DDoS Website ‘Ringleaders’ Arrested In Israel

Two Israeli teenagers have been arrested following a report identifying them as the operators of vDOS, a service thought to have been behind much of the distributed denial-of-service attacks on websites over the past few years.

Itay Huri and Yarden Bidani, both 18, were arrested by Israeli police on Thursday at the request of the FBI, according to local media reports.

House arrest

They were questioned and released under house arrest for 10 days on a bond of 30,000 shekels (£6,000) each, reports said. Their passports were reportedly seized and they were barred from using the internet or other telecommunications equipment for 30 days.

Huri and Bidani were named in a report published by investigative journalist Brian Krebs as the operators of vDOS, which has carried out a large number of DDoS attacks on various websites since 2012, as well as supplying attack capabilities to third-party resellers such as PoodleStresser.

Services such as vDOS claim their offerings are legal, since they can be used by sites to load-test their own infrastructure.

vDOS has, however, been directly linked to a number of malicious attacks, in some cases sending emails to targets to claim responsibility, according to Krebs.

Last week he published log files giving detailed records on vDOS’ targets from April to July of this year, indicating that the majority were commercial websites.

Profits

Krebs noted the proprietors earned at least $600,000 (£452,000) from selling attack services during the past two years, and are likely to have earned more than $1 million since the service went online in 2012, when the suspects would have been only 14 years old.

The log files and other documents were obtained by an unnamed individual who initially hacked into another attack service called PoodleStresser.

This individual downloaded PoodleStresser’s configuration files, finding the service relied entirely on capacity supplied by vDOS.

Krebs explained that the individual then hacked directly into vDOS, downloading all of its databases and configuration files, and uncovering the Internet addresses of its command servers, which had been masked by load balancing service CloudFlare.

The leaked files showed that vDOS’ customer service website was linked to Israeli mobile phone numbers registered to Huri and Bidani.

Identification

Other data uncovered in the hack, such as website registration information, also linked vDOS to the two men.

Once the link was known, other links between Huri and Bidani and the attack service became easy to recognise, Krebs said. For instance, on Bidani’s Facebook page users often discussed DDoS attacks and referred to Bidani by an alias he used on hacker forums to sell vDOS’ services.

vDOS is the longest-running DDoS attack service advertising on hacker site Hackforums, and appears to be by far the most profitable.

According to Krebs, logs show it provided 8.81 years’ worth of attack time during the period between April and July 2016.

In spite of its prominence the service remained relatively unknown to security researchers until the report’s disclosures due to the fact that it resold capacity through other services and concealed the location of its servers.

That anonymity meant that vDOS was able to accept payments with few safeguards, accepting PayPal payments for several years and even credit card payments for a time.

Money laundering

The leaked files list $618,000 in earnings dating from 2014 to July 2016, when Krebs received the files. Financial records from 2012 to 2014, as well as attack logs prior to April 2016, appeared to have been deleted. vDOS laundered its income through a chain of PayPal accounts and through PayPal users in the US.

“The extent to which the proprietors of vDOS went to launder profits from the service and to obfuscate their activities clearly indicate they knew that the majority of their users were using the service to knock others offline,” explained Krebs.

vDOS refused requests to launch attacks on sites in Israel, much as computer criminals based in Russia often decline to launch attacks there, in order to avoid the risk of scrutiny by local law enforcement.

The FBI has yet to respond to a request for comment.

The low cost of purchasing DDoS attack capacity – vDOS sold subscriptions for $30 a month – means that websites of all sizes are commonly subject to attacks that can take them offline unless they subscribe to a load balancing service.

A study published last month found that the UK was the second most-hit by such attacks after the US, with attacks on UK businesses rising more than 200 percent over the past year.

Are you a security pro? Try our quiz!