Pro tip: If you’re planning to launch a debilitating denial-of-service attack against your former employer, try not to “like” the Facebook page of the DDoS-for-hire Web service that you intend to use in the assault.
Tell that to Kevin Courtois, a 28-year-old from Three Rivers, Quebec who was arrested earlier this year for allegedly launching a volley of cyber attacks against his former company over a nine month period beginning in May 2012. Courtois did not respond to requests for comment.
Courtois’s former employer — Concepta Inc., an information security firm based in his hometown — was not the only one suffering from attacks. The assaults — which ranged in size from a few gigabits per second to up to 10 gbps — grew so large that they began significantly affecting Concepta’s Internet service provider — another Three Rivers company called Xittel. Eventually, the attacks shifted to targeting Xittel directly.
Xittel later hired Robert Masse, a security consultant from Montreal who spoke about the details of this case in a talk at the Black Hat security conference in Las Vegas last month. Xittel and Concepta compared notes and told Masse they’d settled on Cortois as the likely culprit. One potential clue: Cortois had left Concepta to start his own company that specialized in DDoS protection services.
Masse said when he began his investigation he noticed that Courtois had liked the Facebook page of demolitionstresser.com, a now defunct booter site that redirected him to….wait for it…ragebooter.net. For those of you who haven’t read my story on ragebooter.net and its proprietor Justin Poland, please check it out after reading this piece. In that story, Poland claimed to have been working for the FBI, and even to have backdoored his own service so that FBI agents could snoop on user activity.
Masse said he decided to contact Poland to see what he might be willing to disclose about any ragebooter.net customer who’d been using the service to launch attacks against Concepta and Xittel. Masse said he created an account at ragebooter.net, funded it with $200 via the site’s default payment method — Paypal — and then reached out to Poland via his support handle in Skype. Would Poland be willing to sell the logs of a particular customer? Say….anyone who happened to be currently using ragebooter to attack a certain Internet address block in Three Rivers, Quebec?
According to Masse, Poland initially replied that, why yes, there was an attack going on that very moment against that IP address. “For sure, this morning,” Poland wrote in a Skype chat. “First attack November 25 (2012).” Masse said Poland then pasted the account information for a user named…wait for it…”concepta2.” Concepta2 had signed up with ragebooter using the email address traverse2000@hotmail.com, according to the Ragebooter.net users database that was leaked earlier this year. A historic reverse WHOIS record lookup at domaintools.com, that email address was used to register at least 36 different Web sites, most of them originally registered to a Kevin Courtois from Quebec.
Masse said Poland quickly thought better of posting his customers’ information in a Skype chat with a stranger, and deleted the message a few seconds after he’d pasted it. But Masse was able to retrieve a copy of the message by dumping the memory cache for his Skype client on his OS X machine.
Masse also discovered that a person using the nickname “concepta” had posted on hackforums.net that he was looking to hire a DDoS botnet. With this and other information, Masse was able to get a civilian search warrant to seize and search the computers at Courtois’s residence. But Masse said when he arrived at Courtois’s home with local gendarmes, a bailiff and a locksmith, they found Courtois unbothered by the intrusion, almost like he was expecting it.
Masse and his employer maintain that Courtois had already hacked his former boss’s computer, and so knew in advance the day and the hour that the authorities were coming for him and his stuff.
“What’s funny is when we went to seize the hard drive, he didn’t look surprised because he hacked into the president of the company, so he knew that we were coming,” Masse said. “The funny part is that while he used data wiping software to wipe his drive, he only wiped the free space, but didn’t wipe his backups. That guy thought he was so smart, you should have seen the smirk on his face.”
Courtois was arrested for unauthorized computer use and for mischief to data. His trial is ongoing.
Heads-up: the English-speaking world in Canada doesn’t call it “Three Rivers”, we still call it Trois-Rivières.
Cow in trouble: It would Be-hoove him to to pay protection to the Moofia or a Cowtastrophe might occur.
Yaaaaay!
