31
Oct 16

Hackforums Shutters Booter Service Bazaar

Perhaps the most bustling marketplace on the Internet where people can compare and purchase so-called “booter” and “stresser” subscriptions — attack-for-hire services designed to knock Web sites offline — announced last week that it has permanently banned the sale and advertising of these services.

On Friday, Oct. 28, Jesse LaBrocca — the administrator of the popular English-language hacking forum Hackforums[dot]net — said he was shutting down the “server stress testing” (SST) section of the forum. The move comes amid heightened public scrutiny of the SST industry, which has been linked to several unusually powerful recent attacks and is responsible for the vast majority of denial-of-service (DOS) attacks on the Internet today.

The administrator of Hackforums bans the sale and advertising of server stress testing (SST) services, also known as "booter" or "stresser" online attack-for-hire services.

The administrator of Hackforums bans the sale and advertising of server stress testing (SST) services, also known as “booter” or “stresser” online attack-for-hire services.

“Unfortunately once again the few ruin it for the many,” LaBrocca wrote under his Hackforums alias “Omniscient.” “I’m personally disappointed that this is the path I have to take in order to protect the community. I loathe having to censor material that could be beneficial to members. But I need to make sure that we continue to exist and given the recent events I think it’s more important that the section be permanently shut down.”

Last month, a record-sized DDoS hit KrebsOnSecurity.com. The attack was launched with the help of Mirai, a malware strain that enslaves poorly secured Internet-of-Things (IoT) devices like CCTV cameras and digital video recorders and uses them to launch crippling attacks.

At the end of September, a Hackforums user named “Anna_Senpai” used the forum to announce the release the source code for Mirai. A week ago, someone used Mirai to launch a massive attack on Internet infrastructure firm Dyn, which for the better part of a day lead to sporadic outages for some of the Web’s top destinations, including Twitter, PayPal, Reddit and Netflix.

The Hackforums post that includes links to the Mirai source code.

The Hackforums post that includes links to the Mirai source code.

As I noted in last week’s story Are the Days of Booter Services Numbered?, many booter service owners have been operating under the delusion or rationalization that their services are intended solely for Web site owners to test the ability of their sites to withstand data deluges.

Whatever illusions booter service operators or users may have harbored about their activities should have been dispelled following a talk delivered at the Black Hat security conference in Las Vegas this year. In that speech, FBI Agent Elliott Peterson issued an unambiguous warning that the agency was prepared to investigate and help prosecute people engaged in selling and buying from booter services.

But it wasn’t until this month’s attack on Dyn that LaBrocca warned the Hackforums community he may have to shut down the SST section.

“I can’t image this attention is going to be a good thing,” Omni said in an October 26, 2016 thread titled “Bad things.” “Already a Senator is calling for a hearing on the Internet of Things [link added]. In the end there could be new laws which effect [sic] us all. So for those responsible for the attacks and creating this mess….you dun goofed. I expect a lot of backlash to come out of this.”

If LaBrocca appears steamed from this turn of events, it’s probably with good reason: He stands to lose a fair amount of regular income by banning some of the most lucrative businesses on his forum. Vendors on Hackforums pay fees as high as $25 apiece to achieve a status that allows them to post new sales threads, and banner ads on the forum can run up to $200 per week.

"Stickies" advertising various "booter" or "stresser" DDoS-for-hire services.

“Stickies” advertising various “booter” or “stresser” DDoS-for-hire services.

Vendors who wish to “sticky” their ads — that is, pay to keep the ads displayed prominently near or at the top of a given discussion subforum — pay LaBrocca up to $60 per week for the prime sticky spots. And there were dozens of booter services advertised on Hackforums.

Allison Nixon, director of security research at Flashpoint and an expert on booter services, said the move could put many booter services out of business.

Nixon said the average booter service customer uses the attack services to settle grudges with opponents in online games, and that the closure of the SST subforum may make these services less attractive to those individuals.

“There is probably a lesser likelihood that the average gamer will see these services and think that it’s an okay idea to purchase them,” Nixon said. “The ease of access to these booters services makes people think it’s okay to use them. In gaming circles, for example, people will often use them to DDoS one another and not realize they might be shutting down an innocent person’s network. Recognizing that this is criminal activity on the same level of criminal hacking and fraud may discourage people from using these services, meaning the casual actor may be less likely to buy a booter subscription and launch DDoS attacks.”

While a welcome development, the closure of the SST subforum almost seems somewhat arbitrary given the sheer amount of other illegal hacking activity that is blatantly advertised on Hackforums, Nixon said.

“It’s interesting the norms that are on this forum because they’re so different from how you or I would recognize acceptable behavior,” she said. “For example, most people would think it’s not acceptable to see booter services advertised alongside remote access Trojans, malware crypting services and botnets.”

