UK Police Detail DDoS-for-Hire Arrests

Four Teenagers Charged With Using 'Lizard Stresser' Service

British police have arrested four teenagers on charges that they used "Lizard Stresser," a distributed denial-of-service tool, to disrupt multiple websites.

The DDoS tool is marketed by Lizard Squad, a gang of hackers that has been tied to numerous attacks and disruptions, including the February hack of the Lenovo website, as well as the 2014 Christmas Day disruption of the Sony PlayStation and Microsoft Xbox Live networks.

The U.K.'s National Crime Agency announced on Aug. 28 that it arrested four males - two 18-year-olds, plus a 15-year-old and a 16-year-old.

"Those arrested are suspected of maliciously deploying Lizard Stresser, having bought the tool using alternative payment services such as Bitcoin in a bid to remain anonymous," the NCA says. "Organizations believed to have been targeted by the suspects include a leading national newspaper, a school, gaming companies and a number of online retailers."

Officials say that none of the arrested individuals are suspected of being members of Lizard Squad or of participating in the group's Christmas Day 2014 disruption. They also note that the DDoS service, like many other DDoS-for-hire services, offers inexpensive rates, and can have a devastating effect on targeted organizations. "By paying a comparatively small fee, tools like Lizard Stresser can cripple businesses financially and deprive people of access to important information and public services," says Tony Adams, head of investigations at the NCA's National Cyber Crime Unit.

This investigation was code-named "Operation Vivarium," referring to a container used for keeping plants or animals, such as lizards, for study.

Police say that as part of Operation Vivarium, they're visiting about 50 other individuals in the U.K. who have signed up on the Lizard Stresser site, but who do not appear to have used the service. Police say that about one-third of those individuals appear to be younger than age 20. "One of our key priorities is to engage with those on the fringes of cyber criminality, to help them understand the consequences of cybercrime and how they can channel their abilities into productive and lucrative legitimate careers," Adams says.

"'Crime as a service' where attackers pay others for tools and services is becoming a significant factor in cybercrime. Whilst many think of denial of service attacks as being trivial, they are costing organizations a great deal through the disruption they cause," says Alan Woodward, a computer science visiting professor at the University of Surrey and cybersecurity advisor to the association of European police agencies known as Europol. Accordingly, police have been focusing not just on people who commit online crimes, but those who help others to do so as well (see How Do We Catch Cybercrime Kingpins?). "You can expect to see more of this in the future, and those who might be tempted to provide such services should perhaps learn that law enforcement agencies are patient but determined to tackle those who are actively enabling cybercrime in all its forms," he says.

Follows Related Arrests

Earlier this year, U.K. police arrested two other teenagers on charges that they used the Lizard Stresser service. They also arrested a suspected member of Lizard Squad (see U.K. Police Arrest 57 Alleged Hackers).

In July, another alleged Lizard Squad member, a 17-year-old Finn named Julius Kivimaki - a.k.a. "Zeekill," "Ryan" - was found guilty of 50,700 "instances of aggravated computer break-ins," but given a two-year suspended sentence, meaning he will spend no time in jail, so long as he honors the terms of his court agreement. He must submit to two years of electronic monitoring of his online activities, has had his PC confiscated, and he has been ordered to forfeit €6,588 ($7,276) worth of property obtained through his crimes. The suspended sentence is due to Finland's child protection act specifying that anyone under the age of 18 is legally a "child," and must be tried accordingly.

Commenting on that verdict, Dublin-based information security consultant Brian Honan, who's a cybersecurity adviser to Europol, says that seeing suspended sentences frustrates many security professionals and law enforcement officials (see Young Hackers: Jail Time Appropriate?).

"We need to take into account the fact that if teenagers are able to wreak such damage against our systems, it is a sad indictment of the effectiveness of the software and tools that we use to defend our systems," Honan says. "Instead of criticizing the legal system, we should use these cases to take a cold, hard look at ourselves and how we need to place accountability and ownership on those who operate insecure platforms on the Internet ... and how we as an industry need to work together to make our systems easier to secure and more resilient to attacks."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