Thanks,………we need more puns, please,
Thank you. I was about to say the same thing. My ears are itchy after hearing “Three Rivers” and I’m an Anglophone, too. You’ll never guess what we Notre Dame. 🙂
It a catastrophe . My milk has gone sour .Can we Dddos my old farmer !? I pay you in milk .I still have 40 gallons in my fridge you know . Please help me . Moooo.
Moo. Moo moooo moomoo. Moooo moo mooo moo? ahhahaha
We need some “cybercrime” version of these ‘Darwin Awards’ I think.
I vote this becomes a new category/tag.
I second this.
Sounds like a plan. A Darwin Awards category sounds great. Heaven knows there are enough of those who deserve nominations.
Pwnie Awards already have a category for “Lamest Vendor Response”. “Lamest cybercrime” would be a logical addition.
“The funny part is that while he used data wiping software to wipe his drive, he only wiped the free space, but didn’t wipe his backups. That guy thought he was so smart, you should have seen the smirk on his face.”
– This is the best part… Brilliant.
I love reading every single new post from your blog.
It is very very valuable information, and what I like the most is you tell in detail, so I can get the whole picture.
Sometime, it looks like I’m reading somekind of detective novel. 🙂
Thank you.
Can anyone elaborate on how Mr. Massey “was able to retrieve a copy of the message by dumping the memory cache”? That sounds like a neat trick…
More than likely he brought in a laptop with a forensics kit on it. The abuser didn’t even think to shut the computer down, probably didnt even log off.
I am not sure of the software they would have used, but I would think it would be ENCASE forensics, Olly Debug, IDA Pro or something similar that was used.
Most use a suite of tools, but the ENCASE style products can retrieve alot of data.
More than likely it was ENCASE, FTK or similar. As for the memory cache itself it could have been that he didn’t log out and the live memory was dumped, or the hyperfil.sys. However it is more likely he just didn’t know about the Skype logs, which would have been stored in the backups under the userdata.
Hey guys, Rob here.
Much simpler to get the memory – I used OSXPMEM. I didn’t want to image my workstation and Encase it and needed a simple solution.
https://twitter.com/rob_masse
🙂 awesome
IT (engineer like qualities)+(higher) IQ = Brilliant.
(seriously) Lack one of those and the thought process not be the best. Backing up evidence that can be used against you is nothing less than a pure retardation move.
One would think, if your going to do things that aren’t the best in the world of IT, you would have a workstation/laptop with a removable drive. Why sit back and think you have a solution when there are alot more people and services out there that can out smart most.
I was going to post some of the “solutions” that I have seen to make evidence gathering a living hell, but decided against it.
I have seen, and heard of a lot of solutions to avoid the reuse of information and some of the “solutions” either worked perfectly, or failed miserably.
And this guy was going to host a business? I guess most of his fall back plans most of had 1 or 2 steps – maybe 3 at most, then he gets confused. Some people are just not cut out for an IT position, and IMO, this guy seems to be one of them.
One simple three letter word comes to mind for his immediate reaction to them finding the data untouched.
DOH !
Yeah it’s pretty mind boggling to me that he signed up for the ddos service with an email he’s used in the past tied to his offline identity. And he works in infosec
Also interesting how forthcoming/cooperative the ddos service provider was
You’d be amazed at how often the miscreants do this. Or they use something tied to a social media site…with their full name. They’re as lazy as the next person.
Just goes to show there is no honor among thieves.
And you know that Courtois means courteous, mannerly…
Excellent read! I feel like there should be a cyber crime version of “The World’s Dumbest Criminals” from stories this good.
Side note: you use “Masse” in the first few paragraphs before it switches to “Massey.” Took me a minute to figure out.
Remember boys and girls… when using drive/data wiping software remember you have the correct settings at all times so you can wipe the correct data you mean too, not everything BUT the data … silly
PS – never keep a backup of your black hat system … just sayin… LOL
Very funny, would have loved to see his face after the cops told him what he did… better than the smirk… would be a great picture to submit as Exhibit A in trial… “your honor, want to put on record the defendants face when we told him he was not that bright on settings when trying to wipe data” … 🙂
Nice! hahah Some of these guys are too arrogant for their own good.
