The Threat of Reputation-Based Attacks

CastleCops.com is accustomed to being attacked by online crooks: The volunteer-led cybercrime-fighting group has endured a nearly month-long siege by thousands of criminally controlled PCs aimed at crippling its Web site. So when the latest attack failed to prevent legitimate users from visiting the site, the bad guys unveiled an unlikely secret weapon: bogus donations.

The unauthorized contributions all came in via PayPal, the online payment service owned by eBay. Some were sent via PayPal accounts that attackers had hijacked in phishing scams; others were submitted through PayPal's e-check option using compromised checking account numbers. A few donations were for as little as $1, while other fake donations ranged as high as $2,800.

To the victims of the stolen PayPal accounts, it looks as if CastleCops is the one stealing their money, when in reality it's the attackers. The fraudulent activity also seeks to ruin CastleCops's relationship with PayPal.

This attempt to smear the good name of a legitimate organization by tainting it with the stain of illegal activity - known as a "reputation attack" - came after more than three weeks of sustained distributed denial-of-service (DDoS) attacks against CastleCops.com. So-called DDoS attacks direct the Web traffic of thousands of "bots" - compromised PCs that, when grouped together, are called "botnets" - at a targeted site, with the aim of rendering it unreachable.

CastleCops is working with PayPal and the FBI to try to stem the fraudulent donations. So far, the organization has refunded 37 unauthorized contributions, but many more are still pending. Meanwhile, even more unwanted gifts keep rolling in.

CastleCops has been under fairly consistent DDoS attacks since early this year. The group's volunteers work with Internet service providers and other industry partners to combat a variety of criminal enterprises, from phishing schemes to spam to malicious software hosted on hacked Web sites or home computers. Many of those same partners have also stepped forward to help the group fend off the DDoS attacks.

When it became clear to attackers that this most recent frontal assault was no longer working, they changed their tactics, said CastleCops co-founder Paul Laudanski.

"Clearly someone's got it in for us and has been paying someone to try and take us out, but we're bringing discredit on the botnet masters because they're not succeeding," Laudanski said.

You know you've succeeded in angering some deep-pocketed criminals when they start burning stolen PayPal accounts by the dozen after botnet-for-hire attacks fail to work. One criminal organization that CastleCops has been particularly effective against - known as the Rock Group - stole more than $150 million worth of consumer data last year in phishing attacks, according to security giant Verisign.

CastleCops may have weathered the attack expertly so far, but not every group that accepts donations has the same kind of strong connections with the people at eBay's fraud department. My suspicion is that this same assault against any other organization might have succeeded, at least temporarily. I say that because eBay often places a hold on PayPal accounts that are involved in fraud disputes, and many volunteer organizations probably are more attuned to counting their donations and making ends meet than looking for patterns of suspicious activity.

"The only reason I noticed these fraudulent donations was because [the receipts for PayPal donations] get sent to an e-mail address that we regularly use," said Robin Laudanski, the other co-founder of CastleCops.

The group received a number of nasty e-mails from people whose accounts and financial information were used in the reputation attack. One irate victim threatened Paul in an e-mail, calling him "a marked man."

"He said 'I hope you end up in the pokey getting poked a lot'," Paul said.

Still, at least one guy whose PayPal account was used to fraudulently donate to CastleCops was ultimately thankful for the refund. Only, his account had been used to donate just one dollar. No word yet on whether he's grateful enough to respond with a real donation.

By Brian Krebs  |  September 18, 2007; 10:00 AM ET
Categories: Fraud, From the Bunker

Comments

Great article BK. Will you ever be doing another long story about botnet owners/scammers, like the one from about a year ago?

Posted by: CW | September 18, 2007 11:06 AM

Thanks Brian.

Heads up to readers, CastleCops is currently down due to a hardware failure, we should be back online shortly. And yes the DDoS continues.

Posted by: Paul Laudanski | September 18, 2007 12:01 PM

BK, I like this story a lot. CW asks a good question about another story on BotNets. An interesting perspective to take on this would be to look at the fact that ISPs could EASILY become more involved in helping to IDENTIFY/STOP botnets, but they just don't. Rather than just reporting they exist and can be used for nasty reasons... I think you should report on methods to stop them and what corporations and ISPs can do to prevent such happenings. Systems can be locked down (one layer of the onion), but another layer can be to place IDS solutions that prevent such happenings via "reaction techniques".

Posted by: R1no | September 18, 2007 12:03 PM

Seems like a pretty dumb strategy on the attackers' part, given that each attack will disclose their unauthorized access to a Paypal account for a small gain. Meanwhile, all CastleCops has to do in the short term is stop accepting Paypal donations for a while.

Posted by: antibozo | September 18, 2007 12:42 PM

I am sure if paypal transactions are stopped, that the attackers will resort to other ideas (that I won't list here)... Giving up a paypal account isn't a big deal, if you think about it. There are TONS of accounts and credit card numbers out there. Giving up a few to hurt a company that exists to stop what you are doing... is probably worthwhile. They can always get more accounts. I'd love to help out CastleCops. Any chance you guys would like some help? If for nothing else, but to brainstorm future avenues of attack they may use against CastleCops. It's a specialty of mine.

Posted by: R1no | September 18, 2007 1:02 PM

The same happened to us. We are a target of the exact same DDoS attack as well as the fraudulent transactions being made to our paypal donations account.
It's a real PITA, to say the least.

Posted by: aa419.org | September 18, 2007 1:14 PM

this sucks a lot

Posted by: Anonymous | September 18, 2007 2:01 PM

I have an idea on how ISPs could become more active in preventing these types of attacks.

Each ISP has an allocated block of IP addresses which are publicly available via WHOIS lookups. With each ISP record an abuse email address is available; if botnet activity is found and tracked to a specific block of IP addresses, the abuse email acquired through WHOIS lookups could be used to notify the administrator(s), who in turn could essentially block the infected machine until the botnet operator's software could be removed.

I actually have a perl script that could do this automatically. Just a thought.

Posted by: jas | September 18, 2007 2:09 PM
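The procedure jas sketches above (flood log in, WHOIS abuse contact out, one notification per ISP block) in working form, as an added example that is not from the post and not the commenter's perl script. The WHOIS records and the log excerpt are constructed samples built on RFC 5737 documentation ranges, and lookup_whois() is an offline stand-in for a real registry query; the field names OrgAbuseEmail (ARIN style) and abuse-mailbox (RIPE style) are the real ones such records carry, but every address and organization below is a placeholder.

```python
"""Added example, not part of the post or of any commenter's script: take the
source addresses seen in a flood log, find the WHOIS block each one belongs to,
pull that block's abuse contact, and assemble one report per block. The WHOIS
text and the log lines are constructed samples using RFC 5737 documentation
ranges; lookup_whois() is a stand-in for a real query to a regional registry."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed WHOIS responses, keyed by the block they describe. The first two
# mimic ARIN ("OrgAbuseEmail") and RIPE ("abuse-mailbox") layouts; the third
# has no abuse contact at all, which is a case a real script must handle.
SAMPLE_WHOIS = {
    "192.0.2.0/24": (
        "NetRange:       192.0.2.0 - 192.0.2.255\n"
        "CIDR:           192.0.2.0/24\n"
        "OrgName:        Example Broadband (constructed)\n"
        "OrgAbuseEmail:  abuse@isp-a.example\n"
    ),
    "198.51.100.0/24": (
        "inetnum:        198.51.100.0 - 198.51.100.255\n"
        "netname:        EXAMPLE-CABLE\n"
        "abuse-mailbox:  abuse@isp-b.example\n"
    ),
    "203.0.113.0/24": (
        "inetnum:        203.0.113.0 - 203.0.113.255\n"
        "netname:        NO-CONTACT-NET\n"
    ),
}

# Constructed flood-log excerpt: timestamp, TCP flag, source -> destination:port.
SAMPLE_LOG = """\
2007-09-18T10:00:01Z SYN 192.0.2.15 -> 10.0.0.5:80
2007-09-18T10:00:01Z SYN 192.0.2.77 -> 10.0.0.5:80
2007-09-18T10:00:02Z SYN 198.51.100.9 -> 10.0.0.5:80
2007-09-18T10:00:02Z SYN 192.0.2.15 -> 10.0.0.5:80
2007-09-18T10:00:03Z SYN 203.0.113.4 -> 10.0.0.5:80
2007-09-18T10:00:03Z SYN 10.1.2.3 -> 10.0.0.5:80
"""

LOG_RE = re.compile(r"^\S+ SYN (\d{1,3}(?:\.\d{1,3}){3}) -> ", re.M)
ABUSE_RE = re.compile(r"^(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+@\S+)", re.M | re.I)


def parse_sources(log_text):
    """Count how often each source address appears in the log."""
    return Counter(LOG_RE.findall(log_text))


def lookup_whois(ip):
    """Stand-in for a registry query: return (cidr, text) for the block holding ip."""
    addr = ipaddress.ip_address(ip)
    for cidr, text in SAMPLE_WHOIS.items():
        if addr in ipaddress.ip_network(cidr):
            return cidr, text
    return None, ""


def abuse_contact(whois_text):
    """Extract the abuse mailbox from a WHOIS record, or None if it has none."""
    m = ABUSE_RE.search(whois_text)
    return m.group(1) if m else None


def build_reports(source_counts, min_hits=1):
    """Group sources by WHOIS block; drop blocks with fewer than min_hits packets."""
    by_block = defaultdict(dict)
    for ip, hits in source_counts.items():
        cidr, _ = lookup_whois(ip)
        if cidr is None:           # no record found: nobody to notify
            continue
        by_block[cidr][ip] = hits
    reports = {}
    for cidr, hits in by_block.items():
        if sum(hits.values()) < min_hits:
            continue
        reports[cidr] = {"contact": abuse_contact(SAMPLE_WHOIS[cidr]), "hits": hits}
    return reports


def format_report(cidr, report):
    """Render one plain-text abuse report for a block; None if it has no contact."""
    if report["contact"] is None:
        return None
    lines = [f"To: {report['contact']}",
             f"Subject: SYN flood traffic observed from {cidr}",
             "",
             "Source address and packet count (from our logs):"]
    for ip in sorted(report["hits"], key=ipaddress.ip_address):
        lines.append(f"  {ip}  {report['hits'][ip]}")
    return "\n".join(lines)


if __name__ == "__main__":
    for cidr, rep in build_reports(parse_sources(SAMPLE_LOG)).items():
        print(format_report(cidr, rep) or f"{cidr}: no abuse contact in WHOIS")
        print()
```

Two caveats a practitioner would add before wiring this to a mail queue: SYN flood source addresses can be spoofed, so a packet-count threshold (the min_hits parameter) and corroboration from completed connections keep the script from reporting addresses that never sent anything; and registry abuse contacts go stale, so a block with no parseable contact, like the third sample above, needs a fallback path rather than being silently dropped.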

i think that money is effecting how gorge w bush lives. he lives like a big fat pig

Posted by: arturo | September 18, 2007 2:14 PM

Castlecops rocks. Scammers beware.

Whatcha gonna do...
...when Castlecops come for you...

Bot boys, bad boys
Whatcha gonna do...

Posted by: Anonymous | September 18, 2007 2:26 PM

I believe the attacks on CastleCops are not originating from simply spammers or cyber criminals.

I believe the attacks are coming from Muslim Extremist who are using the proceeds of crime to send money in support of Jihad, al Qaida and the Taliban. All done in the name of the false prophet Mohamed in some warped sense of religious indignation.

Otherwise it is simply some 13 year old pimply faced little mommas boy who has no real life.

Then again it could be a 13 year old basement dwelling Jihadist who doesn't have a real life because the adult Jihadist won't trust him with a gun or a bomb equipped car to blow himself up with

Posted by: Christine Siedsra | September 18, 2007 2:32 PM

Christine, it's brilliant to think that it's a terrorist organization reference. But it's already noted that the FBI is involved. Technically, the only ones with these kinds of resources would be governments or terror-based organizations (think: if you send millions of fraudulent dollars somewhere else, you can deflect attention off of where you are really sending it). My guess is that CastleCops got too close to one of these organizations' details and caused them to resort to such tactics, so as to force them to expend more resources on this and not on something else they were working on.

Posted by: Anonymous | September 18, 2007 3:54 PM

I hope to read in your article, in the near future, about these spammers going to jail and paying humongous fines.
What would really be great: If they had to face a judge who has been caught up in a spam! :)

Posted by: Anonymous | September 18, 2007 5:05 PM

My hope is that law enforcement starts paying attention and devotes more resources to fighting cybercrime before another 9/11 takes place.

Posted by: ScamFraudAlert | September 18, 2007 5:18 PM

I echo the comment: Great article, Brian.

Posted by: csavargo13 | September 18, 2007 7:16 PM

I'm amazed that PayPal didn't immediately "freeze" CastleCops' PayPal account.

PayPal freezes accounts - in some cases full of legitimately earned money - of completely innocent users on trumped up charges on a daily basis.

You really need to do a column - or a series of columns - on how PayPal operates. I suggest you visit paypalsucks.com for ideas.

The irony of any column about cyber crooks overlooking the behavior of PayPal here is simply too much.

Posted by: Lily | September 19, 2007 12:34 AM

I agree with Christine Siedsra. Mostly. Except I have incontrovertible evidence it's actually an ultra right wing creationist Bush/Rove supported movement to make liberals and other weaklings /think/ it's 13yo basement dwelling jihadists. And it almost worked too.

Posted by: Rick | September 19, 2007 11:08 AM

The reason to not 'freeze' the CastleCops account is because the stolen accounts are self-reporting themselves as stolen, which provides the information to shut them down, as well as to hopefully better trace their original method of theft and, thus, find these crooks.

Given that they've done a good job in ticking off a criminal with quite respectable resources, let's hope that the governmental authorities can track things to ground and terminate this operation with extreme prejudice, regardless of what country the scoundrels are hiding in.

Posted by: . | September 20, 2007 5:11 PM

After baiting Nigerian scammers in nearly every place that is known to me (especially on eBay), I am not surprised to see Internet criminals such as the ones who attacked CastleCops stoop so low as to attack their finances in general.

I once came in contact with a guy from NYC who lost a six-figure sum to the scammer. I was able to contact him because I was baiting his scammer at the same time and the scammer was dumb enough to email me and CC: the victim. Granted, the victim is an 86 y/o retired investment banker, Harvard and Yale educated, and earns about $230k+ a month in retirement income, so it wasn't a big loss to him. The part about this victim is that the scammer wanted the victim to sell his bed-ridden wife's specialized life-preserving medications and send the proceeds to Nigeria for so-called "oil investments and bribe payoffs".

Nothing about Internet criminals now surprises me.

Posted by: ikuomanero | September 20, 2007 8:14 PM

Great article Brian. We really need to stop these attacks. I read recently that there are as many as 150 million bot-infected computers around the world, and the FBI projects that the cybercrime resulting from botnets will cost businesses up to $67 billion a year.

I just read an article in which security executives from FireEye are advocating that botnets be reclassified and no longer be just a subset of the overall malware category. FireEye is a botnet company and came out with products today that combine global analysis AND solutions.

Dimes to dollars, these smaller companies are going to be the ones to block these bots. The bigger guys are too slow and don't focus on bots with the same critical eye as the smaller players.

Posted by: securitymaven | September 24, 2007 2:08 PM


© 2010 The Washington Post Company