[HN Gopher] UK sets up fake booter sites to muddy DDoS market
___________________________________________________________________
UK sets up fake booter sites to muddy DDoS market
Author : todsacerdoti
Score : 74 points
Date : 2023-03-28 17:36 UTC (5 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| coxomb wrote:
| Say what you want about 'booter' services, but a DDoS of a
| particular web presence has been a long standing weapon of
| dissidents/activists who want certain services taken down, even
| if only briefly. It's the only means of online protest we have,
| short of simply sending an e-mail to a hosting service asking for
| certain content to be taken down, or DMCA'ing them.
|
| Edit: The real pros don't use Booter-as-a-Service sites, they
| infect a bunch of IoT devices using tools they made themselves
| and hammer a specific IP or range of IPs.
| sneak wrote:
| Censorship is censorship and it's abhorrent regardless of who
| is doing it or why.
|
| Dressing it up in terms like "protest" is a smokescreen.
| joosters wrote:
| Clever idea!
|
| I wonder why they chose to tell the users when they registered,
| instead of waiting? Could they have gone ahead and let them place
| orders for DDOS attacks, to capture more proof of the users'
| criminal intent, or would that count as entrapment? Someone who
| 'merely' registered could try to claim that they were a
| researcher, but if you hit the button to DDoS someone, that's
| going to be more difficult to deny responsibility for.
|
| [Edit: Now that's making me imagine a disgruntled user suing the
| NCA for breach of contract: "I paid money for a DDoS and they
| didn't provide the service!"]
| gs17 wrote:
| Unless the UK is very different, it shouldn't be entrapment to
| let them try to buy it. IANAL, but in the US, entrapment as a
| defense requires "the defendant's lack of predisposition to
| engage in the criminal conduct".
| iudqnolq wrote:
| Which, by the way, is absolute bullcrap. A classic example is
| an undercover telling people at a methadone clinic that
| they've been cut off because of a paperwork snafu and
| begging people to share their legally prescribed methadone so
| they don't go into withdrawal. Because anyone at a clinic
| treating drug use has a predisposition to use illegal drugs,
| it can't be entrapment.
| cdot2 wrote:
| Your sentence is confusing because of the unclear use of
| "they". It sounds like in this case an undercover cop would
| come to someone asking for their controlled drugs and
| you're arguing that it should be entrapment.
| burnished wrote:
| I suspect the idea was to discourage instead of entrap/punish.
| I guess I'm also curious about the rationale, was it a
| strategic decision, a humane one, or a legal one? All of the
| above?
|
| Maybe as simple as the action being illegal and since they are
| not providing the advertised service then no crime is
| committed? I don't know how broadly applicable this is but in
| at least one state the local drinking laws boil down to 'you
| will not serve minors', perhaps something similar here.
| Analemma_ wrote:
| It probably would also help with investigations too. If Joe
| Bloggs tried to sign up to attack bobsforum.com, got warned
| off by one of these services, and then a couple weeks later
| bobsforum.com had an actual attack, they're probably going to
| knock on Joe Bloggs' door first.
| tmpz22 wrote:
| A lot of them are kids, students, etc. Gamers are a major
| demographic for this stuff.
| Consumer8735 wrote:
| They probably monitored the communities that talk about these
| services and figured that suspicions were growing. Also if you
| say that there are more services out there, then it makes
| people think twice.
| owisd wrote:
| Probably deliberate, for most a warning and a stern phone call
| will probably be enough to convince them not to try it again so
| if preventing crime rather than getting convictions is your
| goal then it's done its job.
|
| It wouldn't be entrapment unless the NCA was proactively
| coercing people into placing orders. (you can't have a contract
| for something illegal so there'd be no right of action)
| lcnPylGDnU4H9OF wrote:
| Besides entrapment, I could imagine that they do genuinely want
| to increase awareness that it's illegal (meh, "in the majority
| of countries"). It's more about discouraging people from using
| such services so they're likely not looking to prosecute the,
| so far, several thousand people who have tried to sign up for
| the services.
| doix wrote:
| If I saw that page (and the screenshot is accurate), I would
| assume it's fake. It looks like a fake ad straight out of the mid
| 00's. Those "The FBI has your location" type ads.
