Records From Hacked Stresser/Booter Service vDos Helped Unmask Suspect
In separate cases, two hackers have either pleaded guilty or been sentenced to serve jail time in part for launching or facilitating distributed denial-of-service attacks.
See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach
In Minnesota federal court, John Kelsey Gammell, 55, last week pleaded guilty to charges that included engaging in and directing DDoS attacks against websites run by his former employer as well as business competitors.
Meanwhile in the United Kingdom, a British man last week received a two-year sentence for attempting to disrupt websites run by Google and Skype, which is owned by Microsoft.
Gammell Admits DDoS Attacks
On Wednesday, Gammell pleaded guilty before District Judge Wilhelmina M. Wright to one count of conspiracy to cause intentional damage to a protected computer and two counts of being a felon in possession of a firearm.
From July 2015 to March 2017, “Gammell directed DDoS attacks at a number of victims’ websites, including websites operated by companies he used to work for, companies that declined to hire him, competitors of Gammell’s business, and websites for law enforcement agencies and courts, among others,” according to a second superseding indictment filed against the defendant on Jan. 8.
On-Demand DDoS Subscriptions
Gammell launched DDoS attacks both from his own computers as well as by hiring at least seven DDoS-for-hire services to launch on-demand disruptions, including Booter.xyz, CStress, Inboot, IPStresser and VDoS (see DDoS for Hire: Israel Arrests Two Suspects).
“Of the seven DDoS-for-hire websites, search warrant results and vDos records indicate Gammell made mayments to cStress, inboot.me and vDos,” FBI Special Agent Brian Behm writes in a complaint against Gammell filed in court on April 14, 2017. “In email communications with several individuals … Gammell identified cStress, vDos and booter.xyz as his favorite DDoS services to use.”
Gammell had also pursued plans to offer his own DDoS-on-demand service, according to court documents.
Ultimately, Gammell’s own DDoS attacks targeted “dozens of victims,” including targets in Minnesota, such as his former employer, Washburn Computer Group in Monticello, which suffered more than a year of disruptions, according to his plea agreement. Other targets included Minnesota’s Dakota County Technical College as well as the Minnesota State Courts website and sites run by businesses, including Convergys, Enterprise Rent-A-Car, Hong Kong Exchanges and Clearing, JP Morgan Chase, Verizon Communications and Wells Fargo.
“Gammell took a variety of steps to avoid detection and circumvent his victims’ DDoS attack mitigation efforts, such as using IP address anonymization services to mask his identity and location, using cryptocurrency in payment for DDoS-for-hire services, using multiple DDoS-for-hire services at once to amplify his attacks, using spoofed emails to conceal his conduct, and using encryption and drive-cleaning tools to conceal digital evidence of his conduct on his computers,” according to his plea agreement.
Stresser/Booter Services: On-Demand DDoS
On-demand DDoS services are often sold on the cybercrime underground as stresser/booter services, suggesting that they have a legitimate use for testing websites’ ability to repel DDoS attacks. In reality, however, law enforcement experts say these sites are designed solely for disruption.
Like many other cybercrime-as-a-service offerings, DDoS disruptions often get launched by malware-infected endpoints that have been pressed into service as part of a botnet that can remotely issue instructions to these PCs.
The cost of subscribing to stresser/booter services continues to decrease. “An attack on a regular website is typically just $10 per hour, whereas an attack on a website that employs basic protections against DDoS attacks is typically $25 per hour,” Liv Rowley, an intelligence analyst at threat-intelligence firm Flashpoint in New York, tells Information Security Media Group. “The most expensive DDoS-for-hire services are for attacks geared toward government, military, or bank websites, ranging from $100 to $150 per hour.”
Top DDoS-Attacked Industries
A study published last year by cybersecurity firm Imperva found that gambling, gaming, internet services and financial websites were most targeted by DDoS attackers.
Taunting Mouse Animation
Despite apparent attempts by Gammell to hide his tracks, however, the FBI said it only took a handful of subpoenas to unmask his identity.
According to the complaint against Gammell, Washburn – where Gammell used to work – received taunting emails from a Yahoo and a Gmail address. Gammell had left Washburn on good terms, according to court documents, but later had a falling out over a financial dispute about training Gammell was to provide to Washburn personnel.
