13
Dec 14

SpamHaus, CloudFlare Attacker Pleads Guilty

A 17-year-old male from London, England pleaded guilty this week to carrying out a massive denial-of-service attack last year against anti-spam outfit SpamHaus and content delivery network CloudFlare, KrebsOnSecurity has learned.

narko-stophausIn late March 2013, a massive distributed denial-of-service (DDoS) attack hit the web site of SpamHaus, an organization that distributes a blacklist of spammers to email and network providers. When SpamHaus moved its servers behind CloudFlare, which specializes in blocking such attacks — the attackers pelted CloudFlare’s network. The New York Times called the combined assault the largest known DDoS attack ever on the Internet at the time; for its part, CloudFlare dubbed it “the attack that almost broke the Internet.”

In April 2013, an unnamed then-16-year-old male from London identified only by his hacker alias “Narko,” was arrested and charged with computer misuse and money laundering in connection with the attack.

Sources close to the investigation now tell KrebsOnSecurity that Narko has pleaded guilty to those charges, and that Narko’s real name is Sean Nolan McDonough. A spokesman for the U.K. National Crime Agency confirmed that a 17-year-old male from London had pleaded guilty to those charges on Dec. 10, but noted that “court reporting restrictions are in place in respect to a juvenile offender, [and] as a consequence the NCA will not be releasing further detail.”

During the assault on SpamHaus, Narko was listed as one of several moderators of the forum Stophaus[dot]com, a motley crew of hacktivists, spammers and bulletproof hosting providers who took credit for organizing the attack on SpamHaus and CloudFlare.

WHO RUNS STOPHAUS?

It is likely that McDonough/Narko was hired by someone else to conduct the attack. So, this seems as good a time as any to look deeper into who’s likely the founder and driving force behind the Stophaus movement itself. All signs point to an angry, failed spammer living in Florida who runs an organization that calls itself the Church of Common Good.

cocg-fbNot long after McDonough’s arrest, a new Facebook page went online called “Freenarko,” which listed itself as “a solidarity support group to help in the legal defense and media stability for ‘Narko,’ a 16-yr old brother in London who faces charges concerning the Spamhaus DDoS attack in March.”

Multiple posts on that page link to Stophaus propaganda, to the Facebook page for the Church of the Common Good, and to a now-defunct Web site called “WeAreHomogeneous.org” (an eye-opening and archived copy of the site as it existed in early 2013 is available at archive.org; for better or worse, the group’s Facebook page lives on).

The Church of Common Good lists as its leader a Gulfport, Fla. man named Andrew J. Stephens, whose LinkedIn page says he is a “media mercenary” at the same organization (hours after this story was posted, large chunks of text were deleted from Stephens’ profile; a PDF of the original profile is here).

Stephens’ CV lists a stint in 2012 as owner of an email marketing firm variously called Digital Dollars and IBT Inc, moneymaking schemes which Stephens describes as a “beginner to intermediate level guide to successful list marketing in today’s email environment. It incorporates the use of both white hat and some sketchy techniques you would find on black hat forums, but has avoided anything illegal or unethical…which you would also find on black hat forums.”

More recent entries in Andrew’s LinkedIn profile show that he now sees his current job as a “social engineer.” From his page:

“I am a what you may call a “Social Engineer” and have done work for several information security teams. My most recent operation was with a research team doing propaganda analysis for a media firm. I have a unique ability to access data that is typically inaccessible through social engineering and use this ability to gather data for research purposes. I have a knack for data mining and analysis, but was not formally trained so am able to think outside the box and accomplish goals traditional infosec students could not. I am proficient at strategic planning and vulnerability analysis and am often busy dissecting malware and tracking the criminals behind such software. There’s no real title for what I do, but I do it well I am told.”

Turns out, Andrew J. Stephens used to have his own Web site — andrewstephens.org. Here, the indispensable archive.org helps out again with a cache of his site from back when it launched in 2011 (oddly enough, the same year that Stophaus claims to have been born). On his page, Mr. Stephens lists himself as an “internet entrepreneur” and his business as “IBT.” Under his “Featured Work” heading, he lists “The Stophaus Project,” “Blackhat Learning Center,” and a link to an spamming software tool called “Quick Send v.1.0.”

Stephens did not return requests for comment sent to his various contact addresses, although a combative individual who uses the Twitter handle @Stophaus and has been promoting the group’s campaign refused to answer direct questions about whether he was in fact Andrew J. Stephens.

