In a series of blog posts, we’ve highlighted the emergence of easy-to-use, publicly obtainable, cracked or leaked, DIY (Do It Yourself) DDoS (Distributed Denial of Service) attack tools. These tools empower novice cybercriminals, enabling them to monetize their access in the form of ‘vendor’ type propositions for DDoS for hire services. Not surprisingly, we continue to observe the growth of this emerging (international) market segment, with its participants continuing to professionalize while pitching their services to virtually anyone who’s willing to pay for them. However, one of the most common differences between the international underground marketplace and, for instance, the Russian/Eastern European one remains the OPSEC (Operational Security) applied — if any — by the market participants, who knowingly or unknowingly recognize its potential as a key differentiation factor for their own market propositions.
Case in point: yet another newly launched DDoS for hire service that, despite pitching itself as anonymity and privacy aware, fails to differentiate its unique value proposition (UVP) in terms of OPSEC.
Sample screenshot of the landing page:
Let’s discuss the (business) interaction that most commonly takes place between a buyer and a seller of such services. On the majority of occasions, because the vendor seeks to efficiently supply what the market demands, basic OPSEC rules, ones sometimes observed among Russian/Eastern European providers, are ignored. For instance, the service we’re discussing in this post not only has its site publicly searchable, it also features a YouTube advertisement. Combined with the fact that it also solicits customer inquiries through a Gmail account — with no public PGP key offered — this results in a situation where a potential customer would think twice before contacting the vendor. Moreover, these (international) underground market propositions usually tend to acquire less technically sophisticated customers, who’d often seek the vendor’s assistance in taking down a gaming server or, not surprisingly, in launching a Denial of Service attack against a “friend’s” Internet connection. In comparison, the Russian/Eastern European vendors would usually prefer to stay beneath the radar, and will vet potential customers based on multiple factors — including the actual target — before launching an attack on their behalf.
We’re also aware of several malicious MD5s known to have been downloaded from the same IP that once responded to the service’s domain:
We expect to continue observing an increase in such types of ‘DDoS for hire’ propositions, largely thanks to the ease of obtaining the necessary tools required to convert a botnet into a vendor-oriented type of underground market service, and will continue to monitor this market segment.