“The emails appear to taunt Washburn management regarding ongoing IT issues the company was experiencing – at that time, Washburn’s only ‘ongoing IT issues’ were based on the DDoS attacks,” Behm writes.
Both of the taunting messages “asked how everything was at Washburn” and included an attached image or GIF animation of a laughing mouse.
“For those of you looking to start a career in cybersecurity, take a lesson from this story: Threatening a potential employer with a cyberattack is not the best way to make a positive impression,” says cybersecurity expert Brian Honan, who leads Dublin-based BH Consulting, in a recent SANS newsletter.
Subpoenas Reveal Identity
The FBI appears to have quickly unmasked the sender of the taunting emails. Grand jury subpoenas for subscriber information filed with Google and Yahoo found that both had been registered using a phone number with a 612 area code – for Minnesota.
A further subpoena to AT&T Wireless confirmed that the subscriber was Gammell, and a subpoena to ISP CenturyLink found that an IP address used to register the Gmail address had at the time been assigned to Gammell’s residence in New Mexico.
The FBI said its investigation was aided by a database of vDos records provided to the FBI by an “internet security researcher” – known to be cybersecurity blogger Brian Krebs, although he is not named in court documents.
“The database records provided information on the complete administration of vDos, which includes user registrations, user logins, payment and subscription information, contact with users and attacks conducted; the database records include information related to Gammell, who was a customer of vDos,” the FBI’s Behm writes in the complaint. “The vDos attack logs cover the time period from approximately April 2016 to July 2016.”
Guilty Plea: Firearms Possession
Gammell is a convicted felon who had been prohibited from possessing firearms or ammunition based on prior felony convictions, including a 1992 federal conviction for being a felon in possession of a firearm. He was released from prison on the felon in possession conviction in 2006 and finished probation in 2010.
In his plea agreement, however, Gammell admitted that he “possessed parts for use in the building of AR-15 assault rifles, upper and lower receivers, a pistol grip, a trigger guard, 15 high-capacity magazines, a buttstock, a buffer tube, and 420 rounds of 5.56 x 45mm full metal jacket rifle ammunition in Colorado, where he worked,” according to court documents. “He further admitted that he possessed a Heckler & Koch P2000 handgun, and a Springfield Armory model 1911-A1, .45 caliber handgun, as well as hundreds of rounds of ammunition in New Mexico, where he resided.”
In some of his communications, Gammell claimed to be a member of Anonymous, according to court documents.
Gammell had also been charged with two counts of aggravated identity theft, to which he did not plead guilty. Those charges were dropped. He is due to be sentenced at a later date.
Skype Attacker Also Sentenced
In a separate case, Alex Bessell, 21, of Liverpool, England, was sentenced at Birmingham Crown Court to serve two years in prison.
Bessell had been charged with earning more than £530,000 ($740,000) since 2011 by selling remote administration tools, malware, “crypters” that are designed to repack malware to better evade anti-virus software scanners, as well as infecting more than 9,000 PCs with malware that was used in part to launch DDoS attacks against the likes of Skype, Pokemon and Google, according to police (see Police: DDoS Provider Targeted Google, Pokemon, Skype).
The services were advertised in part via a site he created called Aiobuy. Police said Bessell’s site “advertised 9,077 items and it had 1 million recorded visitors with over 34,000 sales.”
Bessell’s arrest last year followed “a lengthy and complex police operation, which spanned several countries and involved the collection and analysis of detailed data to identify him,” Hannah Sidaway, says a senior crown prosecutor for the West Midlands in England.
On Thursday, Bessell admitted to multiple offenses in violation of the Computer Misuse Act and was also convicted of other offenses, including money laundering tied to the hacks as well as registering a company using a false address to attempt to give his operations legitimacy.
“Bessell was responsible for the creation, use and distribution of computer malware from 2010 onwards – during which time law enforcement have seen this type of criminality grow at a phenomenal rate,” Sidaway says. “His actions enabled others across the world to commit thousands of criminal attacks. Such activity can result in the compromising of personal data, extortion, loss of valuable data or work, loss of custom for businesses and a high cost to rectify the damage sustained.”