Sunday, January 30, 2011

Anonymous DDOSers Arrested and Searched

Back in December we shared a couple of blog stories about a cyber attack being called Operation Payback. In the first, Internet Anarchy: Anonymous Crowds Flex Their Muscles, I discussed with UAB Justice Sciences Chair John Sloan some of the sociology behind these actions, especially the ideas of Diffuse Crowds and Convergence Theory. In the second article, Operation Payback Origins, we dug deeper into the activities of the group behind Operation Payback, a group tied back to the internet forums at 4Chan who call themselves Anonymous. On Friday, the FBI and other law enforcement agencies around the world began to show their hand.

In a January 27th FBI press release, the FBI announced that they had conducted forty search warrants around the country to gain evidence to identify some of the key US-based actors behind the DDOS attacks. They also revealed that IDS signatures had been shared with many of the key Internet Service Providers in the country to help them identify which of their subscribers were using a DDOS attack tool called LOIC. The press release contained a warning as well:

The FBI also is reminding the public that facilitating or conducting a DDoS attack is illegal, punishable by up to 10 years in prison, as well as exposing participants to significant civil liability.

The LOIC, or Low Orbit Ion Cannon, is a tool reminiscent of the tools distributed during the controversy surrounding the Iranian Elections. We wrote about those in an article called Armchair CyberWarriors, Twitter, and the Iran Election. In the DDOS tools of ancient days (five to ten years ago -- "ancient" in Internet years), DDOS attacks were performed primarily by hacking many home computers to form a botnet, and then instructing those computers to overwhelm a target by generating massive amounts of traffic towards that target. These attacks are called a "Distributed Denial of Service" attack, or DDOS. What changed with Iran was that many individuals were being invited to join the attack by intentionally installing DDOS software on their machines.

So, who were the forty FBI search warrants served against? We won't know for a while. In the United States, a search warrant is an investigative tool, used upon demonstration of "probable cause" to gather further information that will be used to create an indictment. While law enforcement agencies typically do not identify upon whom search warrants have been served, it is quite often the case, especially in protests such as this, that those served may choose to share that information themselves to begin rallying public support for their upcoming case. If the search warrant and other information gathered provide sufficient evidence to conclusively identify a criminal and document the crimes they have performed, the law enforcement agency will ask the prosecutor's office for an indictment. (In Federal cases, this would be a prosecutor at a United States Attorney's Office, usually chosen because a significant victim or a significant number of victims are located in their jurisdiction.) Even once the indictment has been issued, it is not unusual for the indictment to be "sealed" until the accused have been arrested, have had a chance to appoint an attorney, and have been "arraigned," which is when the charges are formally presented to them in a court setting. In some other countries, such as England, the law enforcement agencies are not allowed to name the accused so early in the case.

Speaking of England, UK police executed their own action against the Anonymous DDOSers of Operation Payback this week. The UK's Metropolitan Police released a statement about the arrests that shared the following details:

Detectives from the Metropolitan Police Service's Police Central e-Crime Unit (PCeU) have arrested five people in connection with offences under the Computer Misuse Act 1990. The five males, aged 15, 16, 19, 20 and 26, are being held after a series of coordinated arrests at residential addresses in the West Midlands, Northants, Herts, Surrey and London at 07:00hrs today (27 January).

Anonymous responded in an Open Letter to the UK Police, saying:

Not only does it reveal the fact that you do not seem to understand the present-day political and technological reality, we also take this as a serious declaration of war from yourself, the UK government, to us, Anonymous, the people.

and continuing:

So our advice to you, the UK government, is to take this statement as a serious warning from the citizens of the world. We will not rest until our fellow anon protesters have been released.

These were not the first DDOSers arrested in this case. The Dutch were the first to make an arrest. First, one of the AnonOps spokespersons slipped up and left their name embedded in the metadata of a PDF that they used for a press release. Alex Tapanaris and his website both disappeared the same day, as reported by Open Topic, which shares a PDF showing the document properties and the text of that press release. The website "TorrentFreak" posted speculation about the online moniker of the next Dutch hacker, also arrested back on December 10th. These arrests led the AnonOps attackers (Anonymous Operations = AnonOps) to then attack the Dutch Ministry of Justice.

How This Will Go Down

Obviously no one can say exactly how these cases will go down, but a brief look at history should help the current miscreants understand what they are likely to face.

