Cybercrime as-a-service , DDoS Protection , Fraud Management & Cybercrime

Stress Test: Police Visit Webstresser Stresser/Booter Users

Seized Customer Data Appears to Be Powering Ongoing Dutch and UK Probes
Stress Test: Police Visit Webstresser Stresser/Booter Users

An international operation to target users of Webstresser, a notorious stresser/booter service launched in 2015 that allowed customers to launch distributed denial-of-service attacks on demand, is underway and has resulted in arrests, according to Europol, the EU's law enforcement intelligence agency. The police message: Using darknet cybercrime services doesn't guarantee anonymity, even if you pay with bitcoin.

See Also: Compromised Credentials Monitoring Brief

Using stresser/booter services is illegal. Nevertheless, Europol said Webstresser.org boasted 136,000 registered users and had been used to launch more than 4 million attacks against websites - ranging from banks and government agencies to police forces and gaming sites.

Webstresser offered subscriptions that started at just $14.99 per month, security experts say.

But the site's dominance as the world's biggest stresser/booter service came to an end in April 2018, when six of the site's suspected top administrators were arrested in the United Kingdom, Croatia, Canada and Serbia. Authorities in the Netherlands, Germany and the United States also seized Webstresser's servers, resulting in a full takedown of the service.

Webstresser's subscription offerings

In Australia, Canada, Croatia, Hong Kong, Italy, the Netherlands, Spain and the U.K., police also have arrested or questioned some of the site's top suspected users (see: Police Seize Webstresser.org, Bust 6 Suspected Admins).

This effort, dubbed Operation Power Out, is continuing, spearheaded by the Dutch Politie and the U.K. National Crime Agency, and coordinated by a Europol joint action task force.

"Since November 2018, a number of Webstresser.org users in the U.K. have found themselves the subject of law enforcement activity," the NCA says. "Officers from the NCA's National Cyber Crime Unit, with support from Regional Organized Crime Units and Police Scotland, have executed eight warrants and seized more than 60 personal computers, tablets and mobile phones. A number of users also received 'cease and desist' notices. A further 400 users of the service are now being targeted by the NCA and partners."

Jim Stokley, deputy director of the NCA's National Cyber Crime Unit, notes: "The action taken shows that although users think that they can hide behind usernames and cryptocurrency, these do not provide anonymity. We have already identified further suspects linked to the site, and we will continue to take action.

"Our message is clear: This activity should serve as a warning to those considering launching DDoS attacks. The NCA and our law enforcement partners will identify you, find you and hold you liable for the damage you cause."

Secret De-Anonymizing Sauce

The NCA didn't immediately respond to a request for comment about how exactly it's been identifying suspected Webstresser users.

It's likely, however, that police have continued to study the systems, equipment and records they seized when they arrested suspected Webstresser administrators. Even if users paid with pseudonymous cryptocurrency such as bitcoin, they may have registered with email addresses that they used on another site, such as a message board, that leads back to their real name or IP address.

Law enforcement and intelligence agencies also have techniques for correlating bitcoin transactions with other activities, including changing virtual currency into hard currency, which can help them identify cryptocurrency users' real identity. But the extent of these capabilities remains a closely held secret (see: Tougher to Use Bitcoin for Crime?).

In addition, police have continued to seize records for other darknet services. In 2017, for example, police shuttered the world's two largest darknet marketplaces, AlphaBay and Hansa. Seized information would have likely included lists of the bitcoin wallets used by customers to make payments as well as postal addresses to which goods should be shipped. No doubt, investigators have a "big data" effort underway to build lists of darknet users' real identities.

So take heed, anyone with a penchant for a "DDoS first, think later" approach: When it comes to identifying suspects, law enforcement agencies have time on their side.

"If you were daft enough to use Webstresser.org to pay for a DDoS attack then you can expect a visit from the police," tweets cybercrime expert Alan Woodward, a computer science professor at the University of Surrey.

FBI Shutters Quantum Stresser

In the U.S., the FBI is also working to disrupt stresser/booter services.

In December 2018, the FBI seized 15 DDoS-for-hire websites, including Downthem and Quantum Stresser.

The U.S. Justice Department said the timing of the seizures was not accidental. "The action against the DDoS services comes the week before the Christmas holiday, a period historically plagued by prolific DDoS attacks in the gaming world," it said (see: Feds Disrupt Top Stresser/Booter Services).

Romanian police have also been investigating two more small-scale DDoS services and have seized evidence, including customer lists, Europol says.

Enough Kick to Disrupt Liberia

Using stresser/booter services might sound innocuous, but it can have a profound impact. A single Mirai botnet, for example, used DDoS attacks to successfully disrupt internet access for the small West African country of Liberia.

Mirai was originally built to disrupt gaming sites. But after its developers published the source code, it was adapted by others.

The Liberia disruptions were the work of Daniel Kaye, a 30-year-old Englishman. In December 2018, he pleaded guilty to working as a hacker-for-hire and disrupting access to Liberia's leading mobile phone and internet company. Kaye said he first used stresser/booter services to disrupt the ISP, before building his own Mirai botnet to launch the DDoS attacks.

"At their peak in November 2016, these DDoS attacks crashed the West African country's entire internet access with one attack resulting in millions of pounds worth of damage," Europol says.

In January, Kaye was sentenced by a U.K. judge to serve nearly three years in prison (see: UK Sentences Man for Mirai DDoS Attacks Against Liberia).

Source: Europol

Rehab for Young Hackers

Authorities continue to test new intervention techniques for trying to divert young stresser/booter users - and other potential cybercrime aficionados - into more positive and legal pursuits. That's essential, given the dozens of stresser/booter services that remain available as well as the seemingly never-ending supply of individuals, especially young adults, who keep patronizing them.

In 2017, the NCA began testing weekend rehab camps for young cybercriminals, the BBC reported.

One attendee subsequently told the BBC: "Now that I know cybersecurity exists, it sounds like it would be something I really, really want to go into. You get the same rush, the same excitement, but you are using it for fun still, but it is legal and you get paid. So, it's every kind of benefit."

In the Netherlands, meanwhile, police and prosecutors are jointly running an experimental program called Hack_Right. It aims to keep first-time offenders ages 12 to 23 from graduating to more serious crimes by implementing a four-phase program - recovery, training, alternative and coaching - that includes having the offenders complete internships in IT departments.

"A Dutch user of webstresser.org has already received this alternative sanction," Europol says.

Top Industries Targeted by DDoS

Top DDoS targets based on quantity of attacks against organizations in designated North American industry classifications. (Source: Netscout)

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.