Europol Announces DD4BC Arrests

DDoS , DDoS Attacks

DDoS for Bitcoin Extortion Gang Targeted in 'Operation Pleiades' Europol Announces DD4BC Arrests

European police have arrested a "main target" as part of a previously undisclosed law enforcement effort, dubbed Operation Pleiades, against the distributed denial-of-service attack gang called DD4BC.

See Also: Stop Fraud, Not Customers: Focus On Good User Experience

The group - its name is short for "DDoS for bitcoin" - has gained notoriety by threatening to disrupt targeted organizations' websites, and carrying through on those threats unless they pay the group off in bitcoins.

Authorities say that while the group initially ran Bitcoin extortion campaigns that primarily targeted the online gambling sector, it's since broadened its activities to focus on numerous high-profile organizations, including businesses in the financial services and entertainment sectors. Individual ransom demands the group has made - at least ones which have come to light - typically demand 100 bitcoins ($45,000), security experts say.

But on Jan. 12, the association of European police agencies, known as Europol, announced that its European Cybercrime Center, EC3, helped coordinate an operation that resulted in the arrest of a main target and another suspect. As part of the operation, which occurred last month - from Dec. 15 to 16 - police also searched multiple properties and seized "an extensive amount of evidence," much of which is no doubt now being subjected to digital forensic analysis.

A Europol spokeswoman tells Information Security Group that both of the arrests were made in Bosnia and Herzegovina. The country - capital: Sarajevo - is located in southeastern Europe on the Balkan Peninsula. Europol says that Britain's Metropolitan Police Cyber Crime Unit helped identify "key members of the organized network" located in Bosnia and Herzegovina, and that law enforcement agents from the country, as well as Austria, Germany and the United Kingdom, ran the operation in coordination with Europol.

Police Appeal to Victims: Work With Us

Authorities say they've been tracking DD4BC since it launched in mid-2014. And Europol says that it believes the DDoS extortion attacks - carried out by the likes of DD4BC, the so-called Armada Collective and others - are on the rise, and driven in part by their ability to use pseudonymous payment mechanisms that make it difficult for investigators to "follow the money" as it flows from victims to crooks (see DDoS: 4 Attack Trends to Watch in 2016).

"This type of extortion attack has become a well-established criminal enterprise and has affected thousands of victims globally, with the number of unreported incidents believed to be much higher," Europol says. "The absence of reporting by private companies and individuals poses particular difficulties in law enforcement's efforts to prosecute these cyber threats."

Wil van Gemert, Europol's deputy director of operations, says the DD4BC crackdown happened in part thanks to targeted organizations working with police, including alerting authorities when they were the victims of an attempted shakedown (see Irish Cybercrime Conference Targets Top Threats). "Police actions such as Operation Pleiades highlight the importance of incident reporting and information sharing between law enforcement agencies and the targets of DDoS and extortion attacks," he says.

Europol notes that this operation was made possible too thanks to extensive cross-border collaboration and information sharing. Notably, the operation was led by police in Austria, backed by EC3 and the EU's Joint Cybercrime Action Taskforce - J-CAT - and also featured assistance from law enforcement agencies from Australia, France, Japan, Romania, Switzerland, as well as the U.S. Secret Service and FBI, and Interpol.

"This arrest and other actions demonstrates how powerful effective intelligence sharing can be," says Dublin-based information security consultant Brian Honan, who advises Europol on cybersecurity matters. "I know many victim companies who will smile as they read the news."

Regarding the @EC3Europol action against DD4BC, big kudos to all those victim organisations who worked with LEA to enable police take action

DDoS Rises Again

Alan Woodward, a computer science professor at the University of Surrey in England who also serves as a cybersecurity adviser to Europol, says he cannot comment on the DD4BC arrests. But speaking more generally, "DDoS is back on the agenda," he tells Information Security Media Group. "What astonishes me is that there are a growing number of services for DDoS. It must be one of the fastest growing areas of crime as a service."

Indeed, some recent DDoS attacks - such as the purported use of a service called BangStresser to disrupt the BBC's Web domain on New Year's Eve 2015 - seem to have been launched simply to advertise the underlying DDoS service. Furthermore, this cybercrime-as-a-service ecosystem often disguises related activities by infecting legitimate PCs with malware, to turn them into botnet nodes from which DDoS disruptions, spam campaigns and other attacks get launched (see How Do We Catch Cybercrime Kingpins?).

"Tracking these guys down is really difficult," Woodward says. "The problem is they effectively get others to do their dirty work for them. And being distributed, they co-opt many into such attacks, often without their knowledge."

Stopping DDoS Attacks

Woodward says one high-level way to try and undercut DDoS attacks is to "prevent, persuade or otherwise stop the bulletproof hosters who are often complicit in these attacks," referring to the services that provide hosting and a promise to look the other way, in exchange for their customers paying premium prices (see Hacker Havens: The Rise of Bulletproof Hosting Environments ). Owners of legitimate systems that have been compromised by attackers also "need to make sure they have mechanisms in place to stop such abuse," he says.

A second potential DDoS defense is to "try to prevent IP spoofing," which DDoS attackers often rely on, he says. "The main form of these massive attacks is amplification attacks, which all rely upon spoofing the address from where a request came from, such that the returns all fire at the same system." While there is an Internet Engineering Task Force standard - BCP38 - that would help, "like many things it hasn't really taken off," he says (see Spamhaus DDoS Attack Called Preventable).

Until the above comes to fruition, "as a business your only other hope is to try to get some form of protection from companies like CloudFlare," Woodward says, referring to the DDoS defense firm. He also recommends organizations craft a DDoS incident-response plan - and line up defenses - before they get targeted.

Victims: Keep Coming Forward

Honan also urges victims to keep coming forward, so that police can target DDoS-wielding criminals (see Hackers Wield Extortion). "Hopefully this action will demonstrate to organizations who may fall victim to cybercriminals - be that via ransomware, DDOS extortion, or other criminal actions - that reporting the issue to law enforcement can generate results," he says. "Even if your individual case does not get resolved, the information shared with law enforcement could be a vital piece in the larger jigsaw puzzle that Europol and other law enforcement agencies are putting together to picture the criminals behind these crimes."