AnonOps conveniently forgets to tell people about others in their little cyber protest army who have been arrested for DDOS attacks in the past. Dmitry Guzner, age 19, was the first. New Jersey-based Dmitry Guzner received a 366-day sentence for his involvement in DDOS attacks sponsored by 4Chan's Anonymous against the Church of Scientology. Right on his heels was Brian Thomas Mettenbrink of Grand Island, Nebraska. Brian also pleaded guilty to being involved in the DDOS, and as part of his guilty plea "only" received a one-year sentence. (Thanks to @lconstantin of Softpedia for reminding us of those prior examples.)

To put this in perspective, that's two hackers getting a year in jail each for attacking the Church of Scientology and causing "approximately $5,000 in damages." How much do you suppose the damage was for taking Mastercard and Visa offline?

Those who are choosing to involve themselves in this criminal behavior should take a look at the record of those who have gone before them before choosing to pick up their own criminal records.

Here's some more reading for those interested in becoming criminals, spending a year in prison, and paying between $20,000 and $37,000 of their own money by participating in an AnonOps DDOS:

Dmitriy Guzner's Guilty Plea

Dmitriy Guzner's Sentencing Documents

Brian Mettenbrink's Indictment

Brian Mettenbrink's Guilty Plea

Brian Mettenbrink's Sentencing Memo

Brian Mettenbrink's Sentencing documents, Attachments A-E including Brett having to pay the $20,000 fee that Scientology paid to Prolexic for DDOS protection.

Got Updates?

As we learn more about the forty search warrants from public sources, we'll add them here.

The Atlanta Progressive News shares that one of the Search warrants was executed at a Georgia Tech Dorm room belonging to Zhiwei "Jack" Chen.

Drifters Bar in Dixon Illinois was also searched during this investigation. The bar's computer was disassembled and the hard drive imaged, but it is believed the computer sought probably belonged to a patron who was taking advantage of the free WiFi to participate in Operation Payback.

The Guardian reveals that the UK 20 year old mentioned above is Chris Wood, who uses the AnonOps alias ColdBlood.

Saturday, January 01, 2011

2010 CyberCrime & Doing Time: Year In Review

As we look back on 2010, I'd like to thank our 132,325 visitors who read more than 214,000 stories on the blog, which is a bit more than a 10% increase over our 2009 readership. I thought it might be interesting to go through the year month by month and review which stories were most interesting to our readers, based on the number of times each article was read.


USAA Bank Latest Avalanche Scam

Iranian Cyber Army returns - target:

China Iran Cyberwar???


Fake Photo version of Zeus

Conficker.B Microsoft Warning Spam


Most Dangerous Cities for Cyber Crime

PKK Hackers Arrested in Turkey


70 Romanian Phishers & Fraudsters Arrested

Fake AV In the News


I actually didn't blog in May between grading finals and getting ready for several firsts at UAB, including our first Computer Forensics Camp for high schoolers, and our first National Science Foundation Research Experiences for Undergraduates in Cybercrime Investigations.

(Note: We are already taking applications for the UAB Crime REU which has three tracks, Criminal Justice, Forensic Science, and Computer Forensics. If you know an undergrad with a passion for Cybercrime investigation who would like to earn $450 per week, plus room and board, have them follow that link for an application!)

So, instead of giving you a CyberCrime & Doing Time story, let's look at MY favorite Security Blog, Krebs On

My top story in May was probably the Fraud Bazaar Hacked.


Anna Chapman and Mikhail Semenko vs. the FBI

Pro-Gaza Hackers Target Israeli Websites

IRS Malware: "Notice of Underreported Income" spam

Four Russian Spy Couples (& Two Solo Acts)

Russian Spies - Tradecraft and Follow the Money

178 International Credit Card Fraudsters Arrested


PakBugs Hackers Arrested

Stealing $10 Million, 20 cents at a time

The Future of Cyber Attack Attribution

ICE Operation In Our Sites


New Facebook Attack gives a One-Two Punch

Major Fraud Ring Busted in Largest Chinese Cybercrime Operation


17 Zeus Money Mules wanted by New York FBI

"Here You Have" spam spreads email worm

"Here You Have" Hype & Electronic Jihad


FBI's Operation ACHing Mule


Lin Mun Poo: Hacker of the Federal Reserve Bank and . . . ?

USAA Phish: Avalanche Uses many "Redirectors"

Another M00P Group Member Arrested


Oleg Nikolaenko, Mega-D Botmaster, to Stand Trial

Operation: Payback Origins

Internet Anarchy: Anonymous Crowds Flex Their Muscles