Bureau Issues Stresser/Booter and Internet of Things Warnings
Have you been the victim of a distributed denial-of-service attack? If so, the FBI wants you to please come forward.
See Also: How to Scale Your Vendor Risk Management Program
The FBI is asking anyone in the United States who’s been the victim of a DDoS attack to file a report with the local FBI field office or via the website of the Internet Crime Complaint Center, or IC3. That’s a joint partnership between the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance, which was set up to receive and investigate internet-related crime complaints from U.S. victims.
This week’s DDoS alert from the FBI focuses on the threat posed by stresser/booter services. Such services are often marketed as a way to “stress test” your own website. But law enforcement agencies say the “DDoS on demand” services are widely used by attackers to disrupt websites and extort organizations into paying attackers to restore access (see Teen Hacker Sentenced Over ‘Titanium Stresser’ Attacks).
The FBI says such services “are leveraged by malicious cyber actors, pranksters, and/or hacktivists to conduct large-scale cyberattacks designed to prevent access to U.S. company and government websites.”
Attacked businesses can lose more than just website accessibility. Last October, at least 80 businesses fell victim to a DDoS attack campaign, including domain name service provider Dyn. The company estimates that the resulting disruption caused it to lose about 8 percent of its customers.
That attack was fueled by Mirai malware, which infects internet of things devices, including routers, digital video recorders and internet-connected security cameras. And the FBI, in its alert, also urges individuals and organizations to take steps to ensure that their IoT devices cannot be compromised.
Information Sought by the FBI
When reporting DDoS attacks, the FBI requests that victims:
- Identify the traffic protocol or protocols used in the DDoS attack – such as DNS, NTP, SYN flood;
- Attempt to preserve netflow and attack-related packet capture;
- Describe any extortion attempts or other threats related to the DDoS attack;
- Share all correspondence with attackers “in its original, unforwarded format”;
- Provide information about themselves;
- Estimate the total losses they suffered as a result of the DDoS attack;
- Provide transaction details – if the victim paid a ransom or other payment in response to the attack – including the recipient’s email address and cryptocurrency wallet address;
- Describe what specific services and operations the attack impacted;
- List IP addresses used in the DDoS attack.
The FBI isn’t alone in its request for victims to inform law enforcement when they fall victim to online attackers. Its counterpart in the United Kingdom, the National Crime Agency, has issued similar pleas, as have cybercrime police in Ireland.
Law enforcement officials also recommend that victims of attempted DDoS extortions, ransomware and other cyber-enabled shakedowns never pay demanded ransoms. But in most countries, including the United States and the United Kingdom, there are no laws that prohibit paying ransoms.
Working With Law Enforcement
A plea from law enforcement agencies to report these types of crimes – in part to help track down the operators and users of stresser/booter services – also featured prominently at Information Security Media Group’s Fraud and Data Breach Prevention Summit in London.
Detective Chief Inspector Andrew Fyfe of the City of London Police, who oversees its National Fraud Intelligence Bureau – which collects fraud reports from England, Wales and Northern Ireland, as part of the country’s Action Fraud program – highlighted DDoS attacks as an ongoing concern for British businesses.
In the last six months, Action Fraud received reports of 163 DDoS attacks, plus another 170 DDoS attacks that included an extortion demand, Fyfe said in a Tuesday presentation at the summit.
But British law enforcement officials believe that about 90 percent of cybercrime never gets reported to authorities, and there is no legal obligation to do so, Fyfe said.
Speaking on Wednesday at ISMG’s summit, Detective Constable Raymond Black, a cyber investigating officer for the Metropolitan Police Service, highlighted the upsides of sharing attack information with police. He also emphasized that sharing attack details need not lead to an investigation being launched.
Black noted that a small case – initially not reported to police – involving a September 2015 SQL injection attack and extortion demand against a London-based cigar retailer helped crack the case involving the October 2015 hack attack against London telecommunications giant TalkTalk.
Investigators learned that in both cases, the same email address – email@example.com, sent via Sigaint.org, an anonymous, darknet email service – was used to send extortion demands, all of which instructed victims to deposit cryptocurrency into the same bitcoin wallet address.
From there, Black says “server analysis and covert techniques” helped police identify a number of suspects. Five are U.K.-based, and four have pleaded guilty, while the fifth, a 15-year-old, has pleaded part-guilty and remains under investigation. Another suspect remains under investigation in the Netherlands.
With cybercrime being such a global problem, and suspects in one country often attacking victims in another, law enforcement agencies continue to intensify cross-border information sharing, for example via Europol.
Speaking at ISMG’s summit on Tuesday, Efrene G. Sakilayan, the FBI’s legal attaché in London, said he serves as the interface between every bureau field office and law enforcement agency in the United Kingdom as well as the Republic of Ireland. “My main function is to interface with local law enforcement to investigate the variety of threats that the FBI investigates worldwide,” he says.