Helpfully, the cached version of Andrewstephens.org lists a contact email address at the top of the page: stephensboy@gmail.com (“Stephensboy” is the short/informal name of the Andrew J. Stephens LinkedIn profile). A historic domain registration record lookup purchased from Domaintools.com shows that same email address was used to register more than two dozen domains, including stophaus.org and stopthehaus.org. Other domains and businesses registered by that email include (hyperlinked domains below link to archive.org versions of the site):

-“blackhatwebhost.com“;
-“bphostingservers.com” (“BP” is a common abbreviation for “bulletproof hosting” services sold to -spammers and malware purveyors);
-“conveyemail.com”;
-“datapacketz.com” (another spam software product produced and marketed by Stephens);
-“emailbulksend.com”;
-“emailbulk.info”;
-“escrubber.info” (tools to scrub spam email lists of dummy or decoy addresses used by anti-spam companies);
-“esender.biz”;
-“ensender.us”;
-“quicksendemail.com“;
-“transmitemail.com”.

The physical address on many of the original registration records for the site names listed above show an address for one Michelle Kellison. The incorporation records for the Church of Common Good filed with the Florida Secretary of State list a Michelle Kellison as the registered agent for that organization.

Andrew's Skype profile, where he uses another of his favorite nicknames, "eDataKing"

Andrew’s Skype profile, where he uses another of his favorite nicknames, “eDataKing”

Putting spammers and other bottom feeders in jail for DDoS attacks may be cathartic, but it certainly doesn’t solve the underlying problem: That the raw materials needed to launch attacks the size of the ones that hit SpamHaus and CloudFlare last year are plentiful and freely available online. As I noted in the penultimate chapter of my new book — Spam Nation (now a New York Times bestseller, thank you dear readers!), the bad news is that little has changed since these ultra-powerful attacks first surfaced more than a decade ago.

Rodney Joffe, senior vice president and senior technologist at Neustar –a security company that also helps clients weather huge online attacks — estimates that there are approximately 25 million misconfigured or antiquated home and business routers that can be abused in these digital sieges. From the book:

Most of these are home routers supplied by ISPs or misconfigured business routers, but a great many of the devices are at ISPs in developing countries or at Internet providers that see no economic upside to spending money for the greater good of the Internet.

“In almost all cases, it’s an option that’s configurable by the ISP, but you have to get the ISP to do it,” Joffe said. “Many of these ISPs are on very thin margins and have no interest in going through the process of protecting their end users— or the rest of the Internet’s users, for that matter.”

And therein lies the problem. Not long ago, if a spammer or hacker wanted to launch a massive Internet attack, he had to assemble a huge botnet that included legions of hacked PCs. These days, such an attacker need not build such a huge bot army. Armed with just a few hundred bot- infected PCs, Joffe said, attackers today can take down nearly any target on the Internet, thanks to the millions of misconfigured Internet routers that are ready to be conscripted into the attack at a moment’s notice.

“If the bad guys launch an attack, they might start off by abusing 20,000 of these misconfigured servers, and if the target is still up and online, they’ll increase it to 50,000,” Joffe said. “In most cases, they only need to go to 100,000 to take the bigger sites offline, but there are 25 million of these available.”

If you run a network of any appreciable size, have a look for your Internet addresses in the Open Resolver Project, which includes a searchable index of some 32 million poorly configured or outdated device addresses that can be abused to launch these very damaging large-scale attacks.

Tags: , , , , , , , , ,

31 comments

  1. Congrats on the NYT Best Seller list — #4 !!!! you must have had a VERY successful book tour in November. I know it had a great launch in Chicagoland….!

  2. Record back to 2011: http://usenetharvested.wordpress.com/tag/stophaus/

    At one time there were also ROKSO public records.

  3. I love it when the trail of breadcrumbs leads back to someone in the US. Hopefully enough to place handcuffs on him!

  4. According to Facebook Stephens now lives in a converted bus running other hilarious dead-end scams. Others you missed are Sven Olaf Kamphuis (although he denies being involved despite being a participant in stophaus) along with spammers and spam supporters from Russia, Florida, and Texas whose names will likely come out as the heat builds.

  5. Dr. Zackary Smith

    Real good investigative article

  6. Its all a bunch of miscreants who if not doing this would just be out raping and pillaging across the countryside. I’m not so sure you can stop theses people once they’ve found something they are good at and its up to the Internet to develop into a more robust structure instead. Not that you don’t put the few that you do catch away for a while.

  7. Brian, why has the title of the article changed from the one I received in my subscriber email?

  8. Michelle Kellison is the common-law-wife of Andrew Jacob Stephens. SpamDrew he uses her to register his various shill, err shell companies.

    http://search.sunbiz.org/Inquiry/CorporationSearch/SearchResults/OfficerRegisteredAgentName/KELLISON%20MICHELLE/Page1

  9. Holy God, that was an impressive article, lol!

    I’ve never seen any website writes such a detailed report. This is awesome.

    Most of them are like “the correspondent said, and the officials said”. Not a single extra click of their own efforts.

    Thank you, sir, for delivering such an enticing read.

  10. Sounds like we need to set up a system of “fuses” to make sure that any such attack will knock out the connections between irresponsible ISPs (and/or nations) and the rest of the internet before it knocks out the internet as a whole. (But I don’t know enough about the large-scale structure involved to say whether that is actually plausible. I’m guessing if we can’t even implement RPKI to prevent route hijacking, we probably can’t do this either.)

