Perimeter
12/28/2018 12:03 PM
Dark Reading
Products and Releases

Criminal Charges Filed in Los Angeles and Alaska in Conjunction with Seizures Of 15 Websites Offering DDoS-For-Hire Services

The Justice Department announced today the seizure of 15 internet domains associated with DDoS-for-hire services, as well as criminal charges against three defendants who facilitated the computer attack platforms.

The sites, which offered what are often called “booter” or “stresser” services, allowed paying users to launch powerful distributed denial-of-service, or DDoS, attacks that flood targeted computers with information and prevent them from being able to access the internet. Booter services such as those named in this action allegedly cause attacks on a wide array of victims in the United States and abroad, including financial institutions, universities, internet service providers, government systems, and various gaming platforms.

Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division, U.S. Attorney Nicola T. Hanna of the Central District of California, U.S. Attorney Bryan Schroder of the District of Alaska, and Assistant Director Matthew Gorham of the FBI Cyber Division made the announcement.  The action against the DDoS services comes the week before the Christmas holiday, a period historically plagued by prolific DDoS attacks in the gaming world. 

On Dec. 19, pursuant to seizure warrants issued by the U.S. District Court for the Central District of California, the FBI seized the domains of 15 booter services, which represent some of the world’s leading DDoS-for-hire services.  Among these sites were critical-boot.com, ragebooter.com, downthem.org and quantumstress.net.

According to the affidavit in support of the warrant authorizing the seizure of the 15 websites, these services offered easy access to attack infrastructure, payment options that included Bitcoin, and were relatively low cost.  Each of the services was tested by the FBI, which verified those DDoS attack services offered through each of the seized websites.  While testing the various services, the FBI determined that these types of services can and have caused disruptions of networks at all levels.

In conjunction with the seizure warrants, the U.S. Attorney’s Office for the Central District of California on Dec. 19 charged Matthew Gatrel, 30, of St. Charles, Illinois, and Juan Martinez, 25, of Pasadena, California, with conspiring to violate the Computer Fraud and Abuse Act through the operation of services known as Downthem and Ampnode.  According to the criminal complaint filed in Los Angeles, Downthem offered DDoS services directly to users who wished to attack other internet users, and Ampnode offered resources designed to facilitate the creation of standalone DDoS services by customers.  Between October 2014 and November 2018, Downthem’s database showed over 2000 customer subscriptions, and had been used to conduct, or attempt to conduct, over 200,000 DDoS attacks.

On Dec. 12, the U.S. Attorney’s Office for the District of Alaska charged David Bukoski, 23, of Hanover Township, Pennsylvania, with aiding and abetting computer intrusions.   The charging documents allege that Bukoski operated Quantum Stresser, one of the longest-running DDoS services in operation.  As of Nov. 29, Quantum had over 80,000 customer subscriptions dating back to its launch in 2012.  In 2018 alone, Quantum was used to launch over 50,000 actual or attempted DDoS attacks targeting victims worldwide, including victims in Alaska and California.

“DDoS attacks are serious crimes that can cause real harm, as shown by the wide range of sectors allegedly victimized in this case,” said Assistant Attorney General Benczkowski.  “The operators and the customers of DDoS-for-hire services should be on notice that the Department of Justice will aggressively prosecute those who perpetrate malicious cyber attacks.”

“DDoS for hire services such as these pose a significant national threat,” said U.S. Attorney Schroder.  “Coordinated investigations and prosecutions such as these demonstrate the importance of cross-District collaboration and coordination with public sector partners.”   

“The attack-for-hire websites targeted in this investigation offered customers the ability to disrupt computer networks on a massive scale, undermining the internet infrastructure on which we all rely,” said U.S. Attorney Hanna.  “While this week’s crackdown will have a significant impact on this burgeoning criminal industry, there are other sites offering these services – and we will continue our efforts to rid the internet of these websites.  We are committed to seeing the internet remain a forum for the free and unfettered exchange of information.”

“Whether you launch the DDoS attack or hire a DDoS service to do it for you, the FBI considers it criminal activity,” said FBI Assistant Director Gorham.  “Working with our industry and law enforcement partners, the FBI will identify and potentially prosecute you for this activity.  We will use every tool at our disposal to combat all forms of cybercrime including DDoS activity.  We encourage all DDoS victims to contact your local FBI field office or file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov.”

Over the past five years, booter and stresser services have grown as an increasingly prevalent class of DDoS attack tools.  These types of DDoS attacks are so named because they result in the “booting” or dropping of the victim-targeted website from the internet.  Booter-based DDoS attack tools offer a low barrier to entry for users looking to engage in cyber criminal activity, representing an effective advance in internet attack technology.

For additional information on booter and stresser services and the harm that they cause, please visit: https://www.ic3.gov/media/2017/171017-2.aspx.

The charges in the indictment and criminal complaint are merely allegations, and the defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

The cases announced today are being investigated by the FBI’s Anchorage Field Office and the FBI’s Cyber Initiative and Resource Fusion Unit (CIRFU).  Additional assistance was provided by the FBI’s Chicago, Los Angeles, Memphis, and Philadelphia Field Offices and the Scranton, Pennsylvania Resident Agency; the Major Cyber Crimes Unit, Global Operations and Targeting Unit, and Money Laundering Intelligence Unit of FBI Headquarters; Defense Criminal Investigative Service; and the U.S. Attorney’s Offices for the Eastern District of Pennsylvania, Middle District of Pennsylvania, Western District of Tennessee and the Northern District of Illinois.  The United Kingdom’s National Crime Agency, the Dutch National Police – National High Tech Crime Unit, and the National Cyber-Forensics & Training Alliance made invaluable contributions.  Akamai, Bell Aliant, Cloudflare, Entertainment Software Association, Flashpoint, Google, Oath Inc., Oracle, Palo Alto Networks Unit 42, PayPal, Riot Games, ShadowDragon, SpyCloud, University of Cambridge and other valued private sector partners provided additional assistance.
