[HN Gopher] UK sets up fake booter sites to muddy DDoS market
___________________________________________________________________
UK sets up fake booter sites to muddy DDoS market

Author : todsacerdoti
Score  : 74 points
Date   : 2023-03-28 17:36 UTC (5 hours ago)

(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)

| coxomb wrote:
| Say what you want about 'booter' services, but a DDoS of a particular web presence has been a long standing weapon of dissidents/activists who want certain services taken down, even if only briefly. It's the only means of online protest we have, short of simply sending an e-mail to a hosting service asking for certain content to be taken down, or DMCA'ing them.
|
| Edit: The real pros don't use Booter-as-a-Service sites, they infect a bunch of IoT devices using tools they made themselves and hammer a specific IP or range of IPs.

| sneak wrote:
| Censorship is censorship and it's abhorrent regardless of who is doing it or why.
|
| Dressing it up in terms like "protest" is a smokescreen.

| joosters wrote:
| Clever idea!
|
| I wonder why they chose to tell the users when they registered, instead of waiting? Could they have gone ahead and let them place orders for DDOS attacks, to capture more proof of the users' criminal intent, or would that count as entrapment? Someone who 'merely' registered could try to claim that they were a researcher, but if you hit the button to DDoS someone, that's going to be more difficult to deny responsibility for.
|
| [Edit: Now that's making me imagine a disgruntled user suing the NCA for breach of contract: "I paid money for a DDoS and they didn't provide the service!"]

| gs17 wrote:
| Unless the UK is very different, it shouldn't be entrapment to let them try to buy it. IANAL, but in the US, entrapment as a defense requires "the defendant's lack of predisposition to engage in the criminal conduct".

| iudqnolq wrote:
| Which, by the way, is absolute bullcrap. A classic example is an undercover telling people at a methadone clinic that they've been cut off because of a paperwork snafu and begging people to share their legally prescribed methadone so they don't go into withdrawal. Because anyone at a clinic treating drug use has a predisposition to use illegal drugs, it can't be entrapment.

| cdot2 wrote:
| Your sentence is confusing because of the unclear use of "they". It sounds like in this case an undercover cop would come to someone asking for their controlled drugs and you're arguing that it should be entrapment.

| burnished wrote:
| I suspect the idea was to discourage instead of entrap/punish. I guess I'm also curious about the rationale, was it a strategic decision, a humane one, or a legal one? All of the above?
|
| Maybe as simple as the action being illegal and since they are not providing the advertised service then no crime is committed? I don't know how broadly applicable this is but in at least one state the local drinking laws boil down to 'you will not serve minors', perhaps something similar here.

| Analemma_ wrote:
| It probably would also help with investigations too. If Joe Bloggs tried to sign up to attack bobsforum.com, got warned off by one of these services, and then a couple weeks later bobsforum.com had an actual attack, they're probably going to knock on Joe Bloggs' door first.

| tmpz22 wrote:
| A lot of them are kids, students, etc. Gamers are a major demographic for this stuff.

| Consumer8735 wrote:
| They probably monitored the communities that talk about these services and figured that suspicions were growing. Also if you say that there are more services out there, then it makes people think twice.

| owisd wrote:
| Probably deliberate, for most a warning and a stern phone call will probably be enough to convince them not to try it again so if preventing crime rather than getting convictions is your goal then it's done its job.
|
| It wouldn't be entrapment unless the NCA was proactively coercing people into placing orders. (you can't have a contract for something illegal so there'd be no right of action)

| lcnPylGDnU4H9OF wrote:
| Besides entrapment, I could imagine that they do genuinely want to increase awareness that it's illegal (meh, "in the majority of countries"). It's more about discouraging people from using such services so they're likely not looking to prosecute the, so far, several thousand people who have tried to sign up for the services.

| doix wrote:
| If I saw that page (and the screenshot is accurate), I would assume it's fake. It looks like a fake ad straight out of the mid 00's. Those "The FBI has your location" type ads.

