Posts Tagged: SWATing


17
Apr 13

SWATting Incidents Tied to ID Theft Sites?

Many readers have been asking for an update on the “SWATting” incident at my home last month, in which someone claiming to be me fraudulently reported a home invasion in progress at my address, prompting a heavily armed police response. There are two incremental developments on this story. The first is I’ve learned more about how the hoax was perpetrated. The second is that new clues suggest that the same individual(s) responsible also have been SWATting Hollywood celebrities and posting their personal information on site called exposed.re.

The day before my SWATting, I wrote a story about a site called exposed.su, which was posting the Social Security numbers, previous addresses, phone numbers and other sensitive information on a slew of high-profile individuals, from the director of the FBI to Kim Kardashian, Bill Gates and First Lady Michelle Obama. I wrote about the site by way of explaining that — as painful as it may be to admit — this information should no longer be considered private, because it is available quite cheaply via a number of shady services advertised in underground cybercrime forums.

After migrating the data from Exposed.su to Exposed.re, the curator added [Swatted] notations.


[Swatted] notations were added to celebrity names after Exposed.su became Exposed.re

To illustrate this reality, I pointed to one underground site in particular — the now-defunct ssndob.ru (it is now at another domain) — that could be used to pull all of this information on just about anyone, including all of those whose information was listed at the time on exposed.su. In a follow-up investigation I posted on Mar. 18, 2013, I cited sources who claimed that the DDoS against my site and the simultaneous SWATting attack on my home was in retaliation for my writing about ssndob.ru, which allegedly some of those involved in the attacks prized and did not wish to see shuttered.

Specifically, two different sources placed blame for the attacks on a young hacker named “Phobia,” who they said was part of a group of Xbox gaming enthusiasts who used ssndob.ru to look up Social Security numbers belonging to high-value Xbox account holders — particularly those belonging to Microsoft Xbox Live employees. Armed with that information, and some social engineering skills, the hackers could apparently trick Microsoft’s tech support folks into transferring control over the accounts to the hackers. “I heard he got pissed that you released the site he uses,” one of the sources told me, explaining why he thought Phobia was involved.

Incidentally, two days after my story ran, several news outlets reported that Microsoft had confirmed it is investigating the hacking of Xbox Live accounts belonging to some “high-profile” Microsoft employees, and that it is actively working with law enforcement on the matter.

A little digging suggested that Phobia was a 20-year-old Ryan Stevenson from in Milford, Ct. In that Mar. 18 story, I interviewed Phobia, who confessed to being the hacker who broke into and deleted the Apple iCloud account of wired.com reporter Mat Honan. In subsequent postings on Twitter, Honan expressed surprise that no one else had drawn the connections between Phobia and Stevenson earlier, based on the amount of open source information linking the two identities. In his own reporting on the attack that wiped his iCloud data, Honan had agreed not to name Phobia in return for an explanation of how the hack was carried out.

Geographic distribution of servers observed in Mar. 14, 2013 attack on KrebsOnSecurity. Source: Prolexic

Geographic distribution of servers observed in Mar. 14, 2013 attack on KrebsOnSecurity. Source: Prolexic

The week after my story ran, I heard from someone who lives in Stevenson’s neighborhood and who watched federal agents and police descend on Stevenson’s home on Mar. 20. I was later able to corroborate that information with a police officer in Connecticut, who confirmed that authorities had seized several boxes of items from the Stevenson residence that day.

If Stevenson was as involved as his erstwhile gaming buddies claim, I can’t say that I’m sad to learn that he got his own police raid. However, I do not believe he was the one responsible for sending the emergency response team to my home. I believe that the person or persons responsible is/are still at large, and that Stevenson was merely thrown under the bus as a convenient diversion. But more on that at another time.

At the end of March, exposed.su was shut down, and the content there was migrated over to a new domain — exposed.re. The curator(s) of this site has been adding more celebrities and public figures, but there is another, far more curious, notation on some of the listings at the new version of the site: Several of those named have the designation [Swatted] next to them, including P. Diddy, Justin Timberlake and Ryan Seacrest (see the collage above). It’s worth noting that not all of those listed on exposed.re who were SWATted recently are designated as such on the site.