Great article – thanks for sharing.
In the 9th paragraph, second sentence – may want to add a “d” to the 3rd word. “With this and . . .”
Hi
The Blackhat presentation can be downloaded here, lots more screenshots and details:
https://media.blackhat.com/us-13/US-13-Masse-Denial-of-Service-as-a-Service-Slides.pdf
Rob
https://twitter.com/rob_masse
Ha, he deserves to be caught if he can’t even wipe his hard drive correctly.
Technically he did wipe his hard drive correctly… he just didn’t destroy his backups. Which is even more of a dunderheaded move than attacking a former/current employer (if anyone wants continued employment in the IT field… never do that).
“With this an other information”
nice typo
*DDOS = Distributed Denial of Service
Definitely not one of the smartest ways to do this, don’t want to be leaving any footprints.
Careless and foolish of the cyber criminal to like the site on facebook doing the DDOS attacks .
Just goes to show you human error and deductive reasoning is still the best method of catching criminals.
Find out who has a motive and check them out.
BWAHAHAHAHAHAHAHAHAHAAHAHA!!!!!!! 😀 :v
Early CIA efforts focused on LSD, which later came to dominate many of MKUltra’s programs. Technical Services Staff officials understood that LSD distorted a person’s sense of reality, and they felt compelled to learn whether it could alter someone’s basic loyalties.[30] The CIA wanted to know if they could make Russian spies defect against their will and whether the Russians could do the same to their own operatives.[30]
say cia?
say nsa?
say fbi?
OPEN YOU EYES THEY COME
There are a number of interlocking systems, technologies and techniques which are currently being deployed against the citizens of the United States of America by certain segments of our national government.
First, there are literally COUNTLESS mind-control projects and sub-projects in operation at this time which target SPECIFIC subjects/victims in a variety of ways; using one or more of a number of technologies such as drugs, (ritual) psycho-sexual abuse, a vast panoply of different EM/RF mind control technologies, repetitive conditioning, hypnotic trance induction, and so on and on and on.
Reliable reports from MANY different sources indicate that as many as TEN MILLION individuals many be ACTIVE subjects/victims of these kinds of mind control activities, and huge quantities of hard documentation on a great many of these projects DOES exist.
However, in addition to these kinds of mind control operations, there are ALSO mind control and mind manipulation activities that target MASSES of people in large geographical regions at the same time. Indeed, there is VERY strong evidence that the operators of HAARP for example, have ever since HAARP’s earliest days intended that it be used for, among many other things, GLOBAL mind control.
There is in FACT much evidence to show that HAARP is NOW being used for just such utterly evil purposes by the United States federal government.
And yet somehow you’re so special that you escaped the mind control and are able to tell us all about it. Thank God for that!
mind control? hahah ya its called advertising and marketing. Its also called news media and you really eat it all up…
Holy shit ^
Did we notice how my name is marked out threw the whole image? This leads me to believe krebs is making up things again. However I care less the proof above is fake and not legitable.
Get a life krebs.
http://prntscr.com/1ms5t2
That photo shows no user with any ip he gave was blacklisted on my services.
On the contrary I say this was excellent IT work: up to date backups that can be used in case of primary storage loss.
Point take — Don1t forget to destroy your back up if you up to no good !!!
“Darwin Awards” require the recipient to die or at least to become incapable of breeding as a result of his special type of stupidity. Stupid cybercriminals tend to be the gift that keeps on giving, unfortunately. But we definitely need a tag for the stories of their adventures.
As far as Concepta, how did they hire this guy in the first place?
Nice investigation. Offering DDoS atacks and taking PayPal and using Skype seems strange …
“Vanity…my favorite sin” – Lucifer/Al Pacino, The Devil’s Advocate
Hey could you tell us how you went about doing the memory dump and decoding it?
Thanks,
Josh