| Veen wrote:
| Yes, but these sites target morons; the sort of people who buy DDoS attacks using identifiable details and IP addresses and pay with traceable payment methods.

| acuozzo wrote:
| > Yes, but these sites target morons
|
| I used to wonder why so many scam e-mails use such poor English until I realized this.

| samtp wrote:
| It's exactly the page I would expect to see if I tried to download a car

| robotnikman wrote:
| That's actually a clever idea, a fake DDoS service honeypot.

| tmpz22 wrote:
| Interesting to see the UK taking the lead on this - anecdotally one of the premier game studios in the UK (Jagex) has had long standing issues with their MMORPG worlds getting knocked offline by DDoS tools like these, as well as individual players.
|
| A lot of infrastructure struggles under basic scaling situations, much less coordinated attacks on specific endpoints.

| bombcar wrote:
| The VC move would be to cut out the middleman, Jagex can sell a service that DDoSs itself; pay enough and they'll take down a world; pay more, they bring it back up.

| Nextgrid wrote:
| One of the very few times a police force appears to be doing something effective when it comes to cybercrime. I wish they'd do a lot more honeypot operations - a lot of cybercrime is very low-level perpetuated by kids with no/poor opsec - establishing honeypot presence on the major hacking forums where these kids congregate would do wonders. Not only will it yield actual leads for more serious cases, but would reduce crime to begin with if the markets become saturated with honeypot services in such a way that finding a real, "legit" one becomes impossible.

| hinata08 wrote:
| > "Users based in the UK will be contacted by the National Crime Agency or police and warned about engaging in cyber crime."
|
| Do people really give their actual contact details to do crimey activities? I'm not a cybercriminal so I don't know about these sites. But if I had to do something illegal, I wouldn't use my actual name.
|
| It seems more like how you set someone up. And they release the news about this site just days before the 1st of April. Why?

| robotnikman wrote:
| You would be surprised, a lot of people have bad opsec when it comes to doing stuff online. When it comes to booting it also usually involves kids and teens doing stuff like trying to take down minecraft servers, and a lot of them don't consider such details.

| mrguyorama wrote:
| A lot of times the users of these services are very dumb people trying to get very dumb revenge on something they perceive as a very dumb slight

| unethical_ban wrote:
| I heard a story from a cybersecurity pro that their former spouse worked for US intelligence. The spouse signed up for a message board for people who were trying to land a job at the CIA.
| The spouse had to use a credit card to sign up. The site was a honeypot by the CIA.

| autoexec wrote:
| > Do people really give their actual contact details to do crimey activities?
|
| You'd hope not, but lots of people do when it comes to piracy. Private trackers often require accounts and interviews which can cause someone to leave a pretty extensive digital trail if they aren't careful including a clear record of everything they uploaded and when.

| rdtsc wrote:
| > Do people really give their actual contact details to do crimey activities?
|
| On one hand we could say that anything helps: if they catch the stupid ones, that's still great. On the other hand, that may be all they're after, if they're compensated or promoted based on cases solved. "Last quarter we caught 120 criminals in our clever snare". That looks very nice on a report so it may be that's all they're happy doing.

| rapind wrote:
| I feel like catching the dumb ones is like using antibiotics. The smarter survivors share information and procreate (forums etc.).

| yelling_cat wrote:
| They won't be snagging professionals with this, and in this specific case I think that's fine.
|
| I expect most of the people who'd fall for it are young or immature people, trying to get back at someone who beat them in a game or argued with them on social media. For whatever reason many of these folks see DDoSing, sending death threats and even swatting as "pranks" instead of crimes. A friendly reminder that doing this stuff can get them in serious trouble could nip that behavior in the bud before something tragic happens.

| vlovich123 wrote:
| Assuming the legal system uses it as a teaching exercise. For some reason I feel like it's going to be used to throw the book at people who would be better served by guidance / opportunities instead.

