Administrators of the world's largest DDoS-as-a-service website webstresser.org were only yesterday reaping the rewards of their illicit enterprise. Today, they are under arrest thanks to the cooperative effort of international law enforcement agencies.
Europol reported the success of Operation Power Off, an investigation led by the Dutch police in combination with the UK's National Crime Agency and a dozen other law enforcement agencies from around the world. As of today, the site has been shut down and its infrastructure has been seized.
DDoS attacks are widely disruptive as they knock services offline. As of April 2018, webstresser.org had 136,000 registered users who successfully orchestrated four million attacks targeting financial and government agencies. Last year, the site was used to launch a series of attacks on UK high street banks – causing hundreds of thousands of pounds of damage.
When once it was sophisticated hackers who were conducting these attacks, the widespread availability and very inexpensive access to these as-a-service attacks allows anyone to purchase and launch an attack that can paralyze the internet.
“The platform criminality model is productizing malware and making cybercrime as easy as shopping online. Not only is it easy to access cybercriminal tools, services and expertise: it means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as the web of profit continues to gain momentum," said Gregory Webb, CEO, Bromium.
Recently released academic research, Into the Web of Profit, commissioned by Bromium and carried out by Dr. Mike McGuire, senior lecturer in criminality at Surrey University, found that Crimeware-as-a-Service earns cybercriminals $1.6bn per year, with DDoS-attack hires generating $13m of revenue per year. There are an average of six-and-a-half million DDoS attacks per year.
"It’s a growing problem, and one we take very seriously. Criminals are very good at collaborating, victimizing millions of users in a moment from anywhere in the world. We need to collaborate as good as them with our international partners to turn the table on these criminals and shut down their malicious cyberattacks," said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3).
Though some individuals may only see their involvement as playing around with low-level fringe cybercrime, DDoS attacks are illegal, and perpetrators who conduct the attacks can be charged a hefty fine, receive a prison sentence, or be penalized with a combination of both.