The worldwide— and illegal — cyberattack-for-hire business flourishes. Got a grievance against a retailer? A former spouse bugging you? Plenty of online thugs will take astonishingly small sums of money and launch a cyberattack on your behalf.
The hackers-for-hire flood a website with malicious traffic and knock it off line.
Fed up with such malignant attacks, law enforcement officials around the world took action, announcing Wednesday that authorities in 12 countries, including the United States, had seized servers and arrested four top administrators of webstresser.org, crippling what is believed to be the most successful of the cyberattack-for-hire platforms.
The high-tech crime unit of Dutch police and the U.K.’s National Crime Agency led the investigation, according to Europol, the European Union’s law enforcement agency.
More than 136,000 people had signed up for webstresser.org’s attack services, and the online platform’s hackers launched more than 4 million Direct Denial of Service (DDoS) attacks in recent years, Europol said. In a DDoS attack, hackers overwhelm a targeted website or network with traffic, causing it to crash.
“The orchestrated attacks targeted critical online services offered by banks, government institutions and police forces, as well as victims in the gaming industry,” Europol said in a statement.
“The damage of these attacks is substantial,” the Dutch police said in a statement on Reddit, a discussion website. “Victims are out of business for a period of time.”
Researchers said the takedown of webstresser.org underscores how services offered by criminal hackers have filtered from the underground dark web, where criminals and anarchists lurk, to platforms that appear legitimate. And they have tens of thousands of clients, some with petty grievances.
“People are doing DDoS attacks for strange reasons, like if they lose in an online game, they attack the server. Or if they just don’t like a football team, they DDoS that football team’s website,” said Ben Herzberg, director of threat research at Imperva, a Redwood Shores, California, company that defends clients from such attacks.
“You give people cheap weapons and anonymity, and they know that they will probably not get caught, and you get mayhem,” Herzberg said.
It might seem initially like a lark to those who launch such attacks.
“They attack their school. They attack people they get in internet arguments with. They attack websites. They have a hammer, and everything looks like a nail,” said Allison Nixon, security research director at Flashpoint, a dark web intelligence firm based in New York.
Researchers say motives vary from “extortion, to attacks seeking media attention, to anticompetitive practices using DDoS, to harassment of one’s exes, or harassment against a former employer,” Nixon said in an email.
Asked how many such services exist, she said “tons.” Another expert, Andrew Lloyd, president of Corero Network Security, said “hundreds” of sites offer “stresser” or “booter” services, called such because they boot people offline.
Researchers widely believe that webstresser.org is the largest hacker-for-hire platform.
The FBI warned citizens last October that using such services, or paying others to carry out attacks, is punishable under the Computer Fraud and Abuse Act, and could lead to "significant" jail time and fines.
In a report earlier this month, Corero said DDoS attacks have doubled in frequency in the past six months alone, with some businesses suffering 50 attacks a day.
“Almost all the attacks are rented,” Lloyd said, meaning that the attackers were hired by a third party. “The vast majority of attacks are less than 10 minutes.”
If done with skill, a short attack can inflict significant harm.
“A less-than-10-minute attack can cause someone to be offline for hours, if not days,” Lloyd said, as tech workers for targeted networks reboot systems and mitigate damage.
Webstresser.org offered levels of service for all budgets, ranging from $18.99 for one month to $999 for a heavy-duty three-month plan, depending on the caliber of digital ammunition deployed.
“While the lowest-tier account is only able to push enough traffic to take down a home user, Flashpoint analysts assess with high confidence that the higher-tier accounts can likely push much larger attacks,” Flashpoint said in a March 23 report on webstresser.org.
The model of offering criminal services on an online platform is “making cybercrime as easy as shopping online,” said Gregory Webb, chief executive of Bromium, a Cupertino, California, cybersecurity firm.
In actions this week, law enforcement arrested webstresser.org administrators in the United Kingdom, Croatia, Canada and Serbia, Europol said. Clients of the platform were targeted in the Netherlands, Italy, Spain, Croatia, the United Kingdom, Australia, Canada and Hong Kong, it added.
Nixon, of Flashpoint, said laws have not kept pace with the desire of law enforcement to crack down on criminal hacker platforms.
“Booter owners have only been getting arrested in the past three years or so, and a lot of hard work had to be done in each country to figure out how to use outdated laws to support going after these services which are causing a lot of harm,” Nixon said.