Attacks/Breaches
1/25/2013
12:08 PM
Connect Directly
RSS
E-Mail
50%
50%

Anonymous DDoS Attackers In Britain Sentenced

Two men receive jail time for botnet attacks on PayPal, MasterCard, Visa and the British anti-piracy lobby as part of Operation Payback.

Two men have been jailed in Britain for their role in launching distributed denial-of-service (DDoS) attacks against a number of high-profile sites, including PayPal.

"It is intolerable that when an individual or a group disagrees with a particular entity's activities, they should be free to curtail that activity by means of attacks such as those which took place in this case," said Judge Peter Testar, when he handed down his decision in the case, according to news reports.

British police had arrested five men and one minor as part of their investigation into the DDoS attacks. While one man was released without being charged and the minor released with a warning, the others were charged with violating the United Kingdom's Computer Misuse Act 1990. The group's ringleader, Christopher Weatherhead, 22, pleaded innocent to that charge, but was found guiltyin December 2012, and this week received a sentence of 18 months in jail. Meanwhile, Ashley Rhodes, 27, who pleaded guilty to the charge against him, received a jail sentence of seven months.

[ The Spamhaus group thwarted a Russian botnet. Read more at Virut Malware Botnet Torpedoed By Security Researchers. ]

A third man, Peter David Gibson, 24, pleaded guilty and was sentenced to six months imprisonment -- suspended for two years -- and 100 hours community service after the court found that he'd played a lesser role in the attacks. A fourth man, Jake Alexander Birchall, 18, who's currently on bail, last year pleaded guilty to the charge and is due to be sentenced on Feb. 1.

This appears to be the first time that people have been imprisoned in Britain for launching DDoS attacks, reportedthe BBC.

British police commended the sentencing. "Perpetrators of distributed denial-of-service attacks laud them as civil protests, but they can be incredibly damaging to the finances and reputations of online businesses. Simultaneously, they impact on the general public's ability to use online services," said detective chief inspector Terry Wilson of the Metropolitan Police Central e-Crime Unit, in a statement. "These men provided the infrastructure for such attacks. The sentences they have received are indicative of how serious the crime is and the tough approach the courts will take to such criminals."

Authorities said Weatherhead's group -- operating under such nicknames as "Nerdo" and "NikonElite" -- built a botnetthat they used to launch the attacks. While most botnets are comprised of surreptitiously exploited PCs, investigators said Weatherhead's botnet was comprised, at least in part, of volunteers' PCs, with many of the volunteers having been cultivated via Twitter and Facebook.

"The group targeted a number of companies from the digital entertainment industry that make up the anti-piracy lobby -- i.e., those taking legal actions against illegal file-sharing -- including 'Ministry of Sound' and the 'British Phonographic Industry,'" read a police statement. "The group then switched their attentions to companies including MasterCard and PayPal after their withdrawal of services from WikiLeaks."

PayPal had previously told the court that it incurred approximately $5.5 million in damages as a result of the attacks, which were conducted under the Anonymous banner as part of Operation Payback, which began after PayPal stopped processing payments on behalf of Wau Holland Foundation, which supported WikiLeaks. Along with the DDoS attacks, visitors to PayPal and other targeted websites were also redirected to a site that read, "You've tried to bite the Anonymous hand. You angered the hive and now you are being stung."

Unbeknownst to many of the attackers, however, their tool of choice -- dubbed Low Orbit Ion Cannon-- included the user's IP address with every attack packet, unless users took steps to hide it. As a result, PayPal was able to capture the IP addresses of many people who participated in the DDoS attacks, and it shared the information with investigators, who cross-referenced it with service providers' subscriber records to identify the people involved.

The "Nerdo" group leaders, however, were more sophisticated and used VPN services to hide their identities. Ultimately, however, their real identities were unraveled by British police, and in early 2011 the four men were busted.

"The investigators are really to be commended for breaking down the wall of anonymity that was put up in order to prevent the activity of these conspirators being interrupted," Judge Testar told the court.

The prosecution of these four men appears to be the end of prosecutions involving U.K. Operation Payback participants. British investigators have previously stated that unlike their U.S. law enforcement counterparts, who seem to be busting every Operation Payback participantthey can find, British police have preferred to target the ringleaders rather than the foot soldiers.

Cybercriminals are not only exploiting small and midsize businesses -- they're targeting them. While thefts of hundreds of thousands or even millions of credit card numbers and personal information records make headlines, many small companies' accounts have been cleaned out. In the SMBs In The Crosshairs report, we identify how SMBs are exploited, where their security fails and how they can shore up their defenses. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Binstock
50%
50%
Andrew Binstock,
User Rank: Apprentice
1/28/2013 | 7:55:18 AM
re: Anonymous DDoS Attackers In Britain Sentenced
"British police have preferred to target the ringleaders rather than the foot soldiers." Very curious to know the rationale. Is it part of a larger policy orientation, or are the laws substantially different in UK making convictions of 'foot soldiers' impractical, or is it driven by an outside factor, such as cost?
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.