Hackers turn cybercrime into a commercial service
Online gamers are all too familiar with the frequent annoyance of DDoS (distributed denial of service) attacks on the internet. These attacks involve hackers utilizing a vast network of compromised computers to overwhelm game servers, resulting in hours or even days of downtime for players. The issue has become increasingly widespread as hackers have started selling their botnets and spamming tools to anyone willing to pay for access to the same level of power.
There’s a big internet out there, and bad actors abound. There are worse things than spammers and scammers swimming in the depths of the dark web. In his new book, Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks, Dr. Scott J. Shapiro, professor of law and philosophy at Yale Law School, traces the illegal history of the Internet through five of the biggest hacks of digital infrastructure ever recorded.
Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks by Scott J. Shapiro. Published by Farrar, Straus and Giroux. Copyright © 2023 Scott J. Shapiro. All rights reserved.
Crime as a service
Not all Denial of Service attacks use botnets. In 2013, the Syrian Electronic Army (SEA) – the online propaganda arm of the brutal Bashar al-Assad regime – hacked Melbourne IT, the registrar that sold the nytimes.com domain to The New York Times. SEA changed DNS records so that nytimes.com pointed to SEA’s website instead. Because Melbourne IT contained authoritative records of the Times website, the unauthorized changes quickly spread around the world. When users typed in the standard New York Times domain, they were taken to the website of a murderous organization.
On the other hand, not all botnets launch denial-of-service attacks. After all, a botnet is a collection of many hacked devices controlled remotely by an attacker, and these bots can be used for many purposes. Botnets were originally used for spam. The Viagra and Nigerian Prince emails that littered mailboxes were sent from thousands of geographically dispersed zombie computers. In these cases, the attacker reaches out to their bot army and tells each bot to send tens of thousands of emails a day. For example, in 2012, the Russian Grum botnet sent over 18 billion spam messages per day from 120,000 infected computers, netting its botmaster $2.7 million over three years. Botnets are excellent spam infrastructure because they are difficult to defend against. Networks usually use “block lists”: lists of addresses they don’t accept mail from. To block a botnet, however, the addresses of thousands of geographically dispersed machines would have to be added to the list, and that takes time and money.
Because the malware we’ve seen so far—worms, viruses, molds, and threads—couldn’t work together, they weren’t useful for financially motivated crime. Botnet malware, on the other hand, is, because the botnets it creates are controllable. Botmasters are able to issue orders to each bot, allowing them to work together. In fact, botnet malware is the Swiss army knife of cybercrime: botmasters can command bots to plant malware on vulnerable machines, send phishing emails, or engage in click fraud, in which the botnet profits by directing bots to click on pay-per-click ads. Click fraud is particularly lucrative, as Paras Jha later discovered. In 2018, the ZeroAccess botnet could earn $100,000 per day from click fraud. It controlled one million infected computers in 198 countries, including the island nation of Kiribati and the Himalayan Kingdom of Bhutan.
Botnets are great DDoS weapons because they can be trained on a target. On one day in February 2000, the hacker MafiaBoy took down Fifa.com, Amazon.com, Dell, E*TRADE, eBay, CNN, and Yahoo!, the largest search engine on the Internet at the time. He defeated these web servers by commandeering computers at 48 different universities and combining them into a primitive botnet. When everyone sent requests to the same IP address at the same time, the combined weight of the requests crashed the website.
After disabling so many major websites, MafiaBoy was considered a national security threat. President Clinton ordered a nationwide manhunt to find him. In April 2000, MafiaBoy was arrested and charged, and in January 2001, he pleaded guilty to 58 denial-of-service attacks. MafiaBoy’s real name was not released by law enforcement because this national security threat was only fifteen years old. MafiaBoy later revealed himself to be Michael Calce. “You know I’m a pretty calm, collected and cool person,” Calce shared. “But when you have the president of the United States and the attorney general basically calling you and saying, ‘We’re going to find you’ . . . at that point I was a little worried.” Calce now works in cyber security as a white hat — a good hacker, as opposed to a black hat — after spending five months in juvenile detention.
Both MafiaBoy and the VDoS crew were teenage boys crashing servers. But while MafiaBoy did it for the lulz, VDoS did it for the money. In fact, these teenage Israeli kids were pioneering tech entrepreneurs. They helped usher in a new form of cybercrime: DDoS as a service. DDoS as a service is a subscription-based model that gives subscribers access to a botnet to launch either a daily quota of attacks or unlimited attacks, depending on the price. DDoS service providers are known as booter services or stressor services. They come with user-friendly websites that allow customers to choose an account type, pay for subscriptions, check service status, launch attacks, and get technical support.
VDoS advertised its booter service on Hack Forums, the same site where Paras Jha spent hours, according to Coelho. On its website www.vdos-s.com, VDoS offered the following subscription services: Bronze ($19.99 per month), Silver ($29.99 per month), Gold ($39.99 per month) and VIP ($199.99 per month). The higher the price, the more attack time and volume. At its peak in 2015, VDoS had 1,781 subscribers. The gang had a customer service department and accepted PayPal for a while. From 2014 to 2016, VDoS earned $597,862 and launched 915,287 DDoS attacks in one year.
VDoS democratized DDoS. Even the most inexperienced user can sign up for one of these accounts, enter a domain name, and attack its website. “The problem is that this kind of firepower is available to literally anyone willing to pay thirty dollars a month,” explained Allison Nixon, director of security research at Flashpoint. “Basically, this means you have to have DDoS protection in order to participate on the Internet. Otherwise, any angry young teenager can take you offline in no time.” Even booter services need DDoS protection. VDoS hired Cloudflare, one of the world’s largest DDoS mitigation companies.
DDoS as a service followed a trend in cybercrime known as “malware as a service”. Where users once bought information about software vulnerabilities and tried to figure out how to exploit those vulnerabilities themselves, or bought malware and tried to figure out how to install and run it, now they can simply pay to use the malware and hack at the push of a button, no technical skills required.
Because the customers of DDoS services are inexperienced, they are particularly vulnerable to scams. Scammers often advertise booter services on public forums and accept subscriptions and payments, but do not launch the promised attacks. Even VDoS, which did provide a DDoS service, delivered less than it advertised. The VDoS botnet tested by Flashpoint never reached the promised 50 gigabits per second, instead reaching six to fourteen gigabits per second.
Boards promoting booter services, as Hack Forums once did, are available to anyone with a standard browser and an Internet connection. They exist on the Clear Web, not the so-called Dark Web. To access sites on the Dark Web, you need to use a special network called Tor, usually through a special browser known as the Tor Browser. When a user tries to access a website on the Dark Web, the Tor Browser does not request the web pages directly. It chooses three random locations, called nodes, through which to route the request. The first node knows the original sender but not the final destination. The second node knows neither the original sender nor the final destination – it only knows the first and third nodes. The third node knows the final destination but not the original sender. In this way, the sender and receiver can communicate with each other without knowing the identity of the other.
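The three-hop circuit described above can be modelled with a few dozen lines of code. The block below is an added example, not code from the book or from the Tor Project: it wraps a message in one encryption layer per relay, lets each relay peel its own layer, and records what each relay could observe. The relay names, the pre-shared keys (real Tor negotiates a fresh session key with each relay during circuit setup) and the SHA-256-based stream cipher are all constructed for illustration and are not Tor’s actual protocol.

```python
import hashlib
import json
import os

NONCE_LEN = 16

# Constructed relay keys for the three hops. Real Tor negotiates a fresh
# session key with each relay during circuit setup; pre-shared keys are an
# assumption that keeps this model short.
RELAY_KEYS = {
    "guard": b"guard-key-constructed",
    "middle": b"middle-key-constructed",
    "exit": b"exit-key-constructed",
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (illustration only,
    not the AES/TLS construction Tor actually uses)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one onion layer: random nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def _open(key: bytes, blob: bytes) -> bytes:
    """Peel one layer with the relay's key."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def build_onion(path, destination, message):
    """Wrap the message once per relay. The innermost layer (for the exit)
    names the destination; every outer layer names only the next relay and
    carries the remaining layers as an opaque blob."""
    layer = _seal(RELAY_KEYS[path[-1]],
                  json.dumps({"next": destination, "payload": message}).encode())
    for i in range(len(path) - 2, -1, -1):
        cell = {"next": path[i + 1], "payload": layer.hex()}
        layer = _seal(RELAY_KEYS[path[i]], json.dumps(cell).encode())
    return layer


def relay_process(relay, prev_hop, blob):
    """One relay's work, plus a record of everything it could observe:
    who handed it the cell and who it forwards to. Nothing else is visible."""
    cell = json.loads(_open(RELAY_KEYS[relay], blob))
    view = {"relay": relay, "sees_prev": prev_hop, "sees_next": cell["next"]}
    return cell["next"], cell["payload"], view


def run_circuit(sender, path, destination, message):
    """Push one message through the circuit; return (relay views, delivery)."""
    blob = build_onion(path, destination, message)
    views, prev_hop, delivered = [], sender, None
    for relay in path:
        next_hop, payload, view = relay_process(relay, prev_hop, blob)
        views.append(view)
        prev_hop = relay
        if next_hop in RELAY_KEYS:
            blob = bytes.fromhex(payload)      # hand the remaining layers onward
        else:
            delivered = {"to": next_hop, "message": payload, "seen_from": relay}
    return views, delivered


def anonymity_properties(views, sender, destination):
    """Check the three claims in the text against what the relays logged."""
    guard, middle, exit_relay = views
    return {
        "guard_knows_sender_not_destination":
            guard["sees_prev"] == sender and destination not in guard.values(),
        "middle_knows_neither":
            sender not in middle.values() and destination not in middle.values(),
        "exit_knows_destination_not_sender":
            exit_relay["sees_next"] == destination and sender not in exit_relay.values(),
    }


if __name__ == "__main__":
    v, d = run_circuit("client-laptop", ["guard", "middle", "exit"],
                       "example.onion", "hello")
    for view in v:
        print(view)
    print(d)
    print(anonymity_properties(v, "client-laptop", "example.onion"))
```

The point of the model is the `view` record each relay produces: the guard logs the client and the middle relay, the middle logs only its two neighbours, and the exit logs the middle relay and the destination. No single relay holds both ends, which is exactly the property the paragraph describes; the model leaves out the parts of real Tor (directory authorities, key negotiation, the hidden-service rendezvous) that do not change that observation.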
The Dark Web is doubly anonymous. No one but the owner of the website knows its IP address. No one other than the visitor knows that he is using the website. That’s why the Dark Web is usually used by political dissidents and cybercriminals – anyone who needs complete anonymity. The Dark Web is legal to browse, but many of its websites offer services that are illegal to use. (Fun fact: The US Navy created the Dark Web in the mid-1990s to allow its intelligence agents to communicate confidentially.)
It may come as a surprise that DDoS providers can advertise on the Clear Web. After all, DDoSing another website is illegal everywhere. In the United States, it is a violation of the Computer Fraud and Abuse Act to “knowingly cause the transmission of a program, data, code, or command and, as a result of such action, intentionally causes damage without authorization,” where the damage includes “any impairment of . . . the availability of data, program, system, or information.” To get around this, booter services have long claimed to perform a legitimate “stressor” function, providing website creators with a means to stress test their own websites. Indeed, booter services routinely include terms of service that prohibit attacks on unauthorized sites and disclaim any responsibility for such attacks.
In theory, stressors have an important function. But only in theory. Private conversations between VDoS and its customers indicated that the customers were not stress testing their own websites. As one booter service provider admitted to Cambridge University researchers: “We’re trying to market these services to a more legitimate user base, but we know where the money is coming from.”