The Threat of Reputation-Based Attacks
CastleCops.com is accustomed to being attacked by online crooks: The volunteer-led cybercrime-fighting group has endured a nearly month-long siege by thousands of criminally-controlled PCs aimed at crippling its Web site. So when the latest attack failed to prevent legitimate users from visiting the site, the bad guys unveiled an unlikely secret weapon: bogus donations.
The unauthorized contributions all came in via PayPal, the online payment service owned by eBay. Some were sent via PayPal accounts that attackers had hijacked in phishing scams; others were submitted through PayPal's e-check option using compromised checking account numbers. A few donations were for as little as $1, while other fake donations ranged as high as $2,800.
To the victims of the stolen PayPal accounts, it looks as if CastleCops is the one stealing their money, when in reality, it's the attackers. Also, the fraudulent activity seeks to ruin their relationship with PayPal.
This attempt to smear the good name of a legitimate organization by tainting it with the stain of illegal activity - known as a "reputation attack" - came after more than three weeks of sustained distributed denial-of-service (DDoS) attacks against CastleCops.com. So-called DDoS attacks direct the Web traffic of thousands of "bots" - compromised PCs that when grouped together are called "botnets" - at a targeted site, with the aim of rendering it unreachable.
CastleCops is working with PayPal and the FBI to try to stem the fraudulent donations. So far, the organization has refunded 37 unauthorized contributions, but many more are still pending. Meanwhile, even more unwanted gifts keep rolling in.
CastleCops has been under fairly consistent DDoS attacks since early this year. The group's volunteers work with Internet service providers and other industry partners to combat a variety of criminal enterprises, from phishing schemes to spam to malicious software hosted on hacked Web sites or home computers. Many of those same partners have also stepped forward to help the group fend off the DDoS attacks.
When it became clear to attackers that this most recent frontal assault was no longer working, they changed their tactics, said CastleCops co-founder Paul Laudanski.
"Clearly someone's got it in for us and has been paying someone to try and take us out, but we're bringing discredit on the botnet masters because they're not succeeding," Laudanski said.
You know you've succeeded in angering some deep-pocketed criminals when they start burning stolen PayPal accounts by the dozen after botnet-for-hire attacks fail to work. One criminal organization that CastleCops has been particularly effective against - known as the Rock Group - stole more than $150 million worth of consumer data last year in phishing attacks, according to security giant Verisign.
CastleCops may have weathered the attack expertly so far, but not every group that accepts donations has the same kind of strong connections with the people at eBay's fraud department. My suspicion is that this same assault against any other organization might have succeeded, at least temporarily. I say that because eBay often places a hold on PayPal accounts that are involved in fraud disputes, and many volunteer organizations probably are more attuned to counting their donations and making ends meet than looking for patterns of suspicious activity.
"The only reason I noticed these fraudulent donations was because [the receipts for PayPal donations] get sent to an e-mail address that we regularly use," said Robin Laudanski, the other co-founder of CastleCops.
The group received a number of nasty e-mails from people whose accounts and financial information were used in the reputation attack. One irate victim threatened Paul in an e-mail, calling him "a marked man."
"He said 'I hope you end up in the pokey getting poked a lot'," Paul said.
Still, at least one guy whose PayPal account was used to fraudulently donate to CastleCops was ultimately thankful for the refund. Only, his account had been used to donate just one dollar. No word yet on whether he's grateful enough to respond with a real donation.
September 18, 2007; 10:00 AM ET
Categories: Fraud, From the Bunker