UK Sets Up Fake Booter Sites To Muddy DDoS Market (krebsonsecurity.com) 47
An anonymous reader quotes a report from KrebsOnSecurity: The United Kingdom's National Crime Agency (NCA) has been busy setting up phony DDoS-for-hire websites that seek to collect information on users, remind them that launching DDoS attacks is illegal, and generally increase the level of paranoia for people looking to hire such services. The NCA says all of its fake so-called "booter" or "stresser" sites -- which have so far been accessed by several thousand people -- have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks.
"However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators," reads an NCA advisory on the program. "Users based in the UK will be contacted by the National Crime Agency or police and warned about engaging in cyber crime. Information relating to those based overseas is being passed to international law enforcement." The NCA declined to say how many phony booter sites it had set up, or for how long they have been running. The NCA says hiring or launching attacks designed to knock websites or users offline is punishable in the UK under the Computer Misuse Act 1990. "Going forward, people who wish to use these services can't be sure who is actually behind them, so why take the risk?" the NCA announcement continues.
So baiting is legal in the UK? (Score:1)
In some countries it's illegal to bait criminals.
Re:So baiting is legal in the UK? (Score:5, Informative)
> In some countries it's illegal to bait criminals.
Entrapment is illegal. This isn't entrapment.
Entrapment lures people into a crime they were not already predisposed to commit. The people going to DDOS websites are already predisposed and looking to take action. If not for the fake sites, they would find a real DDOS provider instead.
Re: (Score:2, Insightful)
> The people going to DDOS websites are already predisposed and looking to take action.
Not necessarily, they may simply be curious or working as researchers. They've done nothing wrong until they hit the point of actually ordering an attack.
Re: (Score:2)
> They've done nothing wrong until they hit the point of actually ordering an attack.
And as they've done nothing wrong they wouldn't be charged with a crime either. And if they actually ordered an attack the idea that they are simply curious or researchers suddenly becomes laughable.
"Your Honour I was just curious what that person's brains would look like splattered against the wall. I'm not a murderer honestly!"
Re: (Score:2)
> And if they actually ordered an attack the idea that they are simply curious or researchers suddenly becomes laughable.
What if a researcher orders an attack on their own site or a client's site? That sounds like exactly the sort of thing a security researcher would be meant to do. Similar question I suppose about hiring a hitman to kill oneself. Suicide might be illegal, and there might be various peripheral charges of various kinds around hiring a hitman (conspiracy to commit money laundering, since you might have to pay them anonymously?), and charges related to endangering public safety, etc., but could they actually c
Re: (Score:2)
> > The people going to DDOS websites are already predisposed and looking to take action.
>
> Not necessarily, they may simply be curious or working as researchers. They've done nothing wrong until they hit the point of actually ordering an attack.
Not even necessarily at that time. If they order an attack with permission of the site owner and access provider, that would be legal too. Of course, it may even be legal to order an attack in some countries against "enemies of the people" (or similar crap ideas)...
The point is that legality is a pretty bad (as so often) criterion. The police pretending to be something they are not is universally a bad idea though.
Re: (Score:2)
Entrapment is the RICO of lupus
Re: (Score:2)
It is a slippery slope. If actions like this are legal, then there is something seriously wrong with the legal system in question.
Re: (Score:2, Insightful)
Why, do criminals deserve a sporting chance? ;^)
Entrapment is if you're induced/lured/manipulated into doing something you wouldn't otherwise do. Fake stresser sites aren't an attractive nuisance you just stumble upon. Besides that, no crime has actually occurred since the sites are fake, and having a law agent wag their finger warning you about cybercrime isn't a prosecution by the court.
So if it's illegal... (Score:2)
"Going forward, people who wish to use these services can't be sure who is actually behind them, so why take the risk?"
What risk? Nothing's gonna happen.
Re: (Score:2)
Re: So if it's illegal... (Score:1)
That's not likely to work. You're more likely to end up with a charge for conspiracy.
Re:So if it's illegal... (Score:4, Insightful)
> why aren't they charging anyone?
Because no one has yet committed a crime.
Deterrence is way cheaper than prosecuting and imprisoning people. Perhaps that's something the USA can learn from the UK.
Re: (Score:2)
Re: (Score:3)
Yes. Arresting people for writing mean things on twitter. That's what USA needs more of.
Ron DeSantis agrees with you [cnn.com]. Arrest and imprison people who note what a liar you are.
Re: (Score:2)
> Ron DeSantis agrees with you [cnn.com]. Arrest and imprison people who note what a liar you are.
The article you linked says the law makes actionable "reckless disregard for the truth" which is currently protected speech by profit-making news organizations.
Which is the opposite of your claim here. Is DeSantis Derangement Syndrome already a thing? I figured he'd have to run for President at least before that got off the ground.
Let's hope he doesn't run.
Do you think a news organization ruthlessly lying
Re: (Score:2)
Riiiight. Of course it is. And guess who will claim anything which isn't absolutely, 100% correct is "reckless disregard for the truth". In DeSantis' world, anything which will make him look bad is "reckless disregard". Why do you think he and the legislature are working to pass a law to prohibit his travel records from public view [tampabay.com]? Now guess
Re: (Score:2)
Couldn't you find a screed that at least said what the bill would change, instead of complaining on the vaguest possible terms?
Still, the CNN piece you linked to is about defamation, which is a civil cause of action rather than a crime. Nobody gets arrested or imprisoned in a civil lawsuit.
