangerous as sending a SWAT team or some equivalent force to raid someone’s residence. This type of individual prank puts peoples’ lives at risk, wastes huge amounts of taxpayer dollars, and draws otherwise scarce resources away from real emergencies. What’s more, there are a lot of folks who will confront armed force with armed force, all with the intention of self-defense.

The local police departments of the United States are ill-equipped to do much to stop these sorts of attacks. I would like to see federal recognition of a task force or some kind of concerted response to these potentially deadly pranks. Hopefully, authorities can drive the message home that perpetrating these hoaxes on another will bring severe penalties. Who knows: Perhaps some of the data uncovered in this blog post and in future posts here will result in the legal SWATing of those responsible.

This is a fast-moving and ongoing story. I will most likely update this post or file a follow-up sometime in the next 24-48 hours as more details and events unfold. Thanks to all those readers who’ve expressed concern for my safety and well-being via emails, Twitter and the blog: Your support and encouragement means a great deal. And a special note of thanks to security expert Lance James for his assistance in poring over the booter.tw logs.


199 thoughts on “The World Has No Room For Cowards

  1. Goran Froderberg

    Writing to You from Sweden, where we are at economic cyber-war, depending on Telia-Sonera initiated and funded, worthless security systems! The ‘Babylon’ virus, that was planted, 2011-01-31, as a recommended uppdating, for Windows Explorer and Microsoft Vista
    and Windows 7! Went into ‘attac’ mode 2011-09-08, time
    12.12, and robbed bank-customers of millions! I designed
    counter measures, each time, the terrorists altered, Adere Modem Systems. Now I blew the 7 version apart,
    with a cyber-grenade, from my 103 C REMO tank!
    With regards: Goran Froderberg Genlt/M.Sc.
    HKV:MUST Sweden

  2. Goran Froderberg

    So, I congratulate You, on Your courageous work, and that the Lord will continue to watch over You and Your
    near and dear ones!
    From an ice-cold Sweden: Greetings Goran

  3. Troy

    Glad you and the family are ok, sir! Wow… the world has no room for cowards… good lord, you are doing some good work! Thanks again and God bless.

  4. Debbie Kearns

    I had no idea that these hackers manipulated the FBI into attempting to arrest you for fraud while at the same time trying to shut down your website and Ars Technica’s website for posting the truth about you. I appreciate your valiant efforts, and I thank you, Brian Krebs. God bless you. 🙂

      1. EJ

        I believe Debbie is referring to the FBI hoax letter, in which case she has her facts straight.

        1. Professor Plum

          Letter or not, The FBI was not manipulated in any way.

  5. TaskForce717

    Brian you reached out and hit someone’s nerve again keep the great work up bro . Sooner or later the bad guys will get caught . Stay in touch 🙂 .

    1. Starfall

      “Sooner or later” is usually sooner. These kinds of guys typically are not smart and are just using (as in this case) tools provided by others.

      countonme = definition of skid

      1. Fr3d J0n3s

        Says the person who enlisted the “tools provided by others”?

        Pot. Kettle. Black, andy?

  6. scamFRAUDalert

    Brian,

    We can relate to your ordeal. These thugs have decided to employ every available arsenals against anyone who reports on their activities in order to intimidate them.

    Expect to be hit with some bogus lawsuits that is if you have not yet been sued.

    Keep up the good work.

    1. Steve Alfred

      laughable – I google your name. You are a scam!! You are really Archie Richardson. I see you all over the internet like RipffReport.

      Get off the internet you loser!

  7. CooloutAC

    WOW, thats right they can’t scare you. I hope they catch these guys. Its great that you are exposing what so many people go through all the time. That people in authority, even in this day and age, don’t believe actually happen because they dont’ hear about it happening except in science fiction movies.

    You the man.

  8. peter

    A fundamental problem here is that your caller ID can be so readily spoofed.

    Tightening up caller ID should be one of the first things that the FCC requires of all phone carriers.