| _Wintermute wrote:
| From what I've heard on DarkNet Diaries, the UK courts seem quite good at picking up intelligent youngsters involved in hacking and giving them a chance to move into cybersecurity.

| mulmen wrote:
| But the same systemic weakness that enables Swatting can be exploited here. Specifically that the government assumes good faith. Instead of sending a SWAT team to your house I can sign up for a DDoS in your name.

| incone123 wrote:
| I'd like to think that the investigation would be more sophisticated than just see what name is on the ddos request.

| [deleted]

| [deleted]

| eli wrote:
| And then you'll get a warning from the police? While not ideal, that's hardly the same as a potentially fatal swatting

| marcosdumay wrote:
| Depends entirely on how the police reacts, but it could as well lead to them confiscating all of your computers and putting you in a jail.
|
| Of course, swatting is worse. An on-demand terrorist attack by phone call is hard to top. But this one can be pretty bad too. Well, or maybe not, because it's not the starting evidence that makes it bad.

| bragr wrote:
| I remember reading about a guy who set up a fake hitman for hire site and got people all the time contacting him to whack their spouses or whatever, and would provide all the needed details. If the people persisted, he'd pass them onto the police.
|
| Edit: found it: RentAHitman.com
|
| https://boingboing.net/2022/01/11/how-rentahitman-com-went-f...
|
| https://www.reddit.com/r/AMA/comments/v5422p/i_operate_a_fak...

| kube-system wrote:
| > Despite the claims made by founder Guido Fanelli, RentAHitman.com does not actually comply with the privacy laws as sort forth in the Hitman Information Privacy & Protection Act of 1964 (also known as HIPPA).
|
| That is hilarious. I've always wondered what HIPPA was, now I know. ;)

| jabroni_salad wrote:
| Cheaters always seem to think they are in the right with what they are doing.
| I don't see why booters (kicking people off of p2p multiplayer games) would even realize that they are doing a crime, much less doing something wrong. It's just another variety of cheating.

| psychphysic wrote:
| The websites will offer PayPal and then email people who apply.
|
| This is why we need a robust crypto system.
|
| So that you can pay for whatever you want without worrying about giving away who you are.

| mlyle wrote:
| > This is why we need a robust crypto system.
|
| I don't think the need to be able to buy DDoS without getting caught is the most compelling argument. Do you think being able to packet people is a social good?

| autoexec wrote:
| It's been used by hacktivists before, although people can already pay with bitcoin or other anonymous forms of payment anyway, so even if you accept the DoS as a valid form of protest (and I'm not sold on that personally) we don't really need any new crypto system

| GauntletWizard wrote:
| Organic, home-grown DDOS attacks with dozens to thousands of people using home-internet grade connection, such as the infamous 4-chan LOIC, can reasonably be compared to a form of protest. Loudly blocking the way into a business is pretty common among strikers.
|
| For profit DDOS attacks using significantly stolen bandwidth from compromised machines are clearly a different thing entirely. Where you draw the line between them is a discussion topic.

| NikolaNovak wrote:
| I mean... I applaud your honesty and pragmatism as to what are the main reasons why we'd want a working crypto currency system. It's refreshing :)

| medellin wrote:
| Almost all crypto at this point can be linked back to a person since it's mostly bought through a few large exchanges that the government has complete insight into.
|
| The only way for it to not be traced outside of monero and maybe a few others that have no adoption is to buy in cash in person and transfer it to a never before used address.
| Mine it yourself and never mix it with your other funds.

| a13n wrote:
| Could be based on IP address too, not just given contact info.

| ipaddr wrote:
| Spoof an ip address? Unheard of.

| layer8 wrote:
| I'm pretty sure the identification will be by IP and possibly email address, similar to how bittorrent seeders are identified for copyright infringement.
___________________________________________________________________
(page generated 2023-03-28 23:00 UTC)