Continue reading →


18
Mar 13

The Obscurest Epoch is Today

“History is much decried; it is a tissue of errors, we are told, no doubt correctly; and rival historians expose each other’s blunders with gratification. Yet the worst historian has a clearer view of the period he studies than the best of us can hope to form of that in which we live. The obscurest epoch is to-day; and that for a thousand reasons of incohate tendency, conflicting report, and sheer mass and multiplicity of experience; but chiefly, perhaps, by reason of an insidious shifting of landmarks.” – Robert Louis Stevenson

To say that there is a law enforcement manhunt on for the individuals responsible for posting credit report information on public figures and celebrities at the rogue site exposed.su would be a major understatement. I like to think that when that investigation is completed, some of the information I’ve helped to uncover about those affiliated with the site will come to light. For now, however, I’m content to retrace some of my footwork this past weekend that went into tracking individuals who may have been responsible for attacking my site and SWATing my home last Thursday.

I state upfront that the information in this piece is certainly not the whole story (most news reporting is, at best, a snapshot in time, a first rough draft of history). While the clues I’ve uncovered thus far point to the role of a single individual, this person is likely part of a larger group involved in hacking and SWATing activity.

In my story last week, I posted a copy of the internal database for booter.tw, one of several fee-for-service “booter” sites. Booter sites are perhaps most popular among online gaming enthusiasts, who like to use them to knock opponents offline; but they are frequently also used to launch debilitating attacks on Web sites. That leaked booter.tw database shows that the denial-of-service attack that hit my site last week was paid for by a booter.tw user with the account name “countonme,” and using the address “countonme@gmail.com.”

Since the attack, I reached out to the proprietor of booter.tw, a hacker who uses the nickname “Askaa.” He informed me that the individual who launched the attack on my site was a hacker who used the screen name Phobia. “Phobia hacked into the countonme account to make it look like the according user attacked you,” Askaa said in a brief interview over Skype instant message. Askaa declined to say why he was so confident of this information.

RealTeamHype

RealTeamHype’s Youtube page before the videos were deleted on Sunday.

Separately, over the weekend I received an email from a person who claimed to have direct knowledge of the attacks (perhaps because he, too, was involved). This individual said those who attacked my site were a group of young online video game enthusiasts who were upset that earlier in the week I’d written about ssndob.ru, a site that sells access to peoples’ credit files, Social Security numbers and other sensitive information.

According to this source, the hackers in this case belong to a four-man Xbox live gamer team that calls itself “Team Hype,” which until this past weekend had posted a number of videos to their own youtube.com channel, RealTeamHype (more on what happened to these videos in a moment).

According to the anonymous source, Team Hype consists of hackers who use the nicknames “Trojan,” “Shadow,” Convict,” and “Phobia.” The source said the group used SSNs from ssndob.ru to hijack “gamertags,” online personas tied to Xbox Live game accounts. In this case, specifically from Microsoft employees who work on the Xbox Live gaming platform. Some of the group members then sell those accounts to other Xbox Live players.

“They hack/social engineer Gamertags off Microsoft employees by using SSNs,” the source wrote. “I didn’t DDoS your site and I didn’t SWAT you, Phobia has been telling everyone he did. The method he released he said he gets SSNs, then calls phone companies and redirects the number and than gets xbox phone support to call number and confirm. I heard he got pissed that you released the site he uses. Also Trojan told a buddie of mines ‘fear'(on AIM) something about a dead body in your closet about your swat.”

Snippet from @PhobiaTheGod's now-closed Twitter account

Snippet from @PhobiaTheGod’s now-closed Twitter account

The source said Phobia used the Twitter account @PhobiaTheGod (now closed, but partially available here and at this cache), and that Phobia’s personal information — including real name, address and phone number — had been “doxed” or released onto Pastebin-like sites some time ago. It didn’t take long to locate this profile at skidpaste.org (“skid” is a diminutive reference to the term “script kiddies,” referring to relatively unskilled young hackers who conduct most of their exploits using automated tools without understanding how those tools actually do the dirty work).

Having watched most of the videos at RealTeamHype’s youtube channel, it appeared that my source was telling the truth about the hijacked accounts: In fact, the videos at that channel documented such hijackings in progress using desktop screen-grabbing software. The videos even showed conversations with other team members in instant message windows in the background.

But I was reluctant to put much stock in the information until the source sent me a piece of information that only the attackers and my ISP would have known. On Friday, I received a call from Cox Communications, my Internet service provider. They wanted to know why I had paid $3,000 toward my account using several different credit card numbers. I assured them that I hadn’t made that payment. Then I heard from a member of Cox’s security team, who asked if I’d reset my password and if I’d indeed asked to cancel my Internet service. He was unsurprised to learn that I hadn’t. Apparently, hackers reset the password to my Cox email account by working out the answer to my secret question (this account is separate from my Cox user account, was set up over 10 years ago, and has never been used for anything remotely interesting or sensitive).

The source told me via email: “Hey brian, i just spoke to fear he told me phobia and his buddies were telling him that they hacked your cox email and paid your cox bill with hacked credit card, im not sure if this is true but im letting you know.”

