Updated on 9-12-2016 by Jonathan Keane: Israeli police arrest two teens for allegedly running the vDOS DDoS-for-hire service
Israeli news site Haaretz reports that the Israeli national police arrested two teenagers following a tip from the FBI. The two, Huri and Yarden Bidani (it has not been clarified whether they are related), are under house arrest for 10 days on $10,000 bail. They were also ordered to hand over their passports and are barred from using the internet for 30 days. The vDOS website is now offline.
The vDOS operators are alleged to have carried out hundreds, if not thousands, of DDoS attacks on websites on behalf of customers, earning at least $600,000 in the last two years. However, the site had a policy of never attacking Israeli sites, to avoid drawing too much attention to itself at home.
A web service that helped customers carry out distributed denial-of-service (DDoS) attacks on unsuspecting victims has been hacked, revealing data on the customers who used this clandestine service.
According to security journalist Brian Krebs, vDOS was hacked recently and he obtained a copy of the leaked data in July. Upon scrutinizing the database, he claims that vDOS is being run by two Israeli cybercriminals under the pseudonyms P1st (or P1st0) and AppleJ4ck, with associates in the United States.
vDOS allegedly offered monthly subscriptions to DDoS attack services, paid in bitcoin or even through PayPal, with the prices based on how long the attack would last. These DDoS attacks would launch fake traffic at victim websites, overwhelming their servers and knocking the sites offline. A particularly strong DDoS attack could cripple a site for days.
“And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years’ worth of attack traffic,” Krebs said in his analysis. He added that he believes vDOS was handling hundreds or even thousands of concurrent attacks a day. Krebs’ analysis is based on data from April to July; apparently all other attack data going back to the service’s founding in 2012 has been wiped.
Krebs’ source for information on the hack was allegedly able to exploit a hole in vDOS that allowed him to access its database and configuration files. It also allowed him to trace the route of the service’s DDoS attacks to four servers in Bulgaria.
Among the data dump were service complaint tickets where customers could file issues they had with the DDoS attacks they purchased. Interestingly, the tickets show that the owners of vDOS declined to carry out attacks on Israeli sites to avoid drawing attention to themselves in their native land.
The duo supposedly made $618,000, according to payment records dating back to 2014 in the data dump.
“vDOS does not currently accept PayPal payments. But for several years until recently it did, and records show the proprietors of the attack service worked assiduously to launder payments for the service through a round-robin chain of PayPal accounts,” Krebs said.
The operators of the DDoS service are believed to have enlisted the help of members from the message board Hackforums in laundering the money.
Krebs warned that services like vDOS are worrisome because they make cybercrime tools available to pretty much anyone willing to pay. In some cases, vDOS offered subscriptions for as little as $19.99. These sorts of tools, also known as booter services, can be used legitimately to test how your own site holds up against large volumes of traffic, but in the wrong hands they can be abused and resold very easily.
“The scale of vDOS is certainly stunning, but not its novelty or sophistication,” said Ofer Gayer of security firm Imperva, who added that this new widespread attention on DDoS services might stall them for a while.