Recent changes in the cyberthreat landscape, especially high yield cybercrimes such as Ransomware and other crimes of extortion, are creating a logical (crime) environment for the creation of a more sustainable mafia-type hierarchical model of organised crime which specifically seeks to protect offenders, invest proceeds to increase wealth, power and influence and ultimately their sustainability. We believe that there is currently little evidence of such phenomena, but their emergence may only a matter of time.
To understand the organisation of crime groups online we will look at booter services, or stressers – as they are commonly known. They are a key enabler of DDoS (Distributed Denial of Service) attacks which are currently proliferating. Stressers are semi-legal IT services, which, for a fee, enable their clients to mobilise DDoS attacks to conduct legitimate penetration tests of computer systems (if there is consent) to improve their security, but in so doing, can also be used to facilitate more malicious attacks.
Some recent powerful DDoS attacks (of terabyte proportions) attributed to stressers have been motivated by the economic potential for financial gain, but also by the political opportunities they offer to damage or disrupt, over and over again. This observation raises interesting questions about whether or not DDoS attacks are a new tactic of existing organised offending online, or whether they indicate the existence of new forms of online crime group. More importantly, does the organisation of online crime services, using online brokers to help clients deliver DDoS, indicate the presence of new forms of ‘mafia’, whose hallmark is to repeatedly extort and accumulate wealth and power from the proceeds of their crimes.
In order to understand the nature of the stresser (booter service) as crimeware-as-a-service, we analyse a case study of a stresser called StressSquadZ (a pseudonym) that had been taken down by policing agencies and shared with us by DutchSec intelligence. We analysed this anonymised data to observe the network of payments and interactions between users and the service. The analysis shows how users start by buying trials and some move on to purchase premium services (green, orange and yellow links), which are a pathway into more expensive services and more powerful attacks.
The marketing and subscription plans to join the service were found to range from an introductory trial to a VIP bespoke service and the data indicated much about the product and also client differentiation, especially the provider’s high level of drive to maximise profit and the ‘clients’ desire to minimise payments.
The communications data (see Fig 1) showed the spread of low impact trail plans purchased by the wider community of low-skill users, which constitute two fifths of the total users. Most of these client/ users seem to be driven by curiosity and transgression, rather than pure criminal intent to make direct gains. The data also showed how a smaller number of ‘clients’ had more serious and higher impact intentions and indicated the nature of those intentions. As stated earlier, while stressers can potentially be used for legal (consensual) purposes to test the strength and resilience of security systems, we found that their main use was clearly as an ‘attack’ vehicle without the consent of the website owner. Since this constitutes a crime under computer misuse legislation in most jurisdictions, then the stresser service providers are effectively, and legally, a new form of organised crime grouping online.
In the case of StressSquadZ, there a range of different clients/ users. First, were the ingenue (‘amateurs’ and ‘wannabes’) who were mainly users who bought the service out of curiosity to try it out, often after becoming interested it following discussions in online chat forums. These, we argue, were not seriously minded offenders and probably regarded the use of the booter service use either as a hobby or to improve their own computing skills (i.e. script-kiddies).
These ingénue contrasted with a second group who acted like more serious offenders, called ‘commercial offenders’ for want of a better description, they knew exactly which kind of service they were after, perhaps because of previous experience and/or their advanced skills. They understood exactly how a stresser service works and what they could use it for and they were clearly shopping for the best buy. Once they had tried it out under the trial scheme and were happy with it, they tended to upgrade to the VIP service. StressSquadZ, was of course, only one of a number of different types of online crime groups that constitute the organisation of cybercrimes online, but indications do suggest they were fairly typical of the genre.
So, in conclusion, the findings of our research are not as dramatic as the cultural hype surrounding stories of organised crime would suggest. The StressSquadZ’s practices more resembled those of a big online retailer rather than a Mafia-type organised crime operation. Their main drive appeared to be to balance maximising their profits (proceeds of crime) with minimising their operating risks, e.g., by not entering into high risk operations that attract the attention of law enforcement agencies. We found that, not only do online offenders act in very predictable ways, e.g. exploiting the laws of supply and demand, to provide services to offenders, but the organisation and operation of this particular booter service was limited to DDoS operations. We found no evidence, at this stage, of any involvement with any broader organised crime group which might seek to use it, protect it or even take it over. This lack of collusion is especially significant because stressers can be used to commit significant upstream crimes such as data theft and data disruption which facilitate much more criminal activity downstream, so the next stage of our research is to look at the downstream aspects of DDoS, at the motivations of the users of stresser services.
Note: This article is based on Musotto, R. and Wall, D.S. (2018) Are Booter Services (Stressers) indicative of a new form of organised crime group online? Proceedings of the UNODC Linking Organized Crime and Cybercrime Conference, School of Global Studies, Hallym University, Chucheon, South Korea, 7-8 June 2018.
Authors: Roberto Musotto and David Wall, University of Leeds