    1. Dagobert

      hi….

      how can individuals spoof caller ids in public phone networks and use them to call anyone? are there any information on this topic available?

      thanks in advance, dago

      1. DF

        Shouldn’t your question be “How can I prevent/mitigate someone from spoofing my caller id?” Otherwise it seems you are just asking “How can I SWAT someone?”

        1. Dago

          @Brian: preventing was in my mind, but to prevent you need to know how it works, right? so i’m absolutley not interessted in SWATing someone. I’m stunning about the fact that a caller id can be faked and I’m interested in the technical background. So don’t front me, I have no evil intentions.

          1. SeymourB

            I once interviewed for a job at a company who routinely changed their caller id to read “Ford Motorsport,” “General Motors,” as well as other automotive manufacturers since they thought it was more likely people would pick up the phone. Nothing like having automotive retiree parents getting alarmed because a third party is calling in their ex-employer’s name.

            There really should be penalties for even minor spoofing of Caller ID (like that company), and some security implemented to allow authorities to trace back to the actual perpetrator of the faked call.

            1. Alo

              Sadly, it’s all too easy to spoof caller ID. Most of the spoofing services provided have a T1 PRI connected to a Telco and use Asterisk to modify the contents of the ISUP message. This won’t affect the call since the actual voice is carried lower in the SS7 protocol stack.

  9. Reow

    Nobody would be stupid enough to do all three of these things to you – they’re just leaving too much of a trail. It’ll be a competition between script kiddies to see who can screw you the best. Whoever SWATted you just won thanks to you publishing this.

    1. JCitzen

      Bull shit! Public exposure will always shed light on the rats in the shadows, who always run upon exposure! We will find crust like you and put you down – mark my words @ss hole!

    2. AlphaCentauri

      Someday we’ll be at the point where the best response may be to not provide them any publicity, but not at this point. There are still too many people who don’t know what SWATting is. Articles like this may save the life of some other victim who finds armed police outside his door, if the police and victim both know about this practice and come to the situation with some skepticism. The initial contacts are very tense moments for all involved, and can quickly escalate even in cases of mistaken identity:
      http://en.wikipedia.org/wiki/Amadou_Diallo_shooting

    3. AlphaCentauri

      Also, a lot of the people Brian exposes are only concerned about his affect on their income stream. They believe themselves beyond the reach of any law enforcement entity that would care what they do to a Westerner.

  10. saucymugwump

    First and most important, it is good to hear that no one was hurt and that the police realized their mistake after only ten minutes.

    Anyone who actually read the “FBI” letter would understand that it was written by someone with no knowledge of the law and/or law enforcement. The portion “we are authorized to get a warrant” is pure geekster, as the first anyone would know that the FBI has obtained a warrant is when they appeared outside your door. The portion “I further declare under penalty of perjury” is not something a law enforcement officer would write in this context. An FBI agent would not spell “patriot Act” without a capital ‘P’. And where’s the title, e.g. Special Agent, for “Richard Miller”?

    Keep up the good work. The world’s losers are bothered by it.

  11. Doc

    Time for a new cellphone number, w/ no forwarding… 🙂

  12. d3ad0ne

    An interesting note about the countonme@gmail.com email address is that if you do the password recovery option on it it has another email tied to it ” m•••••••••••••a@gmail.com” since each “•” is single character it may be safe to assume that this is the persons actual first/last name.

    Also the sha256 hash used to register on the booter.tw “e8dc6863dfd3872801be5f3798fbb64eeff86c56fc21f5bde8abd01c24b2b132” is “countonme”.

  13. Jon

    Brian,
    You are a real trooper for withstanding the onslaught. Sounds like a movie script in the making.
    Jon

  14. Jon

    Brian,

    Can’t the police trace back the 911 call?

    Jon

    1. saucymugwump

      Tracing was so much easier pre-divestiture (1984) when the entire U.S. telephone network was one big company. Now it is a hodgepodge of cellular, Internet, landline, and who knows what else.

