March 15, 2013

It’s not often that one has the opportunity to be the target of a cyber and kinetic attack at the same time. But that is exactly what’s happened to me and my Web site over the past 24 hours. On Thursday afternoon, my site was the target of a fairly massive denial of service attack. That attack was punctuated by a visit from a heavily armed local police unit that was tricked into responding to a 911 call spoofed to look like it came from my home.

Well, as one gamer enthusiast who follows me on Twitter remarked, I guess I’ve now “unlocked that level.”

Things began to get interesting early Thursday afternoon, when a technician from Prolexic, a company which protects Web sites (including KrebsOnSecurity.com) from denial-of-service attacks, forwarded a strange letter they’d received earlier in the day that appeared to have been sent from the FBI. The letter, a copy of which is reprinted in its entirety here, falsely stated that my site was hosting illegal content, profiting from cybercriminal activity, and that it should be shut down. Prolexic considered it a hoax, but forwarded it anyway. I similarly had no doubt it was a fake, and a short phone call to the FBI confirmed that fact.

Around the same time, my site came under a series of denial-of-service attacks, briefly knocking it offline. While Prolexic technicians worked to filter the attack traffic, I got busy tidying up the house (since we were expecting company for dinner). I heard the phone ring up in the office while I was downstairs vacuuming the living room and made a mental note to check my voicemail later. Vacuuming the rug near the front door, I noticed that some clear plastic tape I’d used to secure an extension cord for some outdoor lights was still straddling the threshold of the front door.

Fairfax County Police outside my home on 3/14/13


When I opened the door to peel the rest of the tape off, I heard someone yell, “Don’t move! Put your hands in the air.” Glancing up from my squat, I saw a Fairfax County Police officer leaning over the trunk of a squad car, both arms extended and pointing a handgun at me. As I very slowly turned my head to the left, I observed about a half-dozen other squad cars, lights flashing, and more officers pointing firearms in my direction, including a shotgun and a semi-automatic rifle. I was instructed to face the house, back down my front steps and walk backwards into the adjoining parking area, after which point I was handcuffed and walked up to the top of the street.

I informed the responding officers that this was a hoax, and that I’d even warned them in advance of this possibility. In August 2012, I filed a report with Fairfax County Police after receiving non-specific threats. The threats came directly after I wrote about a service called absoboot.com, which is a service that can be hired to knock Web sites offline.

One of the reasons that I opted to file the report was because I knew some of the young hackers who frequented the forum on which this service was advertised had discussed SWATting someone as a way of exacting revenge or merely having fun at the target’s expense. To my surprise, the officer who took my report said he had never heard of the phenomenon, but promised to read up on it.

One of the officers asked if it was okay to enter my house, and I said sure. Then an officer who was dressed more like a supervisor approached me and asked if I was the guy who had filed a police report about this eventuality about six months earlier. When I responded in the affirmative, he spoke into his handheld radio, and the police began stowing their rifles and the cuffs were removed from my wrists. He explained that they’d tried to call me on the phone number that had called them (my mobile), but that there was no answer. He apologized for the inconvenience, and said they were only doing their jobs. I told him no hard feelings. He told me that the problem of SWATting started on the West Coast and has been slowly making its way east.

The officer who took the report from me after the incident said someone had called 911 using a Caller ID number that matched my mobile phone number; the caller claimed to be me, reporting that Russians had broken into the home and shot my wife. Obviously, this was not the case, and nobody was harmed during the SWATting.

Update, Apr. 29, 2013: As I noted halfway through this follow-up post, the police officer was misinformed: The 911 call was actually made via instant message chats using a relay service designed for hearing impaired and deaf callers, *not* via a spoofed mobile phone call.

Original story:

It’s difficult to believe the phony FBI letter that Prolexic received, the denial-of-service attack, and the SWATting were somehow the work of different individuals upset over something I’ve written. The letter to Prolexic made no fewer than five references to a story I published earlier this week about sssdob.ru, a site advertised in the cybercrime underground that sells access to Social Security numbers and credit reports. That story was prompted by news media attention to exposed.su, a site that has been posting what appear to be Social Security numbers, previous addresses and other information on highly public figures, including First Lady Michelle Obama and the director of the FBI.

Interestingly, there are strong indications that a site named booter.tw may have been involved in the denial-of-service attack on my site yesterday. For some bone-headed reason, the entire customer database file for booter.tw appears to be available for download if you happen to know the link to the archive. A search through those records shows that on Thursday afternoon Eastern Time, someone paid booter.tw to launch a series of denial-of-service attacks against my Web site. The account that paid for the attack used the nickname “Starfall,” using the email address “starfall@gmail.com.”

Update, Mar. 16, 8:09 a.m. ET: It seems that I and several other folks who looked at the SQL file from booter.tw made the same mistake in misreading the table: The account that ordered the DDoS against KrebsOnSecurity.com was not Starfall but instead one that used the nickname “countonme,” and the email address “countonme@gmail.com.”
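The misreading described in the update above is a common one when working from a raw SQL dump: the attacks table refers to customers by a user id, and it is easy to read that number as a row position or registration number in the users table instead of as a key. The following is an added example, not code from the original post and not anything taken from booter.tw; the table layout, column names and every row in it are constructed for illustration, with the registration number and user id deliberately out of step so that the two lookups disagree. It loads the constructed dump into SQLite and shows the wrong lookup next to the correct join.

```python
"""Attribute orders in a leaked booter database to the right account.

Added example with constructed data; nothing here comes from a real dump.
"""
import sqlite3
from datetime import datetime, timezone

# Constructed schema: a minimal stand-in for a booter panel's users and
# attacks tables. reg_no models the sequential "registration" number that a
# dump's row order suggests; user_id is the key the attacks table references.
SCHEMA = """
CREATE TABLE users (
    reg_no   INTEGER NOT NULL,
    user_id  INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    email    TEXT NOT NULL
);
CREATE TABLE attacks (
    attack_id INTEGER PRIMARY KEY,
    user_id   INTEGER NOT NULL REFERENCES users(user_id),
    target    TEXT NOT NULL,
    started   INTEGER NOT NULL,   -- unix epoch, seconds
    duration  INTEGER NOT NULL    -- seconds
);
"""

# Constructed rows (not from any real dump). reg_no 126 belongs to one
# account while user_id 126 belongs to another, which is exactly the trap.
DUMP = """
INSERT INTO users VALUES (126, 186, 'starfall',  'starfall@example.invalid');
INSERT INTO users VALUES (98,  126, 'countonme', 'countonme@example.invalid');
INSERT INTO users VALUES (200, 309, 'vanity',    'vanity@example.invalid');
INSERT INTO attacks VALUES (1, 126, 'http://krebsonsecurity.com', 1363284000, 3600);
INSERT INTO attacks VALUES (2, 126, 'http://50.31.151.33',        1363362840, 3600);
INSERT INTO attacks VALUES (3, 309, 'macs.xboxlive.com',          1363300000, 600);
"""


def load_dump(dump_sql: str = DUMP) -> sqlite3.Connection:
    """Load the schema and a dump's INSERT statements into in-memory SQLite."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executescript(dump_sql)
    return con


def misread_attribution(con: sqlite3.Connection, target: str):
    """The mistake: use attacks.user_id as a registration/row number in the
    users table instead of as a foreign key. Returns the wrong nickname."""
    uid = con.execute(
        "SELECT user_id FROM attacks WHERE target = ?", (target,)
    ).fetchone()[0]
    row = con.execute(
        "SELECT username FROM users WHERE reg_no = ?", (uid,)
    ).fetchone()
    return row[0] if row else None


def orders_for_target(con: sqlite3.Connection, target: str):
    """Correct attribution: join attacks to users on user_id and report
    who paid, from which address, and when (UTC)."""
    rows = con.execute(
        """
        SELECT u.username, u.email, a.started, a.duration
        FROM attacks AS a
        JOIN users AS u ON u.user_id = a.user_id
        WHERE a.target = ?
        ORDER BY a.started
        """,
        (target,),
    ).fetchall()
    return [
        {
            "username": name,
            "email": email,
            "started_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "duration_s": dur,
        }
        for name, email, ts, dur in rows
    ]


def targets_for_user(con: sqlite3.Connection, username: str):
    """Every target one account paid to hit, in time order, to check whether
    the same customer ordered attacks on more than one site."""
    return [
        r[0]
        for r in con.execute(
            """
            SELECT a.target FROM attacks AS a
            JOIN users AS u ON u.user_id = a.user_id
            WHERE u.username = ?
            ORDER BY a.started
            """,
            (username,),
        )
    ]


if __name__ == "__main__":
    db = load_dump()
    print("row-position lookup:", misread_attribution(db, "http://krebsonsecurity.com"))
    print("joined on user_id:  ", orders_for_target(db, "http://krebsonsecurity.com"))
    print("same customer also hit:", targets_for_user(db, "countonme"))
```

The row-position lookup names one account and the join names another; only the join is right, because nothing in a dump guarantees that row order, registration order and primary key agree. When reading a real dump, check which column the attacks table actually references before attributing anything.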

A screen grab of booter.tw


Thursday morning, Dan Goodin, a good friend and colleague at Ars Technica, published a story about my ordeal after a late night phone interview. Shortly thereafter, Ars Technica found itself on the receiving end of an attack nearly identical to the one launched against my site on Thursday. Turns out, the records at booter.tw show clearly that a customer named “countonme” using that same Gmail address also paid for an attack on Arstechnica.com, beginning at approximately 11:54 a.m. ET. A snippet of the logs from booter.tw showing the attack on Arstechnica.com (a.k.a. ‘http://50.31.151.33‘ in the logs) is here.

According to Eric Bangeman, Ars Technica’s managing editor, their site was indeed attacked starting earlier this morning with a denial-of-service flood that briefly knocked the site offline.

“We’ve been up and down all morning, and the [content management system] was basically inaccessible for 2 hours,” Bangeman said, adding that he wasn’t aware of an attack of similar size that knocked the site offline. “If it did, it wasn’t enough to be registering in my memory, and I’ve been around for 10 years.”

I have seen many young hackers discussing SWATting attacks as equivalent to calling in a bomb threat to get out of taking exams in high school or college. Unfortunately, calling in a bomb threat is nowhere near as dangerous as sending a SWAT team or some equivalent force to raid someone’s residence. This type of individual prank puts people’s lives at risk, wastes huge amounts of taxpayer dollars, and draws otherwise scarce resources away from real emergencies. What’s more, there are a lot of folks who will confront armed force with armed force, all with the intention of self-defense.

The local police departments of the United States are ill-equipped to do much to stop these sorts of attacks. I would like to see federal recognition of a task force or some kind of concerted response to these potentially deadly pranks. Hopefully, authorities can drive the message home that perpetrating these hoaxes on others will bring severe penalties. Who knows: Perhaps some of the data uncovered in this blog post and in future posts here will result in the legal SWATting of those responsible.

This is a fast-moving and ongoing story. I will most likely update this post or file a follow-up sometime in the next 24-48 hours as more details and events unfold. Thanks to all those readers who’ve expressed concern for my safety and well-being via emails, Twitter and the blog: Your support and encouragement means a great deal. And a special note of thanks to security expert Lance James for his assistance in poring over the booter.tw logs.


199 thoughts on “The World Has No Room For Cowards”

  1. David

    Sounds like tactics of Brett Kimberlin and Neal Raushauser but I’m sure there are others.

  2. Tom

    Brian,

    It’s easy for me to say, but keep up the good work. You’re playing the role of John McClain in this particular battle.

  3. john senchak

    Amazing story , damn the Russian miscreants

    1. JCitizen

      I’m not ready to point the finger at any source yet; but I think Brian deserves some kind of award from Congress on his gallant service to the community! Maybe they could come out with a CYBER WARRIOR medal?

      (I hope this doesn’t post twice, I lost my previous post)

  4. bh

    That .sql dump is crazy interesting. Nice countermove, throwing that in there. Lots of people digging out some rainbow tables right now …

  5. Sander Demeester

    Brian,

    This story is amazing, when things from the digital world come creeping out of the internet tubes into your real life ..

    Keep up the great work and good luck!!

  6. John Brasher

    You must be doing a very good job, Brian, otherwise they would ignore you.

    Keep up the good work 🙂

    jb

  7. Darryl Gittins

    Incredible story. It’s a reminder of the risks that people like Brian Krebs take in their security-related work on behalf of all of us. So many people benefit without any knowledge of what happens behind the scenes to keep them safe.

    Thanks for doing what you do.

  8. Mark

    Scamdex got a week-long dDos attack back in mid-December that only stopped when I took down a scam tip at the request of some Russian – here is his message:

    “Remove the following thread: http://www.scamdex.com/ScamTipReports/6080 or we will erase you from the internet. You have until 10am.
    From Russia with love.”

    gotta love those guys!

  9. Good Guy

    What a funny story. Laughing my pants off. )))
    Life is sh*t, Brian.
    Imagine one day they will hack some kind of a LASER from outer space (like in a James Bond movie) and it will destroy your house and your car just like that with a click of a mouse. Scary, but I’m afraid it is possible.

    Enjoy the ride .

  10. Ryan C

    Got the wrong name there. The user who was attacking krebsonsecurity.com was actually user id 126 (not registration id 126, which is Starfall; Starfall's uid is 186)
    (126, '069059b7ef840f0c74a814ec9237b6ec', 'countonme', 'e8dc6863dfd3872801be5f3798fbb64eeff86c56fc21f5bde8abd01c24b2b132', 1, 1374469200, 7200, 3, '72.196.218.2', 'http://i.imgur.com/flenQrv.jpg', 'false', '126.11.70.151', 'countonme@gmail.com', 1, 'zjj8o8bb', 1363305665, '', 0),

    ^ That’d be the DB entry on the attacker.

  11. Carol

    One heck of a way to ruin ‘a small dinner party’!

    Continue your great work. And (please) stay safe.

  12. Ryan C

    Why is your comment form prefilled with this name and address?

    1. Ryan C

      Because you clicked my link on IRC where I left the #comment-162269 part on it.

  13. b00nd0x

    “No one pelts stones at trees that bear no fruit…”

    Glad you’re OK.

    Thanks for being our Tron… fighting for the users.

  14. njp

    Hi Brian,
    I am a long time reader, and I appreciate the value you provide to our community. I feel I should share one piece of advice with you. I don’t claim mastery of either, but am committed and dedicated to both the world of IT Security/Risk Management and Personal Defense with related counseling.

    Please be careful in the speed and details of what you share. You may not see and understand all the risk you are exposed to right now. I know it is your profession and passion to highlight and share details in these matters, crowd source, and investigate… but when a threat to you and your family comes into play, the rules change.

    This attack may not be over and you might consider sitting on it for a while. The details will never change, you can always share with us later.

    Best.

  15. bbrown

    Looks like a clear signal that you are doing something right. Keep it up, for every sleaze-bag that threatens you there are a hundred of us thankful and supportive of your efforts.

  16. Bob

    I knew there was a reason I keep my cell phone on my person at all times except when I’m showering or in bed, but I don’t think this is it:-)

    As someone else posted, you must be having an impact to get SWATed. I’m glad things didn’t get more involved than they did.

  17. Jack

    Brian,

    Honestly, if you play with fire you will eventually get burned.

    You make a mockery of numerous bad guys that operate in the underground out of public view. You report on them. You ruin their business model. They often times get kicked out of private forums because you report on them. You are taking away their money by reporting on them and painting a target on their back for law enforcement to arrest them or private industry to sue them.

    What do you expect to happen when you publicly out badguys and their underground dealings? Do you expect them to send you a thank you note and some ice cream?

    If this is the worst thing that happens to you based on what you do, consider yourself lucky. There isn’t much difference between what you do and that idiot from HBGary that announced to the world that he identified the leadership of Anonymous.

  18. d

    Brian, when you don’t post for a day or two, I always wonder what story you are working on. Wow, I never expected you to be THE story. In addition to your camera, you probably need to enact some additional security measures.

    Don’t let ’em stop you from shining the light on them!

  19. Titanic

    Don’t let the bad guys intimidate you, Brian. You’re doing something important, and this just shows they’re either pissed or scared of you, or both. Heck, if you can eventually prove that it was folks over in Russia or one of the other “hotspots” for this stuff, maybe the FBI *will* actually be involved… 😉

  20. JohnP

    Perhaps if the phone companies actually made CallerID work without any spoofing possible, that would be a start too?

    Half assed implementation means trivial to spoof.

    Clearly, accepting foreign CallerID records would need some notation that it isn’t correct, but for local 911/E911 connections, the police could easily be notified that the record was validated as true AND coming from the local DSLAM/CO of the property.

  21. Alex

    Interesting, where did so many police in Annandale come from?

  22. jax4pres

    Hey user #309, if you’re going to DOS macs.Xboxlive.com and as.xboxlive.com and a bunch of home gaming IPs, don’t do it via a vanity domain name that is also your first and last name and linked to your twitter …

  23. Dan Van Riper

    I’m sorry to see that you blandly accept the insane response by the cops.

    A big part of the problem is that police departments have been militarized to the point that they respond to such reports by deploying such excessive force. Your description of a large gang of cops ready to shoot to kill without warning is a sad and terrifying testament to the current state of our society.

    I’m not condoning what these “pranksters” did to you or to others, they deserve serious punishment (if they can be caught!) But consider that these “pranksters” have exploited a serious glitch in our system of law enforcement, a glitch that should never have developed in the first place.

    As you pointed out, some recipient of the “prank” could be shot dead without warning by these trigger happy cops. It’ll happen eventually, and I wonder how many times that will happen before we start questioning the growing military mindset of the people who are supposed to be protecting us.

    1. dh

      Dan,

      Apparently you don’t know much about how law enforcement works. The “large gang of cops ready to shoot to kill without warning” is evidence of that. The people responding to such 911 calls place themselves at great personal risk to insure they don’t fire their weapons unless they absolutely have to.

      These “trigger happy cops” have to walk into situations everyone else is running from in order to deal with the worst of the worst, and they have established protocols and a great deal of training for how to react. Firing your weapon is the last thing you want to do.

      What would you propose the response should be to such a call? A polite rap on the door to see if everything is ok? Pretty easy to lob criticism from the comfort of your computer while someone else is busy trying to keep chaos from growing without bound.

      1. Dan Van Riper

        dh,

        I know plenty of how law enforcement works, and how it often doesn’t work. To repeat myself, the “prankster” was exploiting a glitch in how police respond to calls for help. The problem here is that this police response was carried out as a military operation, which is to say that it was not carried out in a manner that was concerned with protecting the apparent victims.

        Why did this man only find out that his house was surrounded by an armed force when he happened to open his door and step outside? Why the silence? Was this supposed to be a siege or an ambush?

        Upon opening the door this man was surprised by armed persons threatening his life. Suppose he had panicked, tried to find cover or tried to get back inside. The police would have opened fire and not only his body but his house and possibly his family inside would have been perforated with bullets and lord knows what else.

        The problem is the mindset of this particular set of cops, they were deployed to take down The Enemy. Except that The Enemy, being undefined at that moment, was any hapless person who happened to blunder in front of their guns.

        At that point, the police deployed around the house had no idea what they were doing because they had no information about what was going on and no confirmation of the alleged hostage situation. They were acting with maximum force without knowing if maximum force was appropriate to the situation. As a result, the person they were supposedly trying to protect almost lost his life.

        This is how an army conducts a war, not how public defenders resolve a community conflict. Or is The Public considered The Enemy? That is not a rhetorical question, all too many police agencies in this country have descended into an “us vs. them” mindset, where the cops are separate from the community and everybody else is a threat to their sovereignty. Apparently, this one has that mindset.

        It’s very easy “to lob criticism from the comfort of your computer” about how the police and their procedures are above criticism. But the real world isn’t so simple as you would like it to be. Take a hard look at what happened here. If the police can be so easily manipulated into putting innocent lives at risk then the main problem is not with the manipulator.

        Again, the “prankster” needs to be seriously punished. But this police force needs to examine and change how it responds to calls like this, and I strongly suspect that to do so it needs to radically change how it regards the public that it is supposed to serve.

    2. Low Voltage

      The Fairfax County police are to be commended for their professionalism. How would you have them respond to such a call?

      1. Sean

        The Fairfax County police have a history of killing a man in a traffic jam after he stole a bouquet of flowers. They also killed another man in his home for the incredibly dangerous crime of “gambling”.

        Fairfax County PD is dangerous. Very dangerous. Krebs got lucky.

  24. mach

    I’m sorry you were a victim of swatting and very glad to see you come through it in one piece. The frequency of these attacks is alarming; I do hope you will follow through and help push for action. Many victims are not in a position to fight back or work toward enacting a federal solution (whether it be youth, inexperience, less than perfect records, being unable to risk subsequent attacks, or limited resources), so a person such as yourself can help turn the tide.
    Take care and good luck.
    mach

  25. Kathryn

    Google translated the comment in Russian from “Alex” as asking how many police are in Annandale.

    1. JCitizen

      Don’t worry Kathryn – I think Alex is harmless.

      1. Alex

        Thinking and knowing are different things.

  26. Baden

    Well written Brian and keep up the good work.

    Not sure if this has been written about before but perhaps a future article on caller ID spoofing may be of interest to many of us seeing how this was a critical component of your recent situation?

  27. BarbaraB

    Who do you want to play you in the movie, Brian? I think Brad Pitt would be good.

    Be safe.

  28. KK

    How could you get hold of the SQL dump? How could you figure out the URL its lying at?
