
Denial-of-Service attacker tells Brian Krebs he's working for the FBI

Last week, I blogged Brian Krebs's amazing piece on AsylumBooter, a cheesy denial-of-service-for-hire site apparently run by a 17-year-old Chicago-area honor-roll student named Chandler Downs, whose PayPal account was flush with more than $30,000 paid by people who'd launched more than 10,000 online attacks.

Now, Krebs has uncovered an even weirder booter story: Ragebooter is another DoS company, but this one is run by a guy who claims to be working part time for the FBI, and who says that the FBI has its own login to his site and reviews all the IP addresses and other traffic data it logs.

Ragebooter.net’s registration records are hidden behind WHOIS privacy protection services. But according to a historic WHOIS lookup at domaintools.com, that veil of secrecy briefly fell away when the site was moved behind Cloudflare.com, a content distribution network that also protects sites against DDoS attacks like the ones Ragebooter and its ilk help to create (as I noted in Monday’s story, some of the biggest targets of booter services are in fact other booter services). For a brief period in Oct. 2012, the WHOIS records showed that ragebooter.net was registered by a Justin Poland in Memphis...

... “I also work for the FBI on Tuesdays at 1pm in memphis, tn,” Poland wrote. “They allow me to continue this business and have full access. The FBI also use the site so that they can moniter [sic] the activitys [sic] of online users.. They even added a nice IP logger that logs the users IP when they login.”

When I asked Poland to provide more information that I might use to verify his claims that he was working for the FBI, the conversation turned combative, and he informed me that I wasn’t allowed to use any of the information he’d already shared with me. I replied that I hadn’t and wouldn’t agree that any of our discussion was to be off the record, and he in turn promised to sue me if I ran this story. That was more or less the end of that conversation.

Poland gave Krebs the working personal number of an FBI agent identified as "Agent Lies," who put him onto the FBI's press contact, who stonewalled. Meanwhile, Ragebooter leaks a lot of info and there's some reason to believe that the FBI really does have its own back door.

Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor?

Inside the world of "booters" -- cheesy DoS-for-hire sites

Brian Krebs delves into the world of "booter" services, low-level, amateurish denial-of-service websites where you can use PayPal to have your video-game enemies' computers knocked off the Internet by floods of traffic. Many booter services run off the same buggy codebase, and Krebs was apparently able to get inside the administrative interfaces for them and get some insight into their business.

One such is "Asylum," which appears to be run by Chandler Downs, a 17-year-old Chicago-area honor-roll student who reportedly made $35,000 in PayPal payments in exchange for denial-of-service attacks. Asylum even has an ad (narrated by an actor hired through the casual labor exchange site Fiverr) where, for $18/month, you can launch unlimited DoSes against "skids on Xbox live."

Young Mr Downs claimed that his service was not used to attack people, but only for legitimate stress-testing, then he changed his story and said he was only managing the service for someone else, and "You are able to block any of the 'attacks' as you say with rather basic networking knowledge. If you're unable to do such a thing you probably shouldn't be running a website in the first place."

Nixon noted that all of the packets incoming from the traffic she ordered to her test machines appeared to have been sent from spoofed IP addresses. However, when she used the “Down or Not?” host checker function on Asylum, the site responded from what appears to be the real Internet address of one of the servers that are used to launch the attacks: 93.114.42.28. She noted that a booter service that appears to be a clone of Asylum – vastresser.ru – is hosted on the same server.

Asylum, like most other booter services, is hidden behind Cloudflare, a content distribution network that helps sites block attacks that services like Asylum are designed to launch. Apparently, getting attacked is something of an occupational hazard for those running booter services. Behind the Cloudflare proxy, Nixon found that the secret IP for the Asylum stresser Web frontend was 93.114.42.205.

Both IP addresses map back to Voxility, a hosting facility in Romania that has a solid reputation in the cybercrime underground for providing so-called “bulletproof hosting” services, or those that generally turn a deaf ear to abuse complaints and requests from law enforcement officials. In January 2013, I profiled one data center at this ISP called Powerhost.ro that was being used as the home base of operations for the organized cybercrime gang that is currently facing charges of developing and distributing the Gozi Banking Trojan.

According to Krebs, "Between the week of Mar. 17, 2013 and Mar. 23, 2013, asylumstresser.com was used to launch more than 10,000 online attacks."

DDoS Services Advertise Openly, Take PayPal

Denial of service attacks used to cover up fraudulent bank transfers

Brian Krebs documents a sophisticated offline/online attack on banks. Thieves combine a fraudulent wire-transfer to an innocent jewelry store with a denial-of-service attack on the bank that ties up the IT and other staff. The jeweler has been told that the money is to buy expensive jewels and watches, which are given to a stooge recruited as a courier and reshipper.

The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves who are using a modified version of the ZeuS Trojan called “Gameover.” The rash of thefts come after a series of heavy spam campaigns aimed at deploying the malware, which arrives disguised as an email from the National Automated Clearing House Association (NACHA), a not-for-profit group that develops operating rules for organizations that handle electronic payments. The ZeuS variant steals passwords and gives attackers direct access to the victim’s PC and network.

In several recent attacks, as soon as thieves wired money out of a victim organization’s account, the victim’s public-facing Internet address was targeted by a network attack, leaving employees at the organization unable to browse the Web.

A few of the attacks have included an odd twist that appears to indicate the perpetrators are using money mules in the United States for at least a portion of the heists. According to an FBI advisory, some of the unauthorized wire transfers from victim organizations have been transmitted directly to high-end jewelry stores, “wherein the money mule comes to the actual store to pick up his $100K in jewels (or whatever dollar amount was wired).”
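The pattern Krebs describes (a flood against the victim's public address that begins right after the fraudulent wire goes out) is easy to miss when the payments team and the network team look at separate consoles. The following correlation check is an added example, not code from Krebs, the FBI advisory or any bank; it assumes a hypothetical `TIMESTAMP event key=value` log format and uses constructed sample records to flag wire transfers that are followed within a short window by a DDoS onset against the same organisation.

```python
"""Flag outbound wire transfers followed, within a window, by a DDoS onset
against the same organisation: the 'distraction DDoS' pattern described in
the FBI advisory. Log format and all records below are constructed for this
example; they are not real bank or sensor data."""
from datetime import datetime, timedelta

# Constructed payments audit log (one wire transfer per line).
PAYMENT_LOG = """\
2013-03-19T09:02:11Z wire_transfer org=acme-corp account=4471 amount=98500.00 dest=jeweler-store
2013-03-19T11:40:02Z wire_transfer org=acme-corp account=4471 amount=1200.00 dest=office-supplies
2013-03-20T14:15:47Z wire_transfer org=northwind account=9012 amount=64000.00 dest=jeweler-store
2013-03-21T08:30:00Z wire_transfer org=contoso account=1111 amount=75000.00 dest=jeweler-store
"""

# Constructed network-monitoring alert feed (DDoS start/end events).
NETWORK_ALERTS = """\
2013-03-19T09:05:30Z ddos_start org=acme-corp target_ip=203.0.113.10 pps=850000
2013-03-19T09:48:00Z ddos_end org=acme-corp target_ip=203.0.113.10
2013-03-20T14:16:20Z ddos_start org=northwind target_ip=198.51.100.7 pps=420000
2013-03-21T10:30:00Z ddos_start org=contoso target_ip=192.0.2.9 pps=300000
"""


def parse_line(line):
    """Parse 'TIMESTAMP event key=value ...' into a dict (hypothetical format)."""
    ts_text, event, *kvs = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    """Parse every non-empty line of a log blob."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate(payment_text, alert_text, window=timedelta(minutes=30)):
    """Return one finding per wire transfer that is followed, within `window`,
    by a DDoS onset against the same org. The transfer is the leading event:
    in the cases described, the flood starts right after the money moves,
    so a DDoS that began *before* the transfer is not matched."""
    transfers = [r for r in parse_log(payment_text) if r["event"] == "wire_transfer"]
    onsets = [r for r in parse_log(alert_text) if r["event"] == "ddos_start"]
    findings = []
    for t in transfers:
        for d in onsets:
            if d["org"] != t["org"]:
                continue
            lag = d["ts"] - t["ts"]
            if timedelta(0) <= lag <= window:
                findings.append({
                    "org": t["org"],
                    "amount": float(t["amount"]),
                    "dest": t["dest"],
                    "transfer_ts": t["ts"].isoformat(),
                    "ddos_ts": d["ts"].isoformat(),
                    "lag_seconds": int(lag.total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for f in correlate(PAYMENT_LOG, NETWORK_ALERTS):
        print(f"[ALERT] {f['org']}: ${f['amount']:,.2f} to {f['dest']} at "
              f"{f['transfer_ts']}, DDoS onset {f['lag_seconds']}s later")
```

With the default 30-minute window this flags the two transfers that were followed by floods within seconds to minutes and ignores the small office-supplies payment and the transfer whose DDoS came two hours later; widening the window trades fewer misses for more noise, so tune it against your own incident history and route hits to the fraud team, not only to the network operations queue.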

DDoS Attacks Spell ‘Gameover’ for Banks, Victims in Cyber Heists

Black Flag bassist Kira Roessler's custom bass guitar stolen

The Studio City, CA home of legendary bassist Kira Roessler (Black Flag, Dos) was broken into yesterday. Among the belongings reported stolen: her custom bass guitar. While losing any of one's possessions to theft is a huge bummer, this is *really* sad. According to The Groove Music Life:
The bass is a three-quarter-scale instrument custom-made by California-based luthier Mark Garza with a Rickenbacker-style body and Telecaster-style headstock with the name "Garz" on it; according to Kira there is also a small nick in the headstock. It is the only model of its kind in existence; it has been Roessler's main instrument for the past several years.

Hopefully, the uniqueness of this instrument will aid in identifying it if it turns up somewhere, and the odds of its return to Roessler are greater. If any Boing Boing readers happen to see it or have any leads, they're welcome in the comments.

2600 Magazine condemns DDoS attacks against Wikileaks censors

2600: The Hacker Quarterly has published a public statement opposing the Anonymous denial-of-service attacks on the services that abetted the censorship of Wikileaks. 2600's position is that the inexcusable moral cowardice of Visa, Mastercard, PayPal, etc., does not justify the use of brute force. Additionally, 2600 says that DDoS attacks are tactically unsound, as they create sympathy for these companies and are used as a pretense for more attacks on Internet freedom. Finally, 2600 wants to strongly disassociate "hackers" from people who merely run a piece of push-button DoS software, and to ensure that the security specialists, experimenters, hobbyists and others who make up its community are not unfairly associated with the DDoS attacks.
The assault on Wikileaks must not be overshadowed by the recent denial of service attacks and these certainly must not be allowed to be associated with the hacker community. This will play right into the hands of those who wish to paint us all as threats and clamp down on freedom of speech and impose all kinds of new restrictions on the Internet, not to mention the fact that the exact same types of attacks can be used on "us" as well as "them." (Interestingly, it was only a week ago that "hackers" were blamed for denial of service attacks on Wikileaks itself. That tactic was ineffectual then as well.) Most importantly, these attacks are turning attention away from what is going on with Wikileaks. This fight is not about a bunch of people attacking websites, yet that is what is in the headlines now. It certainly does not help Wikileaks to be associated with such immature and boorish activities any more than it helps the hacker community. From what we have been hearing over the past 24 hours, this is a viewpoint shared by a great many of us. By uniting our voices, speaking out against this sort of action, and correcting every media account we see and hear that associates hackers with these attacks, we stand a good chance of educating the public, rather than enflaming their fears and assumptions.

There are a number of positive steps people - both inside and outside of the hacker community - can take to support Wikileaks and help spread information. Boycotts of companies that are trying to shut Wikileaks down can be very effective and will not win them any sympathy, as the current attacks on their websites are unfortunately doing. Mirroring Wikileaks is another excellent method of keeping the flow of information free. Communicating with friends, family, classes, workplaces, etc. is not only a way of getting the word out, but will also help to sharpen your skills in standing up for what you believe in. This is never accomplished when all one tries to do is silence one's opponent. That has not been, and never should be, the hacker way of dealing with a problem.

2600 Magazine has been publishing news, tutorials, and commentary by, about, and for the hacker community since 1984. We were sued in 2000 by the Motion Picture Association of America for linking to a website containing source code enabling Linux machines to play DVDs and thus became the first test case of the Digital Millennium Copyright Act. In a similar vein, we are supporting Wikileaks by linking to their existing website through wikileaks.2600.com. We've already changed where this address points to twice as Wikileaks sites have been taken down, and will continue to ensure that this link always manages to get to wherever Wikileaks happens to be. We hope people follow that link and support the existence of Wikileaks through whatever method is being publicized on their site.

I recognize that "Anonymous" isn't an organization or even a group -- it's a "meme," which is to say, some people put out a call to action, and others take them up on it (or don't), and that is how "Anonymous" makes its decision. But many of us understand "Anonymous" to mean "that subset of /b/ readers and others who are, at this moment, participating in one action or another." It's tedious to have to write out this full epithet, and what's more, it's not as if Anonymous is the first phenomenon to be loosely structured -- after all, the "peace movement" or "environmental movement" had lots of different members who dissented on strategy, tactics, goals and commitments, and undertook many actions with support of different levels and intensity (including provocateurs, fellow travellers, and bystanders who got swept up along the way). But there was and is a "peace movement" and an "environmental movement" and it's not inaccurate to say, "Environmentalists oppose such-and-such," because anyone who has paid any attention knows that this means, "some environmentalists oppose such-and-such, others don't, some have no opinion, and there are no formal membership requirements for the 'environmental movement'."

I can't see any point in the pedantic nitpicking about whether anyone can meaningfully discuss "Anonymous." There are people who sometimes call themselves Anonymous. They come together to do stuff, sometimes. Insisting on this formulation "Some anonymous people who have answered an anonymous call to action and are presently operating under the Anonymous banner," every time someone mentions Anonymous is just dumb.

HACKER MAGAZINE CONDEMNS DENIAL OF SERVICE ATTACKS (Thanks, Emmanuel!)