Other questionable services and subsections advertised on Hackforums include those intended for the sale of hacked social media and e-commerce accounts. More shocking are the dozens of threads wherein Hackforums members advertise the sale of “girl slaves,” essentially access to hacked computers belonging to teenage girls who can be extorted and exploited for payment or naked pictures. It’s worth noting that the youth who was arrested for snapping nude pictures of Miss Teen USA Cassidy Wolf through her webcam was a regular user of Hackforums.

Hackforums users advertising the sale and procurement of "girl slaves."

Hackforums users advertising the sale and procurement of “girl slaves.”

Nixon said most Hackforums users are essentially good people who are interested in learning more about technology, security and other topics. But she said many of the younger, impressionable members are heavily influenced by some of the more senior forum participants, a number of whom are peddling dangerous products and services.

“Most of the stuff on Hackforums is not that bad,” Nixon said. “There are a lot of kids who are pretty much normal people and interested in hacking and technology. But there are also gangs, and there are definitely criminal organizations that have a presence on the forum that will try to enable criminal activity and take advantage of people.”

The removal of booter services from Hackforums is a gratifying development for me personally and professionally. My site has been under near-constant attack from users of these booter services for several years now. As a result, I have sought to bring more public attention to these crooked businesses and to the young men who’ve earned handsome profits operating over the years. Here are just a few of those stories:

Stress Testing the Booter Services, Financially

Are the Days of Booter Services Numbered?

Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years

Ragebooter: Legit DDoS Service, or Fed Backdoor?

DDoS Services Advertise Openly, Take PayPal

Booter Shells Turn Web Sites Into Weapons

Spreading the DDoS Disease and Selling the Cure

Lizard Stresser Runs on Hacked Home Routers

The New Normal: 200-400 Gpbs DDoS Attacks

Tags: , , , , , , , , , , , , , , , ,

33 comments

  1. IRS ITUNE cards

    Great article

  2. While it’s great that this site is taking action, I feel it’s only because they were directly tied to the botnet source. I am hopeful that other forums follow suit, but their incentive to do so isn’t as great.

  3. I think the reason they are closing out those areas is because of all the attention to them will bring in the FBI, etc. Once they start investigating the booters, they will not stop there and everyone there will be at risk. Good riddance.

  4. Heat is probably getting too close!

  5. While it will perhaps ‘steer’ some people away from this type of attack– the ones who DO support it– or make money from it– will start their own forums– or find other places to post / advertise. If they are drummed out of the “mainstream”– there is always the darkweb.
    So call me a cynic– the easiest way to defeat any obstacle is to go around it.
    I in NO way endorse this kind of activity– or support those who do. This is a minor setback for the bad guys–not the solution to the problem overall.

    I support you –and those like you, Brian because you help to keep the less tech-savvy among us informed about the dangers lurking in the shadows, online.
    Great information as always…

  6. This is a huge development in the stresser world. This was probably the largest market for stresser services. Only a handful of the stressers on Hackforums could really do any damage, but still. This is going to leave a hole in the market and I think a new more lawless and popular forum will rise, probably putting Hackforums out of business.

  7. Of course it is gratifying to see this action. Unfortunately, it does nothing to remediate the vast numbers of easily exploitable machines and devices that continue to be added to the Internet’s already vast supply, day by day. This is the more important problem to solve, and almost nobody is addressing it.

  8. Carve another notch on your keyboard Brian; another problem area bites the dust (for now). Every since this ioT malware hit, the internet has been slowing almost to dial-up speeds in my area. If it weren’t for your efforts, we would end up with an unusable important part of our lives.

    Kudos to you SIR!!

  9. Great article, and even better to see that this site continues to weather the storms.

    Agreement on universal standards regarding device security is possible… at least it will be when all manufacturers understand that their participation is required. However as long as security features are subjected to cost-cutting measures overseas, they probably aren’t too concerned.

  10. Robert Scroggins

    Good news! I imagine the attention brought by Brian Krebs also helped the owner in making this decision.

    This could signal the start of a better world wide web!

    Regards,

  11. This does help eliminate the availability of stressers but at the same time does not stop them

    Multiple Dark Web Markets offer the use of these stressers payment by Bitcoin only and what you do with the program is your business.

    Its a never ending battle against Cyber Crime, maybe the good side will win?

  12. LaBrocca should have left them alone. At least we knew where to find and monitor them. Instead, when he shuttered the SST forum, he just scattered them – until they find another place to live. And now the game of Whac-a-Mole starts.

  13. Hacking was old time story…. forums are closed security is tight.
    Its pointless waste of time!

  14. What are people who legitimately need to stress test their sites supposed to do? Are there legitimate stress test services that try to verify that their services aren’t being used for nefarious purposes?