If you insist on crying whatabout, you should at least make it a relevant whatabout.
Slap him down now (Score:2)
Re:So if it's illegal... (Score:5, Insightful)
What they've done instead is put some red flags against several thousand names that have, in effect, already received their first legal warning, and therefore are going to get a lot less sympathy from a court if they subsequently get caught and prosecuted for cybercrime later. There's also the possibility that a few of the people they ID might already be on similar watchlists or under caution, which might lead to actual prosecutions, but that's not the job of the NCA, it's down to the police and Crown Prosecution Service in the UK (or the other legal authorities being notified overseas), who would almost certainly both be provided with the details. Whether they join the dots is another matter, of course.
It's not a bad idea, really. Low cost, low effort and, IMHO, a low level of deterrence factor too, but the real value is probably going to be those red flags and watchlists for any subsequent prosecutions of those that don't heed the warning and continue on down the cybercrime rabbit hole.
Re: (Score:3)
> why aren't they charging anyone?
>
> "Going forward, people who wish to use these services can't be sure who is actually behind them, so why take the risk?"
>
> What risk? Nothing's gonna happen.
This - the people registering are not given tools, and they are reminded that what they might be trying to do is illegal. You register to get the tools, and then you become interesting, but you don't get the tools.
Carry on, lads (Score:5, Funny)
If I didn't know better, I'd assume a "booter site" was just Cockney slang for something else entirely. Probably butt stuff.
Re: (Score:1)
"fruit booter" is American skater slang for rollerbladers who do tricks...
Re: (Score:2)
There I was in the old rub a dub dub 'avin a pig's ear when who should I see but ol' 'arry, 'im with the big barnet what used to be a bottle stopper. So I goes over for a bit of a natter, 'e tells me 'e's only gone and got 'imself cut and carried, even 'as a coupla dustbin lids and a basin of gravy on the way. Good on yer 'arry I says, but I reckon it's yer round. Get off, sling yer 'ook 'e says. Alright alright, wind yer neck in says I, and it's back to the lads at the bar. Same ol' 'arry, I tells em. Utte
Charge in bitcoin. (Score:2)
Solution: Accept the order and payment then tell them "Nah". Tell them to come to UK if they want to sue.
Re: (Score:2)
Not really - the NCA most definitely talks to Europol and others - given the UK is usually the USA's lapdog, I'd imagine the NCA also talks to the FBI quite a bit too.
Granted, a hacker in NK, Iran or Russia isn't likely to be arrested and charged *anywhere* - but identifying them, and being clear that they're in one of those countries (with some actual proof) makes things diplomatically less peachy for those countries. It's possible said hacker is not state run, and maybe not even particularly known to the
Re:Turning a blind eye to the Ukraine fanboys (Score:4, Insightful)
Nobody cares about Russia, really. The sooner they disappear from the internet, the better. If they want to roll their own, fine by me, nobody's gonna miss that failed state.
Re: (Score:2)
> The sooner they disappear from the internet, the better.
So, you're in favor of the Russian government cutting off all outside information from the Russian people, in order to control the narrative? How very Orwellian of you.
Re: (Score:2)
As long as the Russian trolls vanish as well... Quite frankly, anyone who understood that this country is going to hell in a handbasket left long ago. What's left now is pretty much what's left.
Re: (Score:2)
To prosecute a crime across jurisdictional borders requires cooperation of law enforcement agencies, and a crime that's both illegal in both jurisdictions and sufficiently serious to be worth the effort and cost on both sides to pursue it.
A better idea? (Score:2)
Re:A better idea? (Score:4, Insightful)
The police ransoming people, a better idea ?
Re: (Score:2)
So some idiot post it to /. (Score:2)
Re: (Score:2)
> Now everyone knows about it. Also how is this not entrapment? (illegal in the UK as far as I understand it, not being a lawyer)
People don't get arrested for going to the site or even registering. They get no tools to perform DDoS. They are told it is illegal. That would have to be the weakest form of entrapment ever.
Re:So some idiot post it to /. (Score:4, Informative)
> Also how is this not entrapment? (illegal in the UK as far as I understand it, not being a lawyer)
You answered your own question. Since you're not a lawyer, and apparently haven't studied the basics of law, entrapment occurs when someone is enticed to do something they weren't already disposed to do. This comic [tumblr.com] illustrates several examples of people NOT being entrapped.
Study hard. A test will be given tomorrow. It will be multiple choice and there is no curve.
Re: (Score:2)
...And the next thing she knew, she was in handcuffs!
"Hey, that costs extra!"
Re: (Score:2)
I loved this example from Breaking Bad.
Badger gets busted [youtube.com]
If you ask a cop if he's a cop, he's, like, obligated to tell you. It's in the Constitution.
The Constitution of America? Huh?
So go ahead and ask
You a cop?
No, no, not like that. Ask it, like, official.
Are you a police officer?
No, I am not a police officer.
Okay, then. Hundred and seventy-five for a teenth
Whoah
The price is the price, yo.
All right.
There ya' go. Enjoy.
DDoS industry kite mark (Score:5, Funny)
LOL (Score:2)
"Users based in the UK will be contacted by the National Crime Agency or police and warned about engaging in cyber crime. "
No, they will not.
They use a VPN and the UK government will complain that the VPN doesn't 'want' to give them their details.
Perhaps they'll catch a teen or 2.
Fake Boober Sites (Score:2)
I misread it as booster. (Score:2)
2 much COVID-19 stuff! :(