Stupid hacker tricks, part two: The folly of youth

Tech-savvy delinquents set the Net aflame with boneheaded exploits that earn them the wrong kind of fame

 

When the DDoS ain't stoppin' expect the cops to come knockin'
Perps
Ivan Maksakov, Alexander Petrov, and Denis Stepanov

Status
All three are guests of the Russian penal system, sentenced to eight years at hard labor and a 100,000 ruble fine

Dossier
Looking to make a little extra money while at college in 2003, Ivan Maksakov, then 22, devised an inventive, entrepreneurial scheme that probably sounded good at the time: He created a botnet to engage in DDoS (distributed denial-of-service) attacks and then blackmailed online gambling sites based in the U.K., threatening to take the sites down during major sporting events.

[ Don't think you're a security sieve? Prove it by mastering our Security IQ test ]

However, Maksakov -- a student at the Balakov Institute of Engineering, Technology, and Management -- couldn't anticipate that the Russian government, looking to demonstrate its resolve in dealing with cybercriminals, would make an example of him.

The botnet, based in Houston, was directed to launch DDoS attacks against the U.K.-based bookmaking Web sites and online casinos only if Maksakov's demands weren't met. According to Russian news reports, Maksakov, along with co-conspirators Alexander Petrov and Denis Stepanov, attacked nine Web sites from the fall of 2003 until spring 2004. The sites were initially attacked for a short time, before a ransom demand was e-mailed.

In one example, the attacks crippled a site run by Canbet Sports Bookmakers during the Breeders' Cup horse races, costing the firm $200,000 for each day it was offline. But even when the firm paid a $40,000 ransom to a Western Union account in Riga, Latvia, the attacks continued.

Authorities allege that the attacks for which the trio were convicted cost the U.K.-based Web site operators upward of $4 million, not including an additional $80 million the companies paid out for additional bandwidth and security hardware designed to thwart DDoS attacks. Charges weren't filed for 54 similar attacks the group is alleged to have engaged in, affecting companies in 30 other countries.

Britain's intelligence services tracked the IP address used to send commands to the botnet to Maksakov's home computer. When the British government provided the information to the Russian Federation's Interior Ministry, the three were arrested. Authorities say at least 13 others who have not been arrested were involved in the scheme, including 10 people working as "money mules" in Riga, two other cyberattackers in Kazakhstan, and one more in Russia.

Lessons learned
Russia's a terrible place to base your operations for a criminal enterprise, unless you like taking long vacations in Siberia. Kazakhstan and Latvia seem to be much more agreeable. Also, if someone sends you 40 large, don't wait: Turn off the damn DDoS before MI-5 gets involved.

[ Stupid juvy hacker home | Stupid juvy hacker trick No. 3: Punked over a prank ]