  11. The eye-opener to me was not the “We Are Homogeneous” website, but the “My Story” page of Mr. Stephens’ own website, as cached on archive.org. It is a sad, sad history going back literally to his infancy. Combine that with the LinkedIn profile that Brian has cached here, and I’m not surprised that Mr. Stephens is now “living in a converted bus.” Put it all together, and I seriously doubt that this gentleman [?] was ever able to hire anyone, in London or elsewhere, to conduct a DDoS attack on Spamhaus. Perhaps there was someone else involved?

    I know that there is a lot of money to be made through the seedy side of the internet, but it doesn’t look like much of that money has reached, or ever will reach, the sunny shores of Gulfport, Fla.

    Also note that the corporate entities of the Church of Common Good and of the Homogenous Party, as well as a scooter business registered to Ms. Kellison, have been dissolved by the state of Florida due to failure to submit basic paperwork.

  12. Great investigative journalism as usual Brian, let’s hope Andrew Stephens gets what he deserves.

  13. Hello, just wanted to check that the URL is correct? As far as I was aware, the original charges were for computer misuse, fraud and money laundering offences?

  14. It will never cease to amaze me how many of these criminals end up in jail or with a criminal background. Another is branded as one not to trust.

    If they do it for the publicity, they simply crumble when the Feds stare them in the eye and say, you can have a trial and face 10+ years or, you can admit your guilt and get 1/3 to 1/2 of that, maybe even parole, if you spill your guts on everything you know.

    We’ve seen what other big shot cyber criminals have done to literally “save their behind” from serving hard time. They sing like canaries once the cold hard facts – and a jail cell is in their near future.

    Now the individual cannot be trusted on the good or dark side.

  15. Cloudflare gave a good presentation at Blackhat on the amplification attack that hit Spamhaus and ran down the how and the why of the attack and how their network by design de-amplified the traffic flood.

    I use that code and technique along with Open Resolver to check hosting providers prior to going with them. What sticks out to me is the disconnect between the contracting tenant who is reselling the hosting service and the data center who run the physical location. While the number of data points I have is small it seems that the tenant believed that the data center should be responsible for incoming data links and never checked that they were configured properly. It has occurred enough that it is worth screening hosters for.

    In one instance the company point person for their datacenter operations was a former military logistician, while excellent at procurement and details of contracts he had no background in IT, and it became apparent the company viewed their datacenter ops as a cost to be managed vs SAAS because they had default configurations and no on team security expert, only their own software experts. Just my 2 cents.

  16. Google image search for Michelle Kellison brings one image that looks like Andrew (as shown on the PDF of his profile) and a woman here: https://www.momtrusted.com/parents/17158

    On LinkedIn, here is an image of what appears to be the same woman who works for IBT, Inc. (a company mentioned in the story): https://www.linkedin.com/pub/michelle-kellison/43/141/983

  17. Nice work Brian, the stuff I love to read!

    Here is what is on the twitter page for the guy now:

    In preparation for a civil complaint against @briankrebs, we encourage other parties who have been libeled by this person to contact us.
    10:57 AM – 15 Dec 2014

    • Yes, Mr. Stephens frequently confuses “libel” with facts that he wishes were not true and/or not public.

      • Terry Middlebrook

        LOL! Brian, sometimes you just crack me up. How accurate yet succinct…

      • But…but…. You cant use my secrets even if i put my super secretz online.
        I…i.. Will tell someone maybe a cool guy from the cool blakhat site I know
        yeah he will listen to me

  18. Great article. I get the impression that if the Internet had not come along, with its unfortunate tolerance of scammers, Mr. Stephens and his ilk would be running sidewalk shell games and smoking cigarette butts. Bottom-feeders are bottom-feeders, regardless of any technical ability.

  19. It’s good that you decided to drop the salacious charge (against Narko) from the story, but I question why the minor’s real name is journalistically relevant. His home country has decided not to reveal it. Hackers’ real names aren’t important, anyway, as they sign their “work” by pseudonym.

  20. Bye Bye Sean!

    I hope you get the maximum sentence we can throw at you.

  21. This is crazy. I signed up with Cloudfare 2 weeks ago and since then our website have been found with spamming referalls……DO NOT USE THEM! however it could be statcounter too. I Do not trust ANY site on internet anymore

  22. I guess this is what alot of posters say about teaching your children. I mean hes only 16 its true, I dunno.

    I wish they would teach the ones that play video games about how to treat a video game with the same respect they would any sport or game in a public park. Noone needs a computer program to tell them human nature.

  23. We absolutely love your blog and find the majority of your post’s to be exactly I’m looking for.
    Does one offer guest writers to write content for you personally?
    I wouldn’t mind publishing a post or elaborating on a number
    of the subjects you write regarding here. Again, awesome blog!