December 13, 2016

Federal investigators in the United States and Europe last week arrested nearly three-dozen people suspected of patronizing so-called “booter” services that can be hired to knock targeted Web sites offline. The global crackdown is part of an effort by authorities to weaken demand for these services by impressing upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.

On Dec. 9, 2016, the U.S. Federal Bureau of Investigation (FBI) arrested Sean Sharma, a 26-year-old student at the University of California accused of using a booter service to knock a San Francisco chat service company’s Web site offline.

Sharma was one of almost three dozen others across 13 countries who were arrested on suspicion of paying for cyberattacks. As part of a coordinated law enforcement effort dubbed “Operation Tarpit,” investigators here and abroad also executed more than 100 so-called “knock-and-talk” interviews with booter buyers who were quizzed about their involvement but not formally charged with crimes.

Netspoof's DDoS-for-hire packages. Image: Samsclass.info.

Netspoof’s DDoS-for-hire packages. Image: Samsclass.info.

Stresser and booter services leverage commercial hosting services and security weaknesses in Internet-connected devices to hurl huge volleys of junk traffic at targeted Web sites. These attacks, known as “distributed denial-of-service” (DDoS) assaults, are digital sieges aimed at causing a site to crash or at least to remain unreachable by legitimate Web visitors.

“DDoS tools are among the many specialized cyber crime services available for hire that may be used by professional criminals and novices alike,” said Steve Kelly, FBI unit chief of the International Cyber Crime Coordination Cell, a task force created earlier this year by the FBI whose stated mission is to ‘defeat the most significant cyber criminals and enablers of the cyber underground.’ “While the FBI is working with our international partners to apprehend and prosecute sophisticated cyber criminals, we also want to deter the young from starting down this path.”

According to Europol, the European Union’s law enforcement agency, the operation involved arrests and interviews of suspected DDoS-for-hire customers in Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom, and the U.S. Europol said investigators are only warning one-time users, but aggressively pursuing repeat offenders who frequented the booter services.

“This successful operation marks the kick-off of a prevention campaign in all participating countries in order to raise awareness of the risk of young adults getting involved in cybercrime,” reads a statement released Monday by Europol. “Many do it for fun without realizing the consequences of their actions – but the penalties can be severe and have a negative impact on their future prospects.”

The arrests stemmed at least in part from successes that investigators had infiltrating a booter service operating under the name “Netspoof.” According to the U.K.’s National Crime Agency, Netspoof offered subscription packages ranging from £4 (~USD $5) to £380 (~USD $482) – with some customers paying more than £8,000 (> USD $10,000) to launch hundreds of attacks. The NCA said twelve people were arrested in connection with the Netspoof investigation, and that victims included gaming providers, government departments, internet hosting companies, schools and colleges.

The Netspoof portion of last week’s operation was fueled by the arrest of Netspoof’s founder — 20-year-old U.K. resident Grant Manser. As Bleeping Computer reports, Manser’s business had 12,800 registered users, of which 400 bought his tools, launching 603,499 DDoS attacks on 224,548 targets.

Manser was sentenced in April 2016 to two years youth detention suspended for 18 months, as well as 100 hours of community service. According to BC’s Catalin Cimpanu, the judge in Manser’s case went easy on him because he built safeguards in his tools that prevented customers from attacking police, hospitals and government institutions.

ANALYSIS

As a journalist who has long sought to expose the booter and stresser industry and those behind it, this action has been a long time coming. The past three to four years have witnessed a dramatic increase in the number and sophistication of booter services.

In September 2016, this site was the recipient of a record-sized DDoS attack that knocked this site offline for several days. The attack came hours after a story I wrote about the now-defunct booter service vDOS was punctuated by the arrest of two 18-year-old Israeli men allegedly tied to the business. I was able to track them down because vDOS had been massively hacked, and huge troves of data from the service’s servers were shared with KrebsOnSecurity.

vDOS had been in business for four years, but records about how much the business made were incomplete; only two years’ worth of DDoS customer data was available (the rest had apparently been wiped from the server). But in that two years, the records showed that more than 150,000 customer paid in excess of $600,000 to launch DDoS attacks on targeted sites.

The vDos home page.

The vDos home page.

The demise of vDOS exposed a worrying trend in DDoS-for-hire attack services: The rise of hyper-powered booter services capable of launching attacks that can disrupt operations at even the largest of Web sites and hosting providers.

Hours after the Septemeber attack swept KrebsOnSecurity offline, the same attackers hit French hosting giant OVH with an even larger DDoS-for-hire attack. On Oct. 21, 2016, Internet infrastructure provider Dyn was hit by a very similar attack. All three attacks involved collections of hacked computers powered by DDoS-based malware called “Mirai.” This malware doesn’t infect Windows computers, but instead worms its way into Linux-based systems that run on many consumer hardware products like wireless routers, security cameras and digital video recorders that are left operating in factory-default (insecure) settings.