      Caller ID presents a real problem for our distributed telephone system, as one company cannot determine the validity of what another company is sending it.

  15. Nicole Beamer

    I can only imagine how frightening that must have been! Is this where we are headed in cyber crime? Cyber attacks that can lead to potential physical attact by a 3rd party [SWAT team, ect. though not their fault], but this scares me as it can happen to anyone.
    The threats have obviously gone up a very large notch and I am sorry you had to experience this in response to all that you do to help the public prevent online invasion.

    Maybe the police should start a task force to combat this new problem as it doesn’t sound like it is going to go away.

  16. Eric

    The Ars article did not make it clear that they called your mobile number. I’ll admit that detail surprised me a little bit.

    Don’t most municipalities have the ability to triangulate cell phone activity? Or can that data also be spoofed?

    1. Andrew

      “Don’t most municipalities have the ability to triangulate cell phone activity?”

      FWIW when the call is legitimate – violent crimes are in progress and the caller is in immediate danger – waiting for the boss to authorize the cost of the service and then for the guy who does it to get off lunch break isn’t really appropriate.

    2. JCitizen

      In many locals, even land line 911 calls are converted to packetized data using SIP(protocol) to VOIP, so the E-911 service can provide location information. In our area the LEO has the location data already in the dispatchers computer data base for land lines numbers. I would think the dispatcher would see contrary data, as I believe all cell phones or any E-911 call, reports the actual location – but the dispatcher might forget to cross-reference to reported location – if the number was believed to be from a land line. Perhaps a flag needs to be introduced to attract the operator’s eye to contrary information. But that would be another expensive retrofit to the Homeland Security model in our area, which I’m more familiar with.

      1. Alo

        If the calling party number is spoofed, then the E911 would display whatever the location associated with the faked number is. So this wouldn’t have prevented the problem.

        1. JCitizen

          Now that I read your previous comments, I can see why.

          The incident I was involved with was from a different kind of source, where a jail broke cell phone with a program downloaded from the internet provided the fake information.

          Maybe it uses the same technique, but at least my phone records showed that I indeed did not make the harassing calls from my land line.

          1. Alo

            Yeah, cellphones are much easier to track since that’s part of the underlying architecture of mobility management. I’ve only worked on GSM networks, but it’s roughly the same principle for CDMA.

            So, the E911 service hooked into a cellphone provider’s network is able to give much more accurate location data, even more so if the handset is E911 capable as well. And all of this works on the control plane which the user cannot modify normally. Disposable cell phones are one way to circumvent this, but spoofing the caller ID can’t be done as readily as with regular landline networks, and even if it’s done, it can still be traced to a particular handset and SIM card.

            1. JCitizen

              I do know that just a few years ago our local LEO built a local data base for everyone in the county that would show up automatically on the address with phone number. This was locally setup on the dispatcher computer. So as long as the computer thought it was a landline number, it would display the address automatically. However, I don’t know if those same POTs based numbers would show any E-911 service data, or if they switched over to it last year, as I have not talked to my LEO buddies about this lately. We mostly get in conversations about weapons – LOL!

  17. M'sGranny

    All my calls to 410-265-8080 ( suppose to FBI’s Baltimore filed Office). After given them everything I found of the Washington DC Bangladeshi ID and Mortgage theft Ring….. I gave them their email id, phone number, fake busniess name, even sent them my PI’s report !! including fake credit report, fake w2 form ADP, pay stub, charles shwab account summery, HGS Inc Fake pay stub……

    I found out in Sep 2012 that, the lady has been speaking to me as a duty agent of FBI, is ” Meriner Financial Inc, of Navada.” !!!

    My roommates changed her phone number 5 times in 2 months, and 4 different carrier, until she realized it is the same woman, answer the phone. A Ethopian/Philypino woman and the man is must be phylipino/vietnam. I have saved their voice mail.

