Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security The Internet United Kingdom

UK Sets Up Fake Booter Sites To Muddy DDoS Market (krebsonsecurity.com) 47

An anonymous reader quotes a report from KrebsOnSecurity: The United Kingdom's National Crime Agency (NCA) has been busy setting up phony DDoS-for-hire websites that seek to collect information on users, remind them that launching DDoS attacks is illegal, and generally increase the level of paranoia for people looking to hire such services. The NCA says all of its fake so-called "booter" or "stresser" sites -- which have so far been accessed by several thousand people -- have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks.

"However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators," reads an NCA advisory on the program. "Users based in the UK will be contacted by the National Crime Agency or police and warned about engaging in cyber crime. Information relating to those based overseas is being passed to international law enforcement." The NCA declined to say how many phony booter sites it had set up, or for how long they have been running. The NCA says hiring or launching attacks designed to knock websites or users offline is punishable in the UK under the Computer Misuse Act 1990. "Going forward, people who wish to use these services can't be sure who is actually behind them, so why take the risk?" the NCA announcement continues.

This discussion has been archived. No new comments can be posted.

UK Sets Up Fake Booter Sites To Muddy DDoS Market

Comments Filter:
  • In some countries it's illegal to bait criminals.

    • by ShanghaiBill ( 739463 ) on Wednesday March 29, 2023 @12:54AM (#63407970)

      In some countries it's illegal to bait criminals.

      Entrapment is illegal. This isn't entrapment.

      Entrapment lures people into a crime they were not already predisposed to commit. The people going to DDOS websites are already predisposed and looking to take action. If not for the fake sites, they would find a real DDOS provider instead.

      • Re: (Score:2, Insightful)

        by Bert64 ( 520050 )

        The people going to DDOS websites are already predisposed and looking to take action.

        Not necessarily, they may simply be curious or working as researchers. They've done nothing wrong until they hit the point of actually ordering an attack.

        • They've done nothing wrong until they hit the point of actually ordering an attack.

          And as they've done nothing wrong they wouldn't be charged with a crime either. And if they actually ordered an attack the idea that they are simply curious or researchers suddenly becomes laughable.

          "Your Honour I was just curious what that person's brains would look like splattered against the wall. I'm not a murderer honestly!"

          • by tragedy ( 27079 )

            And if they actually ordered an attack the idea that they are simply curious or researchers suddenly becomes laughable.

            What if a researcher orders an attack on their own site or a client's site. That sounds like exactly the sort of thing a security researcher would be meant to do. Similar question I suppose about hiring a hitman to kill ones self. Suicide might be illegal, and there might