Security experts say the crime machine that caused problems for Dyn was not the same one that was used to knock my site offline in September. That’s because at the beginning of October the miscreant responsible for creating Mirai leaked the source code for the malware online. Since then, dozens of new Mirai robot networks or “botnets” have been spotted being used to launch cyberattacks — including the one used to attack Dyn. And in some cases, the criminals at the helm of these weapons of mass disruption are renting out “slices” or shares of the botnet to other crooks, typically at the rate of several thousand dollars per week.

I applaud last week’s actions here in the United States and abroad, as I believe many booter service customers patronize them out of some rationalization that doing so isn’t a serious crime. The typical booter service customer is a teenage male who is into online gaming and is seeking a way to knock a rival team or server offline — sometimes to settle a score or even to win a game. One of the co-proprietors of vDos, for example, was famous for DDoSsing the game server offline if his own team was about to lose — thereby preserving the team’s freakishly high ‘win’ ratios.

But this is a stereotype that glosses over a serious, costly and metastasizing problem that needs urgent attention. More critically, early law enforcement intervention for youths involved in launching or patronizing these services may be key to turning otherwise bright kids away from the dark side and toward more constructive uses of their time and talents before they wind up in jail. I’m afraid that absent some sort of “road to Damascus” moment or law enforcement intervention, a great many individuals who initially only pay for such attacks end up getting sucked into an alluring criminal vortex of digital extortion, easy money and online hooliganism.


22 thoughts on “‘Operation Tarpit’ Targets Customers of Online Attack-for-Hire Services

    1. Gary Adams

      Bravo! About time, keep it going. We must also start rating manufacturers who do not secure their products or support them in the long run. Additionally efforts are needed to develop standards for that will make it easier for the average user to secure and update home routers and IoT devices.
      G.

  1. IRS iTUNE cards (real)

    Thanks for posting this article, time to go do Microsoft security updates !

  2. Steve

    Nice article Brian. Thank you. I think there may be a typo in your report: “that knocked the(this) site offline for several days. The attack came hours (after) a story “

    1. IRS iTUNE cards (real)

      “With a little help from his friends ” :–)

  3. Bart

    Brian wrote: “..hiring someone to launch cyberattacks on your behalf can land you in jail.”

    But will it land anyone in jail?

    1. Jeff

      > But will it land anyone in jail?

      Even if it doesn’t, you won’t be able to get the necessary paperwork (indicating a ‘clean’ record) when a future employer asks you for it. And many governments, financial institutions and reputable security companies require these to be present before you can be enrolled in a job or function. Thus one court ruling could ruin someone’s career opportunities.

  4. Jewtopia

    There be your justice, Krabs!
    Hapy Holidas, enhoy your present new early!

  5. rich

    Excellent news if these people are starting to feel some heat.

    The USA needs to take the lead in identifying, extraditing and prosecuting people who run these services.

    If the UK and the rest of Europe do identify someone who runs a booter service, after a million pound investigation, they will get a small fine or a six months suspended sentence and walk away laughing.

    But if the US gets hold of them and prosecutes them then 250 months of hard federal time beckons!

  6. Tom

    I worked with a YouTube star that was knocked offline by DDOS. It was a “fan” who wanted to see if he could do it. He apologized and went away but he shut down $1.5M revenue stream for the star. Sometimes gamers lose their temper when they keep getting beat. I think the “fan” felt like the star was a friendly target who wouldn’t react like an Enterprise would with a full-time security team. It is sad it is so easy to be so destructive, and so appealing to some of society. Anyway, thanks for the good reporting as always.

  7. Hai Phan

    How about this? We put into law mandating the death penalty for running booter services. But the law will apply only to future offenders. Booter services that shutdown before the law’s effective date will be excused.

  8. Gordon Walker

    As someone who enjoys the occasional online gaming session, I find it absolutely pathetic that these folks are willing to go this far over something so inconsequential. Real gamers win with skill, not by DDoS. It is usually a lot more gratifying winning through legitimate means as well.

  9. gono

    Ahhh
    And all this dirty money is mostly loundred by billionaires in real estate in london and new york.
    And thanks to bitcoins criminals can work better now.
    And dont tell me guys you did not know bitcoins maded by rotchilds

  10. Rohit

    There is a weak link in all this, the ISP’s. I report multiple abuses to various ISP’s every day and only 7-10% of the ISP’s respond and only 2% take action Unless ISP’s are forced to act on abuse reports, this problem will remain.

  11. reader_001

    Paragraph 6 – Is it meant to say Australia or Austria? It seems strange that europol would comment about a country on the other side of the world

  12. Fraxinus

    “were quizzed about their involvement but not formally charged with crimes”

    Am I the only one thinking that this is an example of the FBI wasting resources and behaving like a gang punishing competing wannabe gangsters?

    If there is a law that can put these people in jail – go for it. If there is no way and they know that beforehand this is a clear abuse of power that should not be tolerated.

  13. Damian Mccan

    I was curious if you ever considered changing the layout of your site? Its very well written; I love what youve got to say. But maybe you could a little more in the way of content so people could connect with it better. Youve got an awful lot of text for only having one or 2 images. Maybe you could space it out better?

  14. cnorca

    I am totally fine with the missing “Southern” between “University of” and “California”, because I was a Trojan and it’s kind of a shame that some alumni did that…

Comments are closed.