    • I can’t imagine a single valid use case for these “stress” testers. Companies would make this part of their research on their appropriate hoster and any really big or targeted company will pay an independent test lab to do their testing.

    • Matt K:
      There are plenty of legitimate web site performance and monitoring services. Check Google. They don’t need to advertise on hacker forums. I am sure they have their a$$es covered legally and ensure you own the server being tested.

    • There are none. Absolutely nobody legitimately “stress tests” their services in this fashion. Anyone who has a legitimate need to test their services against a volumetric attack will do so in a testing environment over a private network, not the public Internet.

  15. cat & paste
    right-click, rename

    Whatever this may look like, don’t be fooled. This does not translate to “gone”.

    We shall see.

  16. Were their any firefighters at the Library at Alexandria? Brian your Journalism shines a light on the arsonist among us, free & open access to information for all of us is at risk. The Web is the driver now of Human progress. Just a User who see’s the difference. Old age brings reflection & enlightenment.

  17. Like, another said, now they go underground. Now, you have no known link to the black hats. Where do you go? To find their next form of attack? Sun su said know your foe, that includes where to find them, and how to fight them. They have disappeared, not died, fallen back to regroup. Where?

  18. FYI Brian, minor misspelling in the line “Most of the stuff on Hackforuns is not that bad” – you’ve got an “n” instead of an “m” there.

    Anyway, excellent article. I need to buy stocks in popcorn manufacturers for all the enjoyment we’re getting over watching the backlash in the blackhat hacking community following your DDoSing.

    Shockingly, the whitehats don’t take kindly to script kiddies targeting one of their own, and have far more resources to do something about it. I haven’t had this much fun since the downfall of Prenda.

  19. Hackforuns knows that they are going to get hammered with one of these: ” Interrogatory and Document Request… Attorney General..seeks information or documents…”

    By shutting down the booter section, that will make it easier to respond to a targeted law enforcement request. If Hackforuns is lucky, the request will be specific to that one section. That’s probably the motivation here. Otherwise, Hackforuns could get a “open the kimono” experience.

  20. Nixon is too flattering. A very large number of the members at this site are misfits that are socially inept and seeking acceptance online they cannot get elsewhere. It is sad but if their type were not put down and excluded in middle school and high school they would not be seeking acceptance online and as a result be vulnerable to the crooks that prey on them. Too much of what they do is a result of this need for acceptance in the physical world.

  21. The concept of extorting young women in such a manner disgusts me beyond all belief. These people should be hunted and have their homes burned. Absolute Machiavellian infiltration followed by total war. This is unbelievable.

  22. It just struck me: what we’re looking at are two kinds of parasites. The “intelligent” one, that feeds off its host, and can reach a level of stability. (Back when I was first studying programming, you could always tell when my instructor was teaching Fortran – middle of the term, he’d always assign the problem of simulating fleas on a dog: at what point does the dog scratch the fleas, at what point do the fleas scratch the dog, and at what point to the reach an uncomfortable survivable level.)

    The stressors are the stupid parasites, that kill the host… leaving themselves nothing to feed on.

  23. The sale and advertising of these websites should be banned. Companies like this are dangerous and what’s wrong with the internet today…

  24. LOL @ the optimists here. Yes these script kiddies not being able to DoS other players they’re mad at for being better than them is really gonna save the internet!

    haha this is completely irrelevant, there’s this tool called Google. It’s a lot better at finding you a booter service and a forum with a bunch of kids dreaming about banging Angelina Jolie in Hackers.

  25. Anna-Senpai seems back!

    Mirai runs hidden behind a new network prefix at dataflow.su
    Read how we discovered where one of the Mirai C2 is hidden and how new network prefixes and fake ASNs are used by bulletproof hosters. Check how routing announcements are pushed from hidden locations, RIPE objects are created with fake documents and how a “grocery store” got the IP space!

    http://www.spoofit.org/mirai-hidden-behind-dataflow/

  26. That’s a skillful answer to a dicufiflt question

  27. It’s very surprising to me that running a site like Hackforums seems to be perfectly legal as it stays online and mr. LaBrocca is not arrested despite not hiding his identity in any way.

    Obviously, he is closing the “booter” section to avoid extra attention by law enforcement, but the site is surely full of other less-than-legal stuff going on.

  28. Hi everyone~ Just to be clear – we aren't in this for the 100 days straight, and I didn't read the book. I read an article about the book which inspired me to ask the Lord to show us how we could bless our marriage in a similar way. He led us to set a goal of 4-5 days out of 7. That gave us room to rest, and to adjust for the monthly cycle. I'm not endorsing this book, or 100 days straight. My point in this is that making the commitment to each other to connect this way on a consistent and regular basis has been the blessing to our marriage.Blessings to each of you Engedis…Jennifer