Brian Krebs now shares the details of his research which pointed to the guys running such infamous DDoS services as Booter.tw, AsylumStresser, and Rage Booter.

I decided this whole experience of getting hit with a kinetic and a cyber attack at the same time is just too good not to write about. I started asking around about what might have been responsible for the DDoS, and it turns out that the booter site that was used in this attack – and Lance is going to talk a little more about this in a bit – Booter.tw, had just had its SQL database hacked (see right-hand image). And whoever did it – I don’t really know, but I’m eternally grateful – basically put it on the booter’s own site for download from there, which I thought was wonderful, so I included the link to that in my story. But the database showed that the same account at this booter service that was used to attack my site actually was used to knock Ars Technica offline for about an hour. My buddy Dan Goodin at Ars Technica had called me after I tweeted about the SWAT. I’m like: “I just got swatted…” He goes: “Wtf?!”

So I did some digging on who was responsible for calling the SWAT to my house, and that led to a 20-year-old kid in Milford, Connecticut (see left-hand image). He used the nickname ‘phobia’. This kid denied doing my SWAT, but strangely enough, he admitted to being the guy that hijacked the iCloud account of Mat Honan at Wired.com. I’ll come back to that in a few minutes at the end of my talk, but if you haven’t read this story, it’s epic. I know this guy’s name; his dad gets on the phone and he goes: “Hey, my son didn’t say he hacked Mat Honan’s account. He said he knew Mat Honan.”

Anyway, after spotlighting what was going on with Booter.tw, I started taking a harder look at the booters that were popping up on Hack Forums. And it wasn’t hard to learn, for example, that one booter that had thousands of paying customers was AsylumStresser.com (see right-hand image).
And somehow, in the course of my reporting on this guy, the database for AsylumStresser got leaked as well. Not really sure how that happened. It pointed to the owner as a 17-year-old Honor Roll student from Chicago. And the database (see left-hand image) showed that AsylumStresser had more than 30,000 registered users, paying customers, and that it brought in more than $34,000 in subscription payments via PayPal. This kid set up his business very much like a legitimate cybercrime business. That doesn’t make any sense. He basically had paid a bunch of guys at bulletproof hosting providers in Romania to power most of his service. Asylum, like most of the booters, markets itself, as I said earlier, as a stress testing service – nobody’s going to attack anything but their own site, right? But all of these booter services include all kinds of ancillary add-on services that let you discover the IP address of people or websites that don’t want to be found. And they all have these disclaimers, like: “Hey, this has all been vetted by our lawyers, and we’re not responsible for what you do with our service.”

The next booter that I looked at was Rage Booter. This is by far the most interesting and entertaining one I looked at. The guy who runs it is a young stoner kid from Memphis. His name is Justin Poland. Again, he’s a big-time Hack Forums user. I think he’s kind of an idiot – he was not hard to find. So, he’s on Facebook (see left-hand image), and I’m like: “This is kinda cool; I’m just gonna go ahead and chat this guy up and see if he’ll talk to me if I friend him.” And he did! So we’re chatting on Facebook and I’m reading the posts that he’s putting up. He, by his own admission, smokes pretty much all of his income from the booter service, something like $1,200 worth of weed a week. I don’t even know how it’s possible to smoke that much weed. He’s seriously devoted to his site.
As you can see from this Facebook picture (see right-hand image), he got it tattooed on his back. Tl;dr. Rage Booter’s database also gets popped – again, I’m not really sure how that happened.

So I start chatting him up (see left-hand image) and I’m like: “Hey Justin, tell me more about your business.” And he’s like: “Oh, look, my service is vetted by lawyers, and everybody’s okay. And by the way, if you have any doubts about the legality of my service, I work at the FBI once a week; I go to the Memphis field office and work at the FBI once a week.” He also said they let him keep his site up as long as he gave them backdoor access to his site. At first I was skeptical, so I came back to him and I said: “Hey Justin, I called the Memphis FBI office and they said they didn’t know anything about you; they don’t know Justin Poland and they have no idea what I’m talking about. Maybe you could give me the name and the number of your handler?” And he did, as you can see here. He said: “Oh, it’s Agent Lies.” And I thought, oh God, seriously – this guy is named Agent Lies? Bullshit.

So I call him up, and ‘Agent Lies’ doesn’t want to say who he is, he doesn’t want to confirm anything like that, but he says: “You need to talk to the guy in charge of media relations at the Memphis field office. It’s this guy, here’s his number,” and then he hangs up. And two minutes later Justin goes: “I have been asked to block you. Have a nice day.” That’s it. Anyway, I did a little research afterwards because I thought this ‘Agent Lies’ was too much. But it turns out there is a Special Agent Lies in the Memphis field office (see left-hand image) and he does a lot of cyber cases, so maybe the guy was telling the truth, I really don’t know.
Read previous: Spy-jacking the Booters 2: Swatting as a Retaliation