Pro tip: If you’re planning to launch a debilitating denial-of-service attack against your former employer, try not to “like” the Facebook page of the DDoS-for-hire Web service that you intend to use in the assault.
Tell that to Kevin Courtois, a 28-year-old from Three Rivers, Quebec who was arrested earlier this year for allegedly launching a volley of cyber attacks against his former company over a nine month period beginning in May 2012. Courtois did not respond to requests for comment.
Courtois’s former employer — Concepta Inc., an information security firm based in his hometown — was not the only one suffering from attacks. The assaults — which ranged in size from a few gigabits per second to up to 10 gbps — grew so large that they began significantly affecting Concepta’s Internet service provider — another Three Rivers company called Xittel. Eventually, the attacks shifted to targeting Xittel directly.
Xittel later hired Robert Masse, a security consultant from Montreal who spoke about the details of this case in a talk at the Black Hat security conference in Las Vegas last month. Xittel and Concepta compared notes and told Masse they’d settled on Cortois as the likely culprit. One potential clue: Cortois had left Concepta to start his own company that specialized in DDoS protection services.
Masse said when he began his investigation he noticed that Courtois had liked the Facebook page of demolitionstresser.com, a now defunct booter site that redirected him to….wait for it…ragebooter.net. For those of you who haven’t read my story on ragebooter.net and its proprietor Justin Poland, please check it out after reading this piece. In that story, Poland claimed to have been working for the FBI, and even to have backdoored his own service so that FBI agents could snoop on user activity.
Masse said he decided to contact Poland to see what he might be willing to disclose about any ragebooter.net customer who’d been using the service to launch attacks against Concepta and Xittel. Masse said he created an account at ragebooter.net, funded it with $200 via the site’s default payment method — Paypal — and then reached out to Poland via his support handle in Skype. Would Poland be willing to sell the logs of a particular customer? Say….anyone who happened to be currently using ragebooter to attack a certain Internet address block in Three Rivers, Quebec?
According to Masse, Poland initially replied that, why yes, there was an attack going on that very moment against that IP address. “For sure, this morning,” Poland wrote in a Skype chat. “First attack November 25 (2012).” Masse said Poland then pasted the account information for a user named…wait for it…”concepta2.” Concepta2 had signed up with ragebooter using the email address email@example.com, according to the Ragebooter.net users database that was leaked earlier this year. A historic reverse WHOIS record lookup at domaintools.com, that email address was used to register at least 36 different Web sites, most of them originally registered to a Kevin Courtois from Quebec.
Masse said Poland quickly thought better of posting his customers’ information in a Skype chat with a stranger, and deleted the message a few seconds after he’d pasted it. But Masse was able to retrieve a copy of the message by dumping the memory cache for his Skype client on his OS X machine.
Masse also discovered that a person using the nickname “concepta” had posted on hackforums.net that he was looking to hire a DDoS botnet. With this and other information, Masse was able to get a civilian search warrant to seize and search the computers at Courtois’s residence. But Masse said when he arrived at Courtois’s home with local gendarmes, a bailiff and a locksmith, they found Courtois unbothered by the intrusion, almost like he was expecting it.
Masse and his employer maintain that Courtois had already hacked his former boss’s computer, and so knew in advance the day and the hour that the authorities were coming for him and his stuff.
“What’s funny is when we went to seize the hard drive, he didn’t look surprised because he hacked into the president of the company, so he knew that we were coming,” Masse said. “The funny part is that while he used data wiping software to wipe his drive, he only wiped the free space, but didn’t wipe his backups. That guy thought he was so smart, you should have seen the smirk on his face.”
Courtois was arrested for unauthorized computer use and for mischief to data. His trial is ongoing.