| Veen wrote:
| Yes, but these sites target morons; the sort of people who buy
| DDoS attacks using identifiable details and IP addresses and
| pay with traceable payment methods.
| acuozzo wrote:
| > Yes, but these sites target morons
|
| I used to wonder why so many scam e-mails use such poor
| English until I realized this.
| samtp wrote:
| It's exactly the page I would expect to see if I tried to
| download a car
| robotnikman wrote:
| That's actually a clever idea, a fake DDoS service honeypot.
| tmpz22 wrote:
| Interesting to see the UK taking the lead on this - anecdotally
| one of the premier game studios in the UK (Jagex) has had long
| standing issues with their MMORPG worlds getting knocked offline
| by DDoS tools like these, as well as individual players.
|
| A lot of infrastructure struggles under basic scaling situations,
| much less coordinated attacks on specific endpoints.
| bombcar wrote:
| The VC move would be to cut out the middleman, Jagex can sell a
| service that DDoSs itself; pay enough and they'll take down a
| world; pay more, they bring it back up.
| Nextgrid wrote:
| One of the very few times a police force appears to be doing
| something effective when it comes to cybercrime. I wish they'd do
| a lot more honeypot operations - a lot of cybercrime is very low-
| level perpetrated by kids with no/poor opsec - establishing
| honeypot presence on the major hacking forums where these kids
| congregate would do wonders. Not only will it yield actual leads
| for more serious cases, but would reduce crime to begin with if
| the markets become saturated with honeypot services in such a way
| that finding a real, "legit" one becomes impossible.
| hinata08 wrote:
| >"Users based in the UK will be contacted by the National Crime
| Agency or police and warned about engaging in cyber crime."
|
| Do people really give their actual contact details to do crimey
| activities? I'm not a cybercriminal so I don't know about these
| sites. But if I had to do something illegal, I wouldn't use my
| actual name.
|
| It seems more like how you set someone up. And they release the
| news about this site just days before the 1st of April. Why?
| robotnikman wrote:
| You would be surprised, a lot of people have bad opsec when it
| comes to doing stuff online. When it comes to booting it
| usually also involves kids and teens doing stuff like
| trying to take down minecraft servers, and a lot of them don't
| consider such details.
| mrguyorama wrote:
| A lot of times the users of these services are very dumb people
| trying to get very dumb revenge on something they perceive as a
| very dumb slight
| unethical_ban wrote:
| I heard a story from a cybersecurity pro that their former
| spouse worked for US intelligence. The spouse signed up for a
| message board for people who were trying to land a job at the
| CIA. The spouse had to use a credit card to sign up. The site
| was a honeypot by the CIA.
| autoexec wrote:
| > Do people really give their actual contact details to do
| crimey activities?
|
| You'd hope not, but lots of people do when it comes to piracy.
| Private trackers often require accounts and interviews which
| can cause someone to leave a pretty extensive digital trail if
| they aren't careful including a clear record of everything they
| uploaded and when.
| rdtsc wrote:
| > Do people really give their actual contact details to do
| crimey activities?
|
| On one hand we could say that anything helps: if they catch the
| stupid ones, that's still great. On the other hand, that may
| be all they're after, if they're compensated or promoted based
| on cases solved. "Last quarter we caught 120 criminals in our
| clever snare". That looks very nice on a report so it may be
| that's all they're happy doing.
| rapind wrote:
| I feel like catching the dumb ones is like using antibiotics.
| The smarter survivors share information and procreate (forums
| etc.).
| yelling_cat wrote:
| They won't be snagging professionals with this, and in this
| specific case I think that's fine.
|
| I expect most of the people who'd fall for it are young or
| immature people, trying to get back at someone who beat them in
| a game or argued with them on social media. For whatever reason
| many of these folks see DDoSing, sending death threats and even
| swatting as "pranks" instead of crimes. A friendly reminder
| that doing this stuff can get them in serious trouble could nip
| that behavior in the bud before something tragic happens.
| vlovich123 wrote:
| Assuming the legal system uses it as a teaching exercise. For
| some reason I feel like it's going to be used to throw the
| book at people who would be better served by guidance /
| opportunities instead.