I decided to give a call to the phone number included in the doxed records for Phobia, which rang at a home in Milford, Ct. A 20-year-old named Ryan Stevenson picked up the phone. After introducing myself, I asked Ryan if he knew anything about booter.tw, and he said he didn’t bother with booter sites because they were lame.

Continue reading →


15
Mar 13

The World Has No Room For Cowards

It’s not often that one has the opportunity to be the target of a cyber and kinetic attack at the same time. But that is exactly what’s happened to me and my Web site over the past 24 hours. On Thursday afternoon, my site was the target of a fairly massive denial of service attack. That attack was punctuated by a visit from a heavily armed local police unit that was tricked into responding to a 911 call spoofed to look like it came from my home.

Well, as one gamer enthusiast who follows me on Twitter remarked, I guess I’ve now “unlocked that level.”

Things began to get interesting early Thursday afternoon, when a technician from Prolexic, a company which protects Web sites (including KrebsOnSecurity.com) from denial-of-service attacks, forwarded a strange letter they’d received earlier in the day that appeared to have been sent from the FBI. The letter, a copy of which is reprinted in its entirety here, falsely stated that my site was hosting illegal content, profiting from cybercriminal activity, and that it should be shut down. Prolexic considered it a hoax, but forwarded it anyway. I similarly had no doubt it was a fake, and a short phone call to the FBI confirmed that fact.

Around the same time, my site came under a series of denial-of-service attacks, briefly knocking it offline. While Prolexic technicians worked to filter the attack traffic, I got busy tidying up the house (since we were expecting company for dinner). I heard the phone ring up in the office while I was downstairs vacuuming the living room and made a mental note to check my voicemail later. Vacuuming the rug near the front door, I noticed that some clear plastic tape I’d used to secure an extension cord for some outdoor lights was still straddling the threshold of the front door.

Fairfax County Police outside my home on 3/14/13

Fairfax County Police outside my home on 3/14/13

When I opened the door to peel the rest of the tape off, I heard someone yell, “Don’t move! Put your hands in the air.” Glancing up from my squat, I saw a Fairfax County Police officer leaning over the trunk of a squad car, both arms extended and pointing a handgun at me. As I very slowly turned my head to the left, I observed about a half-dozen other squad cars, lights flashing, and more officers pointing firearms in my direction, including a shotgun and a semi-automatic rifle. I was instructed to face the house, back down my front steps and walk backwards into the adjoining parking area, after which point I was handcuffed and walked up to the top of the street.

I informed the responding officers that this was a hoax, and that I’d even warned them in advance of this possibility. In August 2012, I filed a report with Fairfax County Police after receiving non-specific threats. The threats came directly after I wrote about a service called absoboot.com, which is a service that can be hired to knock Web sites offline.

One of the reasons that I opted to file the report was because I knew some of the young hackers who frequented the forum on which this service was advertised had discussed SWATting someone as a way of exacting revenge or merely having fun at the target’s expense. To my surprise, the officer who took my report said he had never heard of the phenomenon, but promised to read up on it.

One of the officers asked if it was okay to enter my house, and I said sure. Then an officer who was dressed more like a supervisor approached me and asked if I was the guy who had filed a police report about this eventuality about six months earlier. When I responded in the affirmative, he spoke into his handheld radio, and the police began stowing their rifles and the cuffs were removed from my wrists. He explained that they’d tried to call me on the phone number that had called them (my mobile), but that there was no answer. He apologized for the inconvenience, and said they were only doing their jobs. I told him no hard feelings. He told me that the problem of SWATting started on the West Coast and has been slowly making its way east.

The cop that took the report from me after the incident said someone had called 911 using a Caller ID number that matched my mobile phone number; the caller claimed to be me, reporting that Russians had broken into the home and shot my wife. Obviously, this was not the case, and nobody was harmed during the SWATing.

Update, Apr. 29, 2013: As I noted halfway through this follow-up post, the police officer was misinformed: The 911 call was actually made via instant message chats using a relay service designed for hearing impaired and deaf callers, *not* via a spoofed mobile phone call.

Original story:

It’s difficult to believe the phony FBI letter that Prolexic received, the denial-of-service attack, and the SWATting were somehow the work of different individuals upset over something I’ve written. The letter to Prolexic made no fewer than five references to a story I published earlier this week about sssdob.ru, a site advertised in the cybercrime underground that sells access to Social Security numbers and credit reports. That story was prompted by news media attention to exposed.su, a site that has been posting what appear to be Social Security numbers, previous addresses and other information on highly public figures, including First Lady Michelle Obama and the director of the FBI.

Continue reading →