April 17, 2013

Many readers have been asking for an update on the “SWATting” incident at my home last month, in which someone claiming to be me fraudulently reported a home invasion in progress at my address, prompting a heavily armed police response. There are two incremental developments on this story. The first is I’ve learned more about how the hoax was perpetrated. The second is that new clues suggest that the same individual(s) responsible also have been SWATting Hollywood celebrities and posting their personal information on site called exposed.re.

The day before my SWATting, I wrote a story about a site called exposed.su, which was posting the Social Security numbers, previous addresses, phone numbers and other sensitive information on a slew of high-profile individuals, from the director of the FBI to Kim Kardashian, Bill Gates and First Lady Michelle Obama. I wrote about the site by way of explaining that — as painful as it may be to admit — this information should no longer be considered private, because it is available quite cheaply via a number of shady services advertised in underground cybercrime forums.

[Image: after migrating the data from Exposed.su to Exposed.re, the curator added [Swatted] notations next to some celebrity names.]

To illustrate this reality, I pointed to one underground site in particular — the now-defunct ssndob.ru (it is now at another domain) — that could be used to pull all of this information on just about anyone, including all of those whose information was listed at the time on exposed.su. In a follow-up investigation I posted on Mar. 18, 2013, I cited sources who claimed that the DDoS against my site and the simultaneous SWATting attack on my home was in retaliation for my writing about ssndob.ru, which allegedly some of those involved in the attacks prized and did not wish to see shuttered.

Specifically, two different sources placed blame for the attacks on a young hacker named “Phobia,” who they said was part of a group of Xbox gaming enthusiasts who used ssndob.ru to look up Social Security numbers belonging to high-value Xbox account holders — particularly those belonging to Microsoft Xbox Live employees. Armed with that information, and some social engineering skills, the hackers could apparently trick Microsoft’s tech support folks into transferring control over the accounts to the hackers. “I heard he got pissed that you released the site he uses,” one of the sources told me, explaining why he thought Phobia was involved.

Incidentally, two days after my story ran, several news outlets reported that Microsoft had confirmed it is investigating the hacking of Xbox Live accounts belonging to some “high-profile” Microsoft employees, and that it is actively working with law enforcement on the matter.

A little digging suggested that Phobia was a 20-year-old Ryan Stevenson from Milford, Ct. In that Mar. 18 story, I interviewed Phobia, who confessed to being the hacker who broke into and deleted the Apple iCloud account of wired.com reporter Mat Honan. In subsequent postings on Twitter, Honan expressed surprise that no one else had drawn the connections between Phobia and Stevenson earlier, based on the amount of open source information linking the two identities. In his own reporting on the attack that wiped his iCloud data, Honan had agreed not to name Phobia in return for an explanation of how the hack was carried out.

Geographic distribution of servers observed in Mar. 14, 2013 attack on KrebsOnSecurity. Source: Prolexic

The week after my story ran, I heard from someone who lives in Stevenson’s neighborhood and who watched federal agents and police descend on Stevenson’s home on Mar. 20. I was later able to corroborate that information with a police officer in Connecticut, who confirmed that authorities had seized several boxes of items from the Stevenson residence that day.

If Stevenson was as involved as his erstwhile gaming buddies claim, I can’t say that I’m sad to learn that he got his own police raid. However, I do not believe he was the one responsible for sending the emergency response team to my home. I believe that the person or persons responsible is/are still at large, and that Stevenson was merely thrown under the bus as a convenient diversion. But more on that at another time.

At the end of March, exposed.su was shut down, and the content there was migrated over to a new domain — exposed.re. The curator(s) of this site has been adding more celebrities and public figures, but there is another, far more curious, notation on some of the listings at the new version of the site: Several of those named have the designation [Swatted] next to them, including P. Diddy, Justin Timberlake and Ryan Seacrest (see the collage above). It’s worth noting that not all of those listed on exposed.re who were SWATted recently are designated as such on the site.

Could it be that the person who is looking up and posting all of the Social Security and personal information on public figures and celebrities also is involved in SWATting some of these individuals? Given the timeline of these postings and other factors, it seems likely that this is the case, and that this individual has taken to “marking” or “claiming” SWAT attacks against those he’s listed on exposed.re. Only time will tell, I suppose.

I also wanted to set the record straight about how the SWAT event against me was called in. In my initial story, I reported hearing from a policeman who stayed behind to take an official report about the incident that the emergency call had been spoofed to look like it came from my mobile phone. It turns out that this was not how it went down. The FBI and Fairfax County Police officials have declined to release my case file, saying it is connected to an ongoing investigation. But I was able to confirm that the 911 call was actually made via a relay service designed to help deaf and hearing-impaired individuals communicate over the phone.

