In a co-ordinated operation involving police in 11 countries, including the United States, the world’s largest online attack-for-hire service, WebStresser.org – behind at least four million cyber attacks in the past three years – has been shut down and its infrastructure seized.
The complexity of the international response, wry ly named “Operation Power Off”, is an illustration of the huge level of physical and virtual expertise required to take down a website believed to have been set up and run by a 19-year-old Serbian hacker who goes by the nickname “mirk”.
WebStresser.org had an extraordinary 136,000 registered users when it was taken offline, and had been responsible since 2015 for distributed denial-of-service (DDoS) attacks on governments, police services, banks, and businesses of all sizes – causing chaos and frequently huge financial losses.
Ever conscious of the demands of the marketplace, WebStresser even launched a mobile phone app so that clients could launch attacks while away from their PCs
But what finally focused the authorities’ attention on WebStresser was not that it had grown from a minnow to a global shark in three years – but that it was now offering special low-cost deals: allowing customers to sign up to a payment plan for the attacks, for as little as €15 a month.
Hijacked web traffic
DDoS attacks direct huge amounts of hijacked traffic at a website or online platform, eating up the target’s bandwidth or overwhelming its server so that it slows down, becomes unusable, or is knocked offline – depriving users, such as a bank’s customers, for instance, of essential services.
A few years ago, launching a DDoS attack required an attacker well versed in internet technology. However, sites such as WebStresser changed all that, allowing criminals to purchase mercenary attack “packages” and to pay anonymously online, typically using cryptocurrencies such as Bitcoin.
Believe it or not, the monthly fee could buy the “client” a specified number of attacks, to be launched at the time of their choosing, along with “24x7 email support”, presumably to communicate along the way with the target.
Ever conscious of the demands of the marketplace, WebStresser even launched a mobile phone app so that clients could launch attacks while away from their PCs.
Free hacking
It was also very active on Facebook, inviting users to post positive reviews on YouTube – for which the most glowing were rewarded with a month’s free hacking.
What WebStresser had realised was that while most criminals didn’t know the first thing about launching a DDoS attack themselves, many saw it as the way of the future, and so were willing to hire the expertise. ‘It’s a serious growth industry’, observe tech experts, iboss.
The good news is that the seizure of WebStresser means as many as eight online 'resellers' of its services have also disappeared
“Operation Power Off” was led by the Dutch police and the UK’s National Crime Agency, and co-ordinated internationally – in the US, the UK, the Netherlands, Germany, Italy, Spain, Croatia, Serbia, Canada, Australia and Hong Kong – by the European policing agency, Europol, in The Hague.
First, the “administrators” of the service were arrested in the UK, Canada, Croatia, and Serbia. Its servers were seized in the US, Germany, and the Netherlands. And further unspecified “measures” were taken against the busiest users of the service – who were located in Australia, Canada, Hong Kong, the UK, the Netherlands, Italy, Spain and Croatia.
A visitor to WebStresser.org is now greeted by a message saying the site and its domain name have been “seized” on foot of a warrant issued by the US District Court.
‘Resellers’
The good news is that the seizure of WebStresser means as many as eight online “resellers” of its services have also disappeared. The bad news is that this won’t last long in the virtual world.
Not many remember now-defunct vDOS, which was the most popular attack-for-hire service on the international market – used to launch attacks on Amazon, Vodafone, BT, the BBC and others – until the Israelis arrested its two 18-year-old founders in 2016.
The power may have been turned off to WebStresser.org, but the underworld of teenage hackers is most probably inexhaustible.