15 Mar 13

The World Has No Room For Cowards

It’s not often that one has the opportunity to be the target of a cyber and kinetic attack at the same time. But that is exactly what’s happened to me and my Web site over the past 24 hours. On Thursday afternoon, my site was the target of a fairly massive denial of service attack. That attack was punctuated by a visit from a heavily armed local police unit that was tricked into responding to a 911 call spoofed to look like it came from my home.

Well, as one gamer enthusiast who follows me on Twitter remarked, I guess I’ve now “unlocked that level.”

Things began to get interesting early Thursday afternoon, when a technician from Prolexic, a company which protects Web sites (including KrebsOnSecurity.com) from denial-of-service attacks, forwarded a strange letter they’d received earlier in the day that appeared to have been sent from the FBI. The letter, a copy of which is reprinted in its entirety here, falsely stated that my site was hosting illegal content, profiting from cybercriminal activity, and that it should be shut down. Prolexic considered it a hoax, but forwarded it anyway. I similarly had no doubt it was a fake, and a short phone call to the FBI confirmed that fact.

Around the same time, my site came under a series of denial-of-service attacks, briefly knocking it offline. While Prolexic technicians worked to filter the attack traffic, I got busy tidying up the house (since we were expecting company for dinner). I heard the phone ring up in the office while I was downstairs vacuuming the living room and made a mental note to check my voicemail later. Vacuuming the rug near the front door, I noticed that some clear plastic tape I’d used to secure an extension cord for some outdoor lights was still straddling the threshold of the front door.

Fairfax County Police outside my home on 3/14/13

When I opened the door to peel the rest of the tape off, I heard someone yell, “Don’t move! Put your hands in the air.” Glancing up from my squat, I saw a Fairfax County Police officer leaning over the trunk of a squad car, both arms extended and pointing a handgun at me. As I very slowly turned my head to the left, I observed about a half-dozen other squad cars, lights flashing, and more officers pointing firearms in my direction, including a shotgun and a semi-automatic rifle. I was instructed to face the house, back down my front steps and walk backwards into the adjoining parking area, after which point I was handcuffed and walked up to the top of the street.

I informed the responding officers that this was a hoax, and that I’d even warned them in advance of this possibility. In August 2012, I filed a report with Fairfax County Police after receiving non-specific threats. The threats came directly after I wrote about a service called absoboot.com, which is a service that can be hired to knock Web sites offline.

One of the reasons that I opted to file the report was because I knew some of the young hackers who frequented the forum on which this service was advertised had discussed SWATting someone as a way of exacting revenge or merely having fun at the target’s expense. To my surprise, the officer who took my report said he had never heard of the phenomenon, but promised to read up on it.

One of the officers asked if it was okay to enter my house, and I said sure. Then an officer who was dressed more like a supervisor approached me and asked if I was the guy who had filed a police report about this eventuality about six months earlier. When I responded in the affirmative, he spoke into his handheld radio, and the police began stowing their rifles and the cuffs were removed from my wrists. He explained that they’d tried to call me on the phone number that had called them (my mobile), but that there was no answer. He apologized for the inconvenience, and said they were only doing their jobs. I told him no hard feelings. He told me that the problem of SWATting started on the West Coast and has been slowly making its way east.

The cop that took the report from me after the incident said someone had called 911 using a Caller ID number that matched my mobile phone number; the caller claimed to be me, reporting that Russians had broken into the home and shot my wife. Obviously, this was not the case, and nobody was harmed during the SWATing.

Update, Apr. 29, 2013: As I noted halfway through this follow-up post, the police officer was misinformed: The 911 call was actually made via instant message chats using a relay service designed for hearing impaired and deaf callers, *not* via a spoofed mobile phone call.

Original story:

It’s difficult to believe the phony FBI letter that Prolexic received, the denial-of-service attack, and the SWATting were somehow the work of different individuals upset over something I’ve written. The letter to Prolexic made no fewer than five references to a story I published earlier this week about sssdob.ru, a site advertised in the cybercrime underground that sells access to Social Security numbers and credit reports. That story was prompted by news media attention to exposed.su, a site that has been posting what appear to be Social Security numbers, previous addresses and other information on highly public figures, including First Lady Michelle Obama and the director of the FBI.

Interestingly, there are strong indications that a site named booter.tw may have been involved in the denial-of-service attack on my site yesterday. For some bone-headed reason, the entire customer database file for booter.tw appears to be available for download if you happen to know the link to the archive. A search through that record shows that on Thursday afternoon Eastern Time, someone paid booter.tw to launch a series of denial-of-service attacks against my Web site. The account that paid for the attack used the nickname “Starfall,” using the email address “starfall@gmail.com.”

Update, Mar. 16, 8:09 a.m. ET: It seems that I and several other folks who looked at the SQL file from booter.tw made the same mistake in misreading the table: The account that ordered the DDoS against KrebsOnSecurity.com was not Starfall but instead one that used the nickname “countonme,” and the email address “countonme@gmail.com.”

A screen grab of booter.tw

Thursday morning, Dan Goodin, a good friend and colleague at Ars Technica, published a story about my ordeal after a late night phone interview. Shortly thereafter, Ars Technica found itself on the receiving end of an attack nearly identical to the one launched against my site on Thursday. Turns out, the records at booter.tw show clearly that a customer named “countonme” using that same Gmail address also paid for an attack on Arstechnica.com, beginning at approximately 11:54 a.m. ET. A snippet of the logs from booter.tw showing the attack on Ars Technica.com (a.k.a. ‘http://50.31.151.33‘ in the logs) is here.

According to Eric Bangeman, Ars Technica’s managing editor, their site was indeed attacked starting earlier this morning with a denial-of-service flood that briefly knocked the site offline.

“We’ve been up and down all morning, and the [content management system] was basically inaccessible for 2 hours,” Bangeman said, adding that he wasn’t aware of an attack of similar size that knocked the site offline. “If it did, it wasn’t enough to be registering in my memory, and I’ve been around for 10 years.”

I have seen many young hackers discussing SWATing attacks as equivalent to calling in a bomb threat to get out of taking exams in high school or college. Unfortunately, calling in a bomb threat is nowhere near as dangerous as sending a SWAT team or some equivalent force to raid someone’s residence. This type of individual prank puts people’s lives at risk, wastes huge amounts of taxpayer dollars, and draws otherwise scarce resources away from real emergencies. What’s more, there are a lot of folks who will confront armed force with armed force, all with the intention of self-defense.

The local police departments of the United States are ill-equipped to do much to stop these sorts of attacks. I would like to see federal recognition of a task force or some kind of concerted response to these potentially deadly pranks. Hopefully, authorities can drive the message home that perpetrating these hoaxes on another will bring severe penalties. Who knows: Perhaps some of the data uncovered in this blog post and in future posts here will result in the legal SWATing of those responsible.

This is a fast-moving and ongoing story. I will most likely update this post or file a follow-up sometime in the next 24-48 hours as more details and events unfold. Thanks to all those readers who’ve expressed concern for my safety and well-being via emails, Twitter and the blog: Your support and encouragement means a great deal. And a special note of thanks to security expert Lance James for his assistance in poring over the booter.tw logs.

199 comments

  1. Can I suggest today be ‘buy krebs a cup of coffee’ day (or a beer) via his paypal link.

    He’s pretty literally risking his life to bring us important security reporting.

  2. Sorry to hear of the attack. Thank you so much for the invaluable information.

  3. This was a bit more advanced than MIT’s recent (and deserved) SWATing for the Aaron Swartz thing. In that instance they used the Sprint Relay Online, the more common method, in this instance they used call spoofing and your home number, that they probably got from public records. I first heard of SWATing in 2006, when an admin of an unpopular imageboard was SWATed by a pissed off little kid. The tactic was already well established back then. The one arrested for SWATing CA celebrities is also described in a LAPD press release as a ‘minor’. Now it has been going on for roughly a decade, and yet E911 OPs are still too dumb to know a spoofed call when they see it. The incompetence of LEOs continues to astound me.

    • Do tell Drafty! How do you determine a fake caller ID from a real one! :O

      I had one of these guys doing this to me by calling kids alone at home and threatening them – I got a call from one of the distressed kids who received one, and I called the cops about it; but the fact is, any shmuck can take a trash cell phone and download an app that replaces the telephone number and caller ID for outbound calls.

      That poor kid was shook up, but I sent a woman officer to her house to calm her down! It was really embarrassing to me, but later I found out this cracker was calling all of my circle of friends and harassing them. We found out he plugged a walk-a-bout base station into one of my friends’ home phone boxes, collected all the phones in the completed call list, and was using them for his sick pastime! X-(

      • Place the suspect call on hold and immediately dial the number. If there’s no answer, as in Brian’s case, one could reasonably assume the call is spoofed.

        • Uh – the number is fake – remember? Do you mean dial *67 or something like that?

          The child hit the call button with my number on the screen, it did indeed call me – but I can prove on my caller records from that phone number – which is an ordinary POTS landline, that I never called her.

        • Seriously? And how is LEA supposed to know, for example, that a violent offender hasn’t just walked into the room and found the person making the emergency call and this is the reason the phone isn’t answered.

          I’m going to assume you’re not dumb as paint but it seems to me that your determination to make reality match your perception that LE is “incompetent” is making you behave like you are.

          • Which post are you answering Neej? Are you confused as well? Sorry, but I don’t see the connection to my particular situation; although I AM pointing to the fact that faking a caller ID is easy.

    • I should clarify that the officer who told me about the prank call did not appear to have the deepest grasp of the events, and has not returned my calls since. I just mention that because I’m wondering if there was in fact a 911 call, or if someone just called a police station spoofing my number. I’m still waiting on the full report. As I stated in this post, there will be more info coming in the next few days.

  4. You have to love those guys who launch attacks countries away, through the Internet masked so that they can’t be found, caught and slapped upside the head.

    Cowards.

  5. Considering all the waste of time and resources SWATing causes, it might serve a purpose to have 911 call the person reporting the “crime” to verify that the number was not spoofed. I am not clear whether the missed phone call in the article would have covered the problem but it is something to consider implementing in protocol. Just a thought.

    • If someone had a gun to my head when they called back and said “don’t answer it” – that is why they just go and don’t bother with call backs (in my area anyway).

      • Good point “me”; I resist the urge to call you Captain obvious, because I like your post too much! HA!

  6. Keep shining your light into dark corners Brian.

  7. After importing booter.sql into a mysql database and running some queries, it appears that you may have mis-attributed the attacks to starfall@gmail.com (user id 168), when instead I believe they were actually ordered by countonme@gmail.com (user id 126). In fact, it looks like this user ordered a total of 21 attacks on your site yesterday, each with a duration of 7200 seconds. Assuming the times in the database are accurate, the first attack was ordered at Thu Mar 14 17:02:45 UTC 2013, and the final attack ordered at Thu Mar 14 22:36:09 UTC 2013.

    Thanks for continually exposing all of these miscreants! Keep up the excellent work!
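The Mar. 16 update in the post and the comment above describe the same pitfall: several people read the leaked users and attacks tables side by side and credited the orders to the wrong account. The script below is an added example, not the booter.tw dump and not anyone's actual query; its tables, column names (user_id, target, duration, ordered_at) and rows are constructed, with only the two nicknames and user ids taken from the post and the comment. It joins each order to its account through the user_id column and then summarises count, total ordered duration and first/last order time per account, which is what the comment reports for user 126.

```python
"""Attribute attack orders in a leaked booter database by joining on user id.

Added example; this is not the booter.tw dump and not anyone's actual query.
The tables, column names and rows below are constructed to mirror the misread
described in the post's Mar. 16 update: looking at the users and attacks
tables side by side, several people credited the orders to the wrong account.
Joining each order to its account through the user_id column avoids that.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed "users" table (id -> account). The two nicknames and user ids are
# the ones named in the post and in comment 7; the third row is made up.
USERS = {
    126: {"username": "countonme", "email": "countonme@gmail.com"},
    168: {"username": "starfall", "email": "starfall@gmail.com"},
    201: {"username": "bystander", "email": "bystander@example.invalid"},
}

# Constructed "attacks" table rows: (user_id, target, duration_seconds, ordered_at).
# ordered_at is a UTC 'YYYY-MM-DD HH:MM:SS' string, as a SQL dump would carry it.
ATTACKS = [
    (126, "krebsonsecurity.com", 7200, "2013-03-14 17:02:45"),
    (168, "example.invalid",     600,  "2013-03-14 17:05:10"),
    (126, "krebsonsecurity.com", 7200, "2013-03-14 19:20:00"),
    (126, "50.31.151.33",        7200, "2013-03-15 15:54:00"),
    (201, "krebsonsecurity.com", 300,  "2013-03-10 09:00:00"),
    (126, "krebsonsecurity.com", 7200, "2013-03-14 22:36:09"),
]


def parse_ts(text):
    """Parse a dump-style 'YYYY-MM-DD HH:MM:SS' timestamp as an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def orders_for_target(target, attacks=ATTACKS, users=USERS, since=None):
    """Summarise who ordered attacks on `target`, joined to accounts via user_id.

    Returns {email: {"username", "count", "total_seconds", "first", "last"}},
    ordered by number of orders (highest first). `since` (aware datetime)
    drops orders placed before that moment, e.g. to look at one day only.
    """
    per_user = defaultdict(list)
    for user_id, victim, duration, ordered_at in attacks:
        if victim != target:
            continue
        when = parse_ts(ordered_at)
        if since is not None and when < since:
            continue
        per_user[user_id].append((when, duration))

    summary = {}
    for user_id, rows in per_user.items():
        account = users.get(user_id)
        # An order whose user_id has no users row is still reported, not silently dropped.
        key = account["email"] if account else f"<unknown user_id {user_id}>"
        times = sorted(when for when, _ in rows)
        summary[key] = {
            "username": account["username"] if account else None,
            "count": len(rows),
            "total_seconds": sum(duration for _, duration in rows),
            "first": times[0].isoformat(),
            "last": times[-1].isoformat(),
        }
    return dict(sorted(summary.items(), key=lambda item: -item[1]["count"]))


if __name__ == "__main__":
    for email, info in orders_for_target("krebsonsecurity.com").items():
        print(f"{email} ({info['username']}): {info['count']} orders, "
              f"{info['total_seconds']} s total, {info['first']} .. {info['last']}")
```

Running it lists countonme@gmail.com first for krebsonsecurity.com and never mentions starfall, because that account's only order in the constructed data targets a different host; the point is that attribution follows the user_id join, not the row that happens to sit next to the victim's name in the dump.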

  8. http://newsgroups.derkeiler.com/Archive/Alt/alt.true-crime/2008-05/msg01857.html

    The original story seems down from http://www.citynews.ca/ but basically in 2008 the 420chan admin had this same prank done to him.

    ( “I got out of bed, I open up my bedroom door, walked over to the front
    door and had an automatic combat shotgun in my face,” Cottle recalls.
    “When you’re getting woken up at 4:30 in the morning by a whole bunch
    of cops with automatic weapons and then finding out that they’ve
    blocked off the entire street outside – pretty unsettling.”

    Why would he do that? “Because he thinks it’s funny,” he shrugs. )

  9. Ironically this site popped up a warning about an invalid security certificate.

    You seem to have a tracker at s.krebsonsecurity.com but the cert is only for the base domain and www.

    “Piwik Tracker”?

    var pkBaseURL = (("https:" == document.location.protocol) ? "https://s.krebsonsecurity.com/" : "http://s.krebsonsecurity.com/");

    Also, the submit for this comment (form action) is via plain http, so ANOTHER warning is popped up when reading the site at its https address and then posting a comment.

    Two SSL-related security glitches on a security expert’s site? Or has your site been cracked?
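The two warnings the comment above describes are a certificate-scope problem (the tracker host is not named on the certificate) and a mixed-content problem (a form that posts over plain http from an https page). The script below is an added example, not code from the blog or from the Piwik project: it resolves each reference a page makes, flags http references from an https page, and checks https hosts against the certificate's DNS names with the usual single-label wildcard rule. The page URL, the reference list, the script and form paths and the certificate's subjectAltName list are all constructed; only the hostnames come from the comment.

```python
"""Audit a page's references for mixed content and certificate coverage.

Added example, not code from the blog or from the Piwik project. It models
the two warnings described in the comment above: a tracker loaded over https
from a subdomain the certificate does not name, and a comment form that posts
over plain http from an https page. The page URL, the reference list and the
certificate's subjectAltName list are constructed; the hostnames match the
comment, the certificate contents and the script/form paths are assumed.
"""
from urllib.parse import urljoin, urlsplit


def hostname_covered(hostname, san_names):
    """Return True if `hostname` matches one of the certificate's DNS names.

    A wildcard entry such as '*.example.com' matches exactly one label on the
    left (s.example.com) and neither the bare domain nor a deeper subdomain.
    """
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]  # '.example.com'
            if host.endswith(suffix):
                left = host[: -len(suffix)]
                if left and "." not in left:
                    return True
        elif host == name:
            return True
    return False


def audit_references(page_url, references, san_names):
    """Check each (kind, url) reference made by the page at `page_url`.

    Returns a list of (kind, resolved_url, finding) for references that would
    trigger a browser warning: http references from an https page, and https
    references to a host the certificate does not cover.
    """
    page = urlsplit(page_url)
    findings = []
    for kind, ref in references:
        url = urljoin(page_url, ref)  # resolves relative and '//host/' forms
        parts = urlsplit(url)
        if page.scheme == "https" and parts.scheme == "http":
            findings.append((kind, url, "mixed content: http reference from an https page"))
        elif parts.scheme == "https" and not hostname_covered(parts.hostname, san_names):
            findings.append((kind, url, f"certificate does not cover {parts.hostname}"))
    return findings


# Constructed inputs. The tracker host and the bare/www names come from the
# comment; the SAN list, script path and form action path are assumed.
PAGE_URL = "https://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/"
CERT_SAN_NAMES = ["krebsonsecurity.com", "www.krebsonsecurity.com"]
REFERENCES = [
    # what the quoted pkBaseURL expression selects when the page is https
    ("script", "https://s.krebsonsecurity.com/tracker.js"),
    ("form", "http://krebsonsecurity.com/post-comment"),
    ("img", "/images/logo.png"),
]


if __name__ == "__main__":
    for kind, url, finding in audit_references(PAGE_URL, REFERENCES, CERT_SAN_NAMES):
        print(f"{kind:<6} {url}\n       -> {finding}")
```

With the constructed inputs the audit reports exactly the two findings from the comment and passes the relative image reference. The remedies it implies are a certificate that also names the tracker host (an extra SAN entry or a wildcard) and a form action that is https or scheme-relative, so the page stays warning-free whichever scheme it is read under.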

  10. Holly Carp… (as in the fish :P)

    This sounds like a movie scenario.

    Glad You’re ok Brian.

    Regards.

    Andrzej

  11. I must send you money. <3

  12. Glad you are ok. This originated with the political swatting first, then moved to the hacker realm? There were about a half dozen conservative political reporters/bloggers in and around LA swatted, then a larger number of celebrities, and now apparently it has broadened.

    Make it a felony. With significant jail time and a fine it might provide some deterrent. Since a large number of swatters are believed to be under-18, maybe ban them from using cell phones. If a hacker can be forced off the internet, a swatter can be forced off of cell phones.

  13. You must be doing something right.

  14. Just lost 16 domains/sites to hackers [last 24 hours], after a false security token error message with reroute to a fake google search page showed up when accessing my security systems.
    Seems like we are all in for some “fun”.
    Sorry to hear of such extreme outcomes Brian…

    best wishes.

  15. That sucks, I hope you continue to fight these cybercriminals
    despite the swatting. Cheers!

  16. This is childish. If they have a problem with you, they should confront you in person rather than waste taxpayers’ money; what if the law enforcement officers had other serious matters to attend to? Stop being cowards; if you’ve a problem, you pick up the phone and sort out your differences.

    Kids will always be kids; it happens a lot on IRC. DDoS is a common thing and won’t stop.

  17. Brian, i want to see you in Russia! I love you.

  18. I’d just like to say that this wasn’t me, and I didn’t do the Ars or Barack Obama attacks either.
    If you examine those logs, I actually attempt to hack the booter on several occasions.

    Any questions, you can email me at starfall [AT] riseup [DOT] net

  19. Just adding on, as others have mentioned, real perp is countonme, whose IP oddly enough is an ADSL IP in Russia

  20. There’s a lot of information on booter.tw here: http://booterdown.blogspot.com/2013/01/bootertw-goes-by-twbooter_2.html

  21. One more thing, and sorry for shitting up your blog.
    I may be a cybercriminal as you call us, but I am not a faggot. I don’t attack people like you, Krebs. I appreciate what you do in exposing script kiddies, and I hope to see more of it. I’d like to get into contact with you about this article. Thanks.

    • Rabid Howler Monkey

      Starfall wrote:
      “I appreciate what you do in exposing script kiddies, and I hope to see more of it.”

      Does this mean that ‘script kiddies’ give cyber-crime a bad name? Or just those among them that resort to SWATting?

      P.S. Brian, am glad that neither you nor your wife (apparently, out at the time) was harmed.

      • Indeed they do give it a bad name. What I do, I do for entertainment. People who do it for money make us all look like the scum of the earth when really, some of us are just average people having a bit of fun with what we know.

      • I hate having to follow up on my own comments; I always forget something. SWAT is childish and so is DDoS. Honestly, most of the people doing SWATting attacks are in their early teenage years and don’t really understand the process. They’re just following a tutorial on how to “ruin someone’s life”. It’s pretty simple, actually, from what I’ve seen, and usually involves AT&T’s relay service for the hearing-impaired.

  22. Normally, 911 Operators will do a return call to the 911 Caller just to confirm he is the caller and correct number. These number spoofers have been around a long time. I have been in telecommunications a very long time, since 1957 and when I make 911 calls here in Brevard County Florida, they do call you back.

    • Yea, they call back but they are en route regardless. The call back is to confirm the severity/priority of the call I guess…I hear them do it on scanner all the time and when people politely say it was a pocket dial they are greeted with their standard “Sorry, it’s policy for us to drop by in person, see you in 10”.

  23. @JCitizen, how do you send a police officer to your victim’s home? Are you a police officer too!! Anyway, hard to believe your story; it does not match. On March 18th 2011, I reported to Fairfax Police that my pre-paid T-Mobile phone was being hacked: my contacts had been carried over by an AT&T phone user, who then hacked into my contact’s AT&T phone and forwarded his phone/voice mails to my phone. I received phone messages people left for him, and they were questioning themselves whether it was his number?? Nothing happened. I contacted the FBI, Baltimore field office (I live in Fairfax; when I dialed FBI DC, I was told they do not take walk-ins, it was not the FBI), to report phone hacking, a threat to F**** my life by this ID-theft, tax-scheme ring queen, and threats to hurt my family here and back home. Played the voice mail to the agent and told him it is not my phone. Also showed him the hacker using a T-Mobile phone listed under one name, and from the same pre-paid number kept under a different name.
    I told the police officer that I got called from S. Dakota, and when I answered the call no one spoke. When I returned the call, I was told that someone had stolen “Mark Oil Company” of South Dakota’s phone line; the company’s telephone company chased them up to Ft. Lauderdale, Florida, and could not catch them. It was them, March 18th 2011. By the end of 2012, I was facing 7 criminal charges by this ring, and the same charge, “phone harassment…”; all the messages they played were left for my ….. man, whom I married and lived with for five years. So his voice mail was gracefully transferred to their minor child, sometimes themselves.

    I contacted the Amex C-dept, after I was told that my card is a business card I opened in Sep 2010, and a 33-year-old Pakistani man named “Golam Rahman” is the signer, and my name is “Sabrina Rohman”; it is a Sabrina Rohman financial CC!!! I never owned any business???

    City security only told me, your name matches, SSN# matches, but none of your addresses match… and then immediately the call gets cut off. Verizon security were emailed by the store manager to contact me;
    I got calls from an Indian woman: “she is verifying identity of who is who?”
    Paid Verizon phone bills in 07/12; my line was cut off for non-payment, and my card was charged by the online business “Yahoo Small Business Inc”, owned by the ring king and queen of this financial and tax scheme. My Discover card has been charged by this business owner since March 2012, $19.00 per month for ID protection. The business is called “USA Identity Protections”. It is also owned by this ring.

    She works at Teck System as an account specialist (her son owns a real estate investment business in Manassas, VA, her daughter goes to Trou-Church private law school, and she has filed bankruptcy every 4 years), a sister company of Arotech, at the Alexandria location at night, and managed her own telephone hacking business named “USA Car Mobile / USA Mobility, USA Car Phone”, next door to Tech System, a former AT&T billing office at 6420 Grovedale Drive #200, Alexandria, VA 22310. Hoovers.com shows that it is a female-owned California local business, # 310-658-8369 and 323-206-2742, revenue earned in 2010 $84,000.00 and in 2011 over 1 million dollars. The business does not exist. It is a
    telecommunication devices supplying contractor for DoD. ?

    She changed her name to “Lori Larsob” as City security, and has a LinkedIn profile as a collection clerk of Sprint, where she worked in 2007 at their Woodbridge location. And guess which carrier gov’t/fed agencies use their telephones from.. Boost Mobile (she owned a store in Falls Church, VA in partnership), and Sprint!!

    I read phone hacking news and about stolen numbers on the
    DoD and Secret Service websites, contacted them and told them how myself and my ex-husband’s family (all US Navy retired), and my sister’s family (US Army) have been victimized by this Bangladeshi/Pakistani real estate mortgage scheme.

    They started to retaliate against me in 2009, after one of the ring members’ sons was convicted of stealing money from my nephew’s military salary account at Wachovia.

    After showing my attorney Mrs. William how they used an online calling service/data to make phone calls to my phone to threaten me: it showed “No Number”; when the calls came it appeared as “Tritech”; if I answered, it would be the ring leader or no one on the other line; if I did not answer, the caller ID disappeared from the screen and appeared as “No Number” or international calls..”

    Will write later.. waiting to hear from you all.

    • @Kazi;

      You are a very confused individual; this poor little girl was a victim of a cracker NOT me! SEE!? All I had to do is present the evidence to the female officer and relate my concern about a child home alone, and that is all it took. I knew she had to be home alone, or she would have complained to her parents before calling me, and her parents would have easily dealt with the situation. All it takes is a little brain power to see where the problem is, evaluate the situation, and take action. I was afraid the child may be under surveillance, and I’m glad I did what I did so quickly, because this creep was not afraid to visit the location of his victims. If I had not notified the police, he might have taken advantage of the situation and attacked this minor child! This would have made it difficult for me to explain why I was involved somehow in this unfortunate situation – quick action is what solved the problem. I have contacts in Homeland Security, the BATF, and went to college with many of the Chief Law Enforcement Officers in my area, so they know I’m not a weirdo – or at least NOT that kind of weirdo! HA!

      The main thing is we did what we had to do to protect everyone involved, and this creep has at least been smart enough not to pull this cr@p on me and mine since then. When you live in a small community, people take care of each other – I think it is sad how folks are victimized in the large population centers, and no one gives a sh*t! It has become a disgusting situation – especially with the gangs in Chicago and Washington D.C.!!

  24. Clearly you are doing too good a job. I think I’ll stick to fiction, as your bearding of the lion in his own den has had the same general effect as a full moon on a werewolf. Too bad our cybercrime laws make the consequences of payback so onerous.

  25. I have a suggestion. How about, instead of more government (a Federal task force or whatever waste of time and money envisioned by the author), less government.

    In this case: get rid of SWAT teams. Their existence is an affront to posse comitatus, and their tactics an affront to the fourth amendment.

    If you wanna make it Federal, how about we stop all the Federal subsidy of equipment and training? Hmm?

  26. I would like to recommend active monitoring of the following Internet Relay Chat servers
    irc.teamavolution.com
    Ryan C, Storm, ajpot and associates
    irc.voidptr.cz
    Orgy, Batmayne, BV1 and associates

    • Do you have nothing better to do with your time other than spreading butthurt because someone in IRC upset you?

  27. Just an fyi, the 12 year old swatter that hit the celebrities was some lamer named Satanist, aka Aaron James Maxcy.

  28. To correct JC, it’s irc.teamavolition.com with an i.
    You can PM me there as well. I’d be happy to discuss this, as I said before I’m not involved.

  29. Richard (another one)

    Well, Brian, is it time to start that second career writing computer books for children? I sure miss your WaPo chats but enjoy your web site. Glad everything ended safely. The WaPo article online tonight lists celebrities who allegedly have had the same experience.

    http://www.washingtonpost.com/local/fairfax-journalist-victimized-by-swating-gets-surprise-visit-from-police/2013/03/15/57f2ec5c-8db4-11e2-9f54-f3fdd70acad2_story.html

  30. I’m glad that you and yours are safe and unharmed, thank you for fighting the good fight even when the pressure’s on.