    I could not pull DOJ webpage from Frederick County Court House Computer, my library card will always print double, and I will only recieved a print.

    Today, I called my attorney, and va-state bar to verify emails. I sent again, the same address as she was reading. The email did not go to them.

    All I did , attached this news form Post, and DOD recent arrest of a phone hacker !!!

    Which America I am living?

  18. M'sGranny

    I just read the FBi fake letter. I think you got attacked by the same people chasing me since I found them in Feb 2011..

    O My Gosh!! Please be aware of the LONDON ID, will email you more detail.

    The Hacker use California phone number that, she/he is abusniess resides in British Colombia , Canada, and a British Citizen, USA Health Care Investor.. woner of “Skilled Nursing Facilities” of LA, business does ot exit.

    The telephone business name is ” Inspire Mobile” from T-mobile..

  19. Sec Buff

    Brian,

    Glad you are safe. I hope the b*stards are found and flogged, as a public example, for endangering innocent life. This is a serious problem and political leaders are, as usual, AWOL.

  20. Selena

    Reading your article like reading and watching an action story.
    And… Glad you are safe now.

  21. Dan

    I’m surprised 911 services don’t use ANI instead of CID for number verification purposes. As already pointed out, CID is spoofable (client reported) where ANI is added by teleco equipment. My understanding of ANI is a bit limited, it may still be spoofable, but on the surface seems more reliable.

    1. JCitizen

      Good point. I obviously have a lot to learn about this aspect of INFOSEC.

  22. Michael Scheidell

    On the subject above about called id, I also feel that this is an abuse of technology that needs to be addresses. A previous company I worked at was a victim of caller id fraud. Not as dramatic as the swat team showing up, but it was an outbound ‘You visa number was compromised, call this toll free number’ type robo call.

    Seems the robo callers found out that you get more calls back when you use a legit phone number, than ‘unknown’.

    There needs to be laws put into place, and telco’s, clec’s and providers need to be made to enforce the rules with technology, however, there are real legit reasons to ‘forge’ a called it.

    If you are a large company and have several outbound providers, or hundreds of lines, you might want to use your main number as your outbound line.

    If I have google voice, skype number, cell phone number, and a company DID, I might want to be able to dial out of my cell/google/skype or cell using my company DID.

    If a company is doing outbound calling for, or on behalf of a partner, they need to be able to use the partner companies number as their caller id (again, you get more answers if the person you call recognizes the number).

    Still, this is a hole in the laws that needs to be addressed.

    If you have sip (viop) software on your smart phone or computer, you can sign up at almost any voip provider and specify your outbound caller id.

    For as little as .99 a month, and 1 cent a min, you call make outbound calls from the local police department, the fbi, the whitehouse, (or brian krebs!).

    Brian? are you going to be heading to the whitehouse soon to testify to congress ? 🙂

  23. Reliable Carder

    I am glad they did this to you. Leave the underground business alone. No one likes you fucking with them all the time. You are a big bully.

    1. saucymugwump

      “No one likes you fucking with them all the time. ”

      Here we have another little boy who thinks the entire world is filled with people just like him. If you bother to read the comments here, you will discover that the vast majority of people support Krebs and appreciate what he is doing to shed some light on bottom-feeders like you.

  24. Mark Collier

    It is so easy now to spoof calling number (a better term than caller ID). There are so many free, easy, anonymous ways to do this. You just can’t depend on the calling number to be authentic.

  25. Jess

    “The local police departments of the United States are ill-equipped to do much to stop these sorts of attacks.”

    I have to disagree here. SWAT is dangerous to those who are SWATted because SWAT is dangerous, period. The American public, and American police, both would be much safer and better-served without the idiotic practices that SWAT encourages. In fact in this case it seems the police were actually pretty sensible; it’s hard to reconcile this picture with most people’s experience of SWAT: 5AM pot raids that destroy property and pets while terrorizing families and trampling civil liberties.

Comments are closed.