Anyone can use these telecommunications relay services, also known as “TeleTYpewriter” (TTY) or “ip-relay.” A typical call involves the caller using some kind of instant message client — such as AOL’s AIM Instant Messenger — to send messages to a relay operator, who in turn reads the messages to the called party. It’s not clear how the SWATter in my case corresponded with the TTY service, but it’s clear that the abuse of TTY services for SWATting and for other forms of fraud has been and remains a persistent problem.

Perhaps the most frustrating aspect of the abuse of TTY services for fraud stems from the rules under which these relay services must operate, rules that practically guarantee the services will be abused by fraudsters. Under rules set by the Federal Communications Commission (FCC), relay operators are forbidden from keeping records of calls — either the text of what was relayed or even the identity or location of the parties on the calls.

According to this Wikipedia article, relay operators also are legally required to relay all communication between parties without making any judgments, cannot refuse to relay what the caller types, and are prohibited from interjecting their opinions about the veracity of the claims or comments made by the caller.

In 2006, the FCC initiated a proceeding to gather public feedback about how to address the abuse of ip-relay services, and in 2009 it began requiring all users of ip-relay services to register their screen names with a default ip-relay provider. It’s unclear how or whether these measures have lessened the amount of abuse that takes place over relay services. It’s also unclear how many of these recent SWATting incidents involved relay services.

Few of the stories about recent celebrity SWATtings have indicated the source of the emergency alert, although TTY services were cited in one high-profile SWAT against actor Ashton Kutcher in Oct. 2012. Interestingly, the abuse of TTY services also was cited in several SWATting cases involving disputes over Xbox Live players in Washington and Florida in 2011 and 2012. As the Seattle Post Intelligencer reported in 2011, disgruntled hackers have been directing SWAT attacks against Microsoft employees who enforce Xbox Live gaming rules. Those attacks also involved the abuse of TTY services.

I sincerely hope law enforcement authorities apprehend those responsible for these reprehensible attacks. They are of course extremely dangerous, but they also cost taxpayers plenty: The FBI estimates that each SWATting incident costs emergency responders approximately $10,000. Taxpayers also pay for the abuse of TTY services, which are reimbursed by the federal government. In 2012, the FCC stated that the average cost of an interstate or intrastate ip-relay call was about $1.29 per minute.

31 thoughts on “SWATting Incidents Tied to ID Theft Sites?”

  1. Haggis

    Good write-up, thanks for the info. Let’s hope the little scumbag gets what’s coming to him.

    1. JimV

      Let’s certainly hope he learns a really good lesson out of the experience, and decides to reduce his sentence by assisting the authorities in taking down the entire chain of miscreants involved in all the other roles.

  2. Barbara B

    So sorry to hear you’re being picked on, Brian, when all you do is good and for the good of others.

  3. Old School

    “Perhaps the most frustrating aspect of the abuse of TTY services for fraud stems from the rules under which these relay services must operate, rules that practically guarantee the services will be abused by fraudsters.” Those who wish to have the FCC rules modernized so that these dangers can be eliminated should send their opinions and ideas to their representative in the United States House of Representatives ( http://www.house.gov/representatives/find/ )

  4. Lawrence

    As always, a very informative article. Sorry to hear you have been going through all this crap.

    The amazing thing is that these ssndob sites are easily found by just searching in google. After reading this article, I did a quick search in Google and a few sites popped up on the first page. I would have thought they would try to keep themselves out of the index or that Google would delist criminal sites like these.

    I registered with a fake account at one of these and did a fake search. Nothing came up, but I’m not sure I was at the “legit” one that you reference in this article, and I didn’t try too hard.

    Good luck with everything you are going through.

  5. New sherlock holmes

    How come — “Many readers have been asking for an update on the ‘SWATting’ incident” — but you only have 6 comments since April 14? Have you been drinking some of that fire water lately, Brian? It looks like no one cares at all. Just you. We all knew from the start that it was some kid (who else would do something like that). We used to do it at school just to get a day off.

    Brian you need to change your name to Sherlock Holmes .))

    1. Neej

      “I sincerely hope law enforcement authorities apprehend those responsible for these reprehensible attacks.”

      Amen to that.

    2. Neej

      “It Looks like no one cares at all”

      And yet here you are …

    3. Timothy J. McGowan

      I suspect Brian may have an e-mail address or phone number or two.

    4. meh

      Most people don’t leave a comment on everything they read. I often look at hundreds of news articles a day, but only the most blatantly wrong or biased are worth the time of posting a reply to.

      This seems to be a common sort of occurrence these days, with any service that can be abused getting taken advantage of. It is ironic that most of the folks doing this kind of thing are probably sitting at home, in a house their parents worked very hard to pay for, and will face higher taxes because of the waste and abuse of their kids. Few people who pay any substantial taxes are going to go out of their way to waste money and increase their own tax bills in the process.

  6. voksalna

    Brian, I too was under the impression that Stevenson was being hounded or set up by his “old friends” who’d turned on him after all I’d read — likely after his public outings with Honan. This seems to be happening more and more nowadays (maybe they get jealous of each others’ “attention getting”?), the only variable seeming to be — some were and some were not involved in this sort of activity before they get ‘set up’. Him getting ‘raided’ or whatever it is called was a matter of time. In a way maybe it’s another form of inciting ‘swatting’, this doxing of each other?

    1. voksalna

      Re-reading this, I realise I come across differently than I meant to. SWATting is never good or appropriate, nor was I saying he was blameless. I was meaning to bring up the fact that everyone seems to be escalating based on politics and trying to outdo one another. SWATting is stupid and dangerous.

  7. anonymous

    There’s also a hidden service with celeb and other people’s info. I forget the .onion name, but it has dox in the name.

  8. pablo

    It sounds like you don’t approve of attacks from criminals,
    but it is OK from corporations injecting JavaScript, decrypting private messages and who knows what else (Comcast, Nokia and a host of others come to mind).

    I like the great work that you do, but sometimes it is a little lopsided.

    Illegal work is illegal and you should report it.

    the are no almost virgens

  9. bh

    “the are no almost virgens” – pablo, at least on Xbox live, I can promise you: they are *all* virgins …

  10. Inside Job

    What about the Boston bombing, was it the CIA again??
    I THINK SO. Investigate that, Brian, that will keep you busy. It’s a bit more complicated than trying to lock up some kid for calling the cops on you, but you will love it. I think.

    I’ll give you a hint.
    BPD had some bomb drills that day in that area; again, sounds just like 9.11.01 to me.

    P.S. Then suppress the rights of Americans even more. Enjoy.

  11. Gem

    exposed.re gets service from Cloudflare. They ought to get the McColo treatment for knowingly providing service to miscreants.

    1. Gem

      Over 48 hours later, Cloudflare is still providing service to exposed.re. Definitely bulletproof.

  12. meh

    Relay service, huh. I worked for one of those for a couple of months – they encourage abuse since they get paid by the call whether the calls are legitimate or not. The vast majority of calls they create are prank calls or used for illicit/illegal purposes. Because of the FCC, employees are not allowed to ditch the call unless approved by someone else, and that usually takes anywhere from 5-20 minutes to get around to looking at it.

    Ranks up there as one of the worst jobs I ever tried, and I can’t say I am very surprised to hear about this kind of abuse with how their policies were. Similar to how lax bank rules encourage cyber thefts, lax verification and paid to look the other way business models encourage abuse as well.

  13. voksalna

    Everybody seems to be very much for limiting TTY services, but it’s not only the deaf that use them. Uninvolved text-only intermediaries can be invaluable aids for people who are dealing with abusive spouses, who have mind-crushing panic attacks, social phobia, or who desperately need to make an emergency contact without making any sound. Another instance might be if you are sick and temporarily cannot speak or hear and need help badly. In other words, just because people are not deaf does not mean that it is not being used for something legitimate, or even life-saving.

    Once again, this is a case of abusive assholes ruining a valuable public service for everybody else.

    Like many people in the world now, I have friends all over. I have heard good and bad.

  14. voksalna

    I mention this because having to ‘register’ for a TTY service has no doubt already caused much hardship for anyone wanting to make a *legitimate* use of such, while people who are abusive often don’t have to worry about any of that because they can do whatever they want.

  15. voksalna

    Also: You are moderating now? Did something happen?

  16. LC

    One other problem that comes with people using the relay service for scams, SWATing, etc.: people come to assume that any call through the relay is a scam. As a result, I’ve been hung up on by a pizza place when I wanted to order, my wife wasn’t able to schedule an appointment for an oil change, etc. If the relay system can find a way to stop the abuse, it’ll help those who really do need it!

    1. Gem

      Just curious, why do you “need” as you put it, a relay system to order a pizza? Is pizza banned in your country?

      1. BrianKrebs Post author

        Gem, are you being deliberately obtuse? Why do you think this reader and his wife might need a relay service?

      2. LC

        Because we are deaf people who use the relay for its INTENDED use. And we are US citizens who live in the US. You show the exact problem that we, and many other deaf people have. Because people from inside and outside the US abuse the system in a completely unintended way, you, and many others, just assume that we are abusers of the system as well.

  17. Shawn Moylan

    I’ve enjoyed your blog for many years and recently started my own. I’ve seen, second hand, the violence associated with these groups played out in their home countries, and my peers and I often discussed how long it will be before the violence crosses over here. I’m glad things ended safely for you. Hopefully, it is many more years before the level of violence increases here.