| _Wintermute wrote:
| From what I've heard on DarkNet Diaries, the UK courts seem
| quite good at picking up intelligent youngsters involved in
| hacking and giving them a chance to move into
| cybersecurity.
| mulmen wrote:
| But the same systemic weakness that enables Swatting can be
| exploited here. Specifically that the government assumes good
| faith. Instead of sending a SWAT team to your house I can
| sign up for a DDoS in your name.
| incone123 wrote:
| I'd like to think that the investigation would be more
| sophisticated than just see what name is on the ddos
| request.
| [deleted]
| [deleted]
| eli wrote:
| And then you'll get a warning from the police? While not
| ideal, that's hardly the same as a potentially fatal
| swatting
| marcosdumay wrote:
| Depends entirely on how the police reacts, but it could
| as well lead to them confiscating all of your computers
| and putting you in a jail.
|
| Of course, swatting is worse. An on-demand terrorist
| attack by phone call is hard to top. But this one can be
| pretty bad too. Well, or maybe not, because it's not the
| starting evidence that makes it bad.
| bragr wrote:
| I remember reading about a guy who set up a fake hitman for
| hire site and got people all the time contacting him to whack
| their spouses or whatever, and would provide all the needed
| details. If the people persisted, he'd pass them onto the
| police.
|
| Edit: found it: RentAHitman.com
|
| https://boingboing.net/2022/01/11/how-rentahitman-com-went-f...
|
| https://www.reddit.com/r/AMA/comments/v5422p/i_operate_a_fak...
| kube-system wrote:
| > Despite the claims made by founder Guido Fanelli,
| RentAHitman.com does not actually comply with the privacy
| laws as sort forth in the Hitman Information Privacy &
| Protection Act of 1964 (also known as HIPPA).
|
| That is hilarious. I've always wondered what HIPPA was, now I
| know. ;)
| jabroni_salad wrote:
| Cheaters always seem to think they are in the right with what
| they are doing. I don't see why booters (kicking people off of
| p2p multiplayer games) would even realize that they are doing a
| crime, much less doing something wrong. It's just another
| variety of cheating.
| psychphysic wrote:
| The websites will offer PayPal and then email people who apply.
|
| This is why we need a robust crypto system.
|
| So that you can pay for whatever you want without worrying
| about giving away who you are.
| mlyle wrote:
| > This is why we need a robust crypto system.
|
| I don't think the need to be able to buy DDoS without getting
| caught is the most compelling argument. Do you think being
| able to packet people is a social good?
| autoexec wrote:
| It's been used by hacktivists before, although people can
| already pay with bitcoin or other anonymous forms of
| payment anyway, so even if you accept the DoS as a valid
| form of protest (and I'm not sold on that personally) we
| don't really need any new crypto system
| GauntletWizard wrote:
| Organic, home-grown DDOS attacks with dozens to thousands
| of people using home-internet grade connection, such as
| the infamous 4-chan LOIC, can reasonably be compared to a
| form of protest. Loudly blocking the way into a business
| is pretty common among strikers.
|
| For profit DDOS attacks using significantly stolen
| bandwidth from compromised machines are clearly a
| different thing entirely. Where you draw the line between
| them is a discussion topic.
| NikolaNovak wrote:
| I mean... I applaud your honesty and pragmatism as to what
| are the main reasons why we'd want a working crypto currency
| system. It's refreshing :)
| medellin wrote:
| Almost all crypto at this point can be linked back to a
| person since it's mostly bought through a few large exchanges
| that the government has complete insight into.
|
| The only way for it to not be traced outside of monero and
| maybe a few others that have no adoption is to buy in cash in
| person and transfer it to a never before used address. Mine
| it yourself and never mix it with your other funds.
| a13n wrote:
| Could be based on IP address too, not just given contact info.
| ipaddr wrote:
| Spoof an ip address? Unheard of.
| layer8 wrote:
| I'm pretty sure the identification will be by IP and possibly
| email address, similar to how bittorrent seeders are identified
| for copyright infringement.
___________________________________________________________________
(page generated 2023-03-28 23:00 UTC)