Police Seize Webstresser.org, Bust 6 Suspected AdminsDDoS Stresser/Booter Service's Servers Seized; Top Users Also Arrested
Police in Europe have announced the seizure of a site widely believed to be the world's largest provider of on-demand distributed denial-of-service attacks.
See Also: DevOps - Security's Big Opportunity
Called Webstresser.org, the site boasted 136 million registered users and had launched more than 4 million attacks against websites - ranging from banks and government agencies to police forces and gaming sites - as of this month, says Europol, the EU's law enforcement intelligence agency.
Six of the site's suspected top administrators were also arrested in the United Kingdom, Croatia, Canada and Serbia on Tuesday, according to the U.K.'s National Crime Agency, which says it was assisted by police in those countries as well as Police Scotland.
On Wednesday at 11:30 a.m. British Time, the NCA says, authorities in the Netherlands, Germany and the United States seized Webstresser's servers, effecting a full takedown of the website.
Europol says that some of the site's top users - in Australia, Canada, Croatia, Hong Kong, Italy, the Netherlands, Spain and the U.K. - have also been arrested.
The investigation into Webstresser was led by Dutch National Police and the U.K.'s NCA, assisted by a dozen law enforcement agencies from around the world and coordinated by Europol's European Cybercrime Center, known as EC3, and Joint Cybercrime Action Taskforce, or J-CAT.
"It's a big deal - arrests in many countries and servers physically seized," cybercrime expert Alan Woodward, a computer science professor at England's University of Surrey, tells Information Security Media Group.
Webstresser offered on-demand DDoS disruption for as little as $14.99 per month, authorities say, allowing anyone - no technical knowledge required - to disrupt sites, sometimes in support of extortion rackets (see Cybercrime-as-a-Service Economy: Stronger Than Ever).
Woodward says the arrests highlight "the essential nature of international cooperation" in catching cybercriminals who operate across borders. But he says such efforts, including international coordination, remain difficult and complex for authorities to pursue.
At the same time, the cost of such services continues to decrease, making them more easy to access for users worldwide.
"We have a trend where the sophistication of certain professional hackers to provide resources is allowing individuals - and not just experienced ones - to conduct DDoS attacks and other kind of malicious activities online", says Steven Wilson, Head of Europol's European Cybercrime Centre.
"It's a growing problem, and one we take very seriously. Criminals are very good at collaborating, victimizing millions of users in a moment form anywhere in the world," Wilson says. "We need to collaborate as good as them with our international partners to turn the table on these criminals and shut down their malicious cyberattacks."
On-demand DDoS services often get marketed as "stresser/booter services," suggesting they might have a legitimate use for testing websites' ability to repel DDoS attacks.
Security experts say many such services are powered by bot-infected PCs, which receive remote instructions from bot herders - the criminals who built the botnet - to attack designated sites on command.
The cost of such services continues to decrease, but remains tiered to the type of target users want to disrupt, Liv Rowley, an intelligence analyst at threat-intelligence firm Flashpoint in New York, told ISMG earlier this year (see DDoS Attacker Targeted Banks, Police, Former Employer).
"An attack on a regular website is typically just $10 per hour, whereas an attack on a website that employs basic protections against DDoS attacks is typically $25 per hour," she said. "The most expensive DDoS-for-hire services are for attacks geared toward government, military, or bank websites, ranging from $100 to $150 per hour."
Security firm Imperva reports that in the last three months of 2017, the most targeted organizations were in the internet services, gambling, IT and software, gaming and cryptocurrency sectors.
In the same time frame, Imperva says organizations in Hong Kong, the United States, Taiwan, the Philippines and Malaysia were most targeted by DDoS attacks.
Stresser/Booter Sites: Illegal
Police say stresser/booter services are illegal and make for dangerous cybercrime tools.
"By taking down world's largest illegal DDoS seller in a worldwide joint law enforcement operation based on NCA intelligence, we have made an unprecedented impact on DDoS cybercrime," says Gert Ras, head of the National High Tech Crime Unit at the Dutch National Police. "Not only were the administrators of this illegal service arrested, but also users will now face prosecution and civil liability for caused damage.
"Stresser websites make powerful weapons in the hands of cybercriminals" says Jaap van Oss, Dutch chairman of J-CAT.
The NCA says it suspects that just one Webstresser site user, based in Bradford, England, is behind November 2017 DDoS attacks against seven of the U.K.'s largest banks. "They were forced to reduce operations or shut down entire systems, incurring costs in the hundreds of thousands to get services back up and running," the NCA says.
Police to Users: Forget Anonymity
Police say the effort is meant, in part, to highlight that users of such sites cannot count on anonymity. "This is a warning to all wannabee DDOS-ers - do not DDOS because through close law enforcement collaboration, we will identify you, bring you to court and facilitate that you will be held liable by the victims for the huge damage you cause," Ras says.
Jo Goodall, senior investigating officer at the NCA, says authorities will be reviewing seized customer records. "The arrests made over the past two days show that the internet does not provide bullet-proof anonymity to offenders and we expect to identify further suspects linked to the site in the coming weeks and months as we examine the evidence we have gathered," she says.
Previous investigations have also unearthed alleged stresser/booter site administrators and users.
In January, in Minnesota federal court, John Kelsey Gammell, 55, pleaded guilty to charges that included engaging in and directing DDoS attacks against websites run by his former employer as well as business competitors.
Gammell's plea was the result of an investigation by the FBI that relied, in part, on a database of records for the Israel-based stresser/booter service vDos. Customer records for the service were leaked to cybersecurity blogger Brian Krebs, who shared them with the bureau.
"The database records provided information on the complete administration of vDos, which includes user registrations, user logins, payment and subscription information, contact with users and attacks conducted; the database records include information related to Gammell, who was a customer of vDos," according to the FBI's complaint against Gammell. "The vDos attack logs cover the time period from approximately April 2016 to July 2016."
These types of investigations and resulting arrests once again "prove crime doesn't pay and that law enforcement will track you down eventually," says Woodward at the University of Surrey.