Hitting the Books: How hackers turned cybercrime into a commercial service

As anyone who regularly games online can attest, DDoS (dedicated denial of service) attacks are an irritatingly common occurrence on the internet. Drawing on the combined digital might of a geographically diffuse legion of zombified PCs, hackers are able to swamp game servers and prevent players from logging on for hours or days at a time. The problem has metastasized in recent years as enterprising hackers have begun to package their botnets and spamming tools into commercial offerings, allowing any Tom, Dick, and Script-kiddie rental access to the same power.

It’s a big internet out there, and bad actors are plentiful. There are worse things than spammers and scammers swimming in the depths of the Dark Web. In his new book, Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks, Dr. Scott J Shapiro, Professor of Law and Philosophy at Yale Law School traces the internet’s illicit history through five of the biggest attacks on digital infrastructure ever recorded.

FANCY BEAR GOES PHISHING: The Dark History of the Information Age, in Five Extraordinary Hacks by Scott J. Shapiro. Published by Farrar, Straus and Giroux. Copyright © 2023 by Scott J. Shapiro. All rights reserved.

Not all Denial of Service attacks use botnets. In 2013, the Syrian Electronic Army (SEA)—the online propaganda arm of the brutal Bashar al-Assad regime—hacked into Melbourne IT, the registrar that sold the nytimes.com domain name to The New York Times. The SEA altered the DNS records so that nytimes.com pointed to SEA’s website instead. Because Melbourne IT contained the authoritative records for the Times’ website, the unauthorized changes quickly propagated around the world. When users typed in the normal New York Times domain name, they ended up at a murderous organization’s website.

Conversely, not all botnets launch Denial of Service attacks. Botnets are, after all, a collection of many hacked devices governed by the attacker remotely, and those bots can be used for many purposes. Originally, botnets were used for spam. The Viagra and Nigerian Prince emails that used to clutter inboxes were sent from thousands of geographically distributed zombie computers. In these cases, the attacker reaches out to their army of bots, commanding them to send tens of thousands of emails a day. In 2012, for example, the Russian Grum botnet sent over 18 billion spam emails a day from 120,000 infected computers, netting its botmaster $2.7 million over three years. Botnets are excellent spam infrastructure because it’s hard to defend against them. Networks usually use “block lists”: lists of addresses that they will not let in. To block a botnet, however, one would have to add the addresses of thousands of geographically disbursed servers to the list. That takes time and money.

Because the malware we have seen up till now — worms, viruses, vorms, and wiruses.— could not work together, it was not useful for financially motivated crime. Botnet malware, on the other hand, is because the botnets it creates are controllable. Botmasters are capable of issuing orders to each bot, enabling them to collaborate. Indeed, botnet malware is the Swiss Army knife of cybercrime because botmasters can tell bots in their thrall to implant malware on vulnerable machines, send phishing emails, or engage in click fraud allowing botnets to profit from directing bots to click pay-per-click ads. Click fraud is especially lucrative, as Paras Jha would later discover. In 2018, the ZeroAccess botnet could earn $100,000 a day in click fraud. It commanded a million infected PCs spanning 198 countries, including the island nation of Kiribati and the Himalayan Kingdom of Bhutan.

Botnets are great DDoS weapons because they can be trained on a target. One day in February 2000, the hacker MafiaBoy knocked out Fifa.com, Amazon.com, Dell, E*TRADE, eBay, CNN, as well as Yahoo!, then the largest search engine on the internet. He overpowered these web servers by commandeering computers in forty-eight different universities and joining them together into a primitive botnet. When each sent requests to the same IP address at the same time, the collective weight of the requests crashed the website.

After taking so many major websites off-line, MafiaBoy was deemed a national security threat. President Clinton ordered a countrywide manhunt to find him. In April 2000, MafiaBoy was arrested and charged, and in January 2001 he pled guilty to fifty-eight charges of Denial of Service attacks. Law enforcement did not reveal MafiaBoy’s real name, as this national security threat was only fifteen years old. MafiaBoy later revealed himself to be Michael Calce. “You know I’m a pretty calm, collected, cool person,” Calce reported. “But when you have the president of the United States and attorney general basically calling you out and saying, ‘We’re going to find you’ . . . at that point I was a little bit worried.” Calce now works in the cybersecurity industry as a white hat — a good hacker, as opposed to a black hat, after serving five months in juvenile detention.

Both MafiaBoy and the VDoS crew were adolescent boys who crashed servers. But whereas MafiaBoy did it for the lulz, VDoS did it for the money. Indeed, these teenage Israeli kids were pioneering tech entrepreneurs. They helped launch a new form of cybercrime: DDoS as a service. DDoS as a service is a subscription-based model that gives subscribers access to a botnet to launch either a daily quota or unlimited attacks, depending on the price. DDoS providers are known as booter services or stressor services. They come with user-friendly websites that enable customers to choose the type of account, pay for subscriptions, check status of service, launch attacks, and receive tech support.

VDoS advertised their booter service on Hack Forums, the same site on which, according to Coelho, Paras Jha spent hours. On their website, www.vdos-s.com, VDoS offered the following subscription services: Bronze ($19.99/month), Silver ($29.99/month), Gold ($39.99/month), and VIP ($199.99/month) accounts. The higher the price, the more attack time and volume. At its peak in 2015, VDoS had 1,781 subscribers. The gang had a customer service department and, for a time, accepted PayPal. From 2014 to 2016, VDoS earned $597,862, and it launched 915,287 DDoS attacks in one year.

VDoS democratized DDoS. Even the most inexperienced user could subscribe to one of these accounts, type in a domain name, and attack its website. “The problem is that this kind of firepower is available to literally anyone willing to pay thirty dollars a month,” Allison Nixon, director of security research at business-risk-intelligence firm Flashpoint, explained. “Basically what this means is that you must have DDoS protection to participate on the internet. Otherwise, any angry young teenager is going to be able to take you off-line in a heartbeat.” Even booter services need DDoS protection. VDoS hired Cloudflare, one of the largest DDoS mitigation companies in the world.

DDoS as a service was following a trend in cybercrime known as “malware as a service.” Where users had once bought information about software vulnerabilities and tried to figure out how to exploit those vulnerabilities themselves, or had bought malicious software and tried to figure out how to install and execute it, they could now simply pay for the use of malware and hack with the click of a button, no technical knowledge required.

Because customers who use DDoS as a service are inexperienced, they are particularly vulnerable to scams. Fraudsters often advertise booter services on public discussion boards and accept orders and payment, but do not launch the promised attacks. Even VDoS, which did provide DDoS service, did so less aggressively than advertised. When tested by Flashpoint, VDoS botnet never hit the promised fifty gigabits/second maximum, ranging instead from six to fourteen gigabits/second.

The boards that advertise booter services, as Hack Forums once did, are accessible to anyone with a standard browser and internet connection. They exist on the Clear Web, not on the so-called Dark Web. To access sites on the Dark Web you must use a special network, known as Tor, typically using a special browser known as the Tor Browser. When a user tries to access a website on the Dark Web, the Tor Browser does not request web pages directly. It chooses three random sites—known as nodes—through which to route the request. The first node knows the original sender, but not the ultimate destination. The second node knows neither the original source nor the ultimate destination—it recognizes only the first node and the third node. The third node knows the ultimate destination, but not the original sender. In this way, the sender and receiver can communicate with each other without either knowing the other’s identity.

The Dark Web is doubly anonymous. No one but the website owner knows its IP address. No one but the visitor knows that they are accessing the website. The Dark Web, therefore, tends to be used by political dissidents and cybercriminals—anyone who needs total anonymity. The Dark Web is legal to browse, but many of its websites offer services that are illegal to use. (Fun fact: the U.S. Navy created the Dark Web in the mid-1990s to enable their intelligence agents to communicate confidentially.)

It might be surprising that DDoS providers could advertise on the Clear Web. After all, DDoS-ing another website is illegal everywhere. In the United States, one violates the Computer Fraud and Abuse Act if one “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization,” where damage includes “any impairment to the . . . availability of data, a program, a system, or information.” To get around this, booter services have long argued they perform a legitimate “stressor” function, providing those who set up web pages a means to stress test websites. Indeed, booter services routinely include terms of service that prohibit attacks on unauthorized sites and disclaim all responsibility for any such attacks.

In theory, stressor sites play an important function. But only in theory. Private chats between VDoS and its customers indicated that they were not stressing their own websites. As a booter service provider admitted to Cambridge University researchers, “We do try to market these services towards a more legitimate user base, but we know where the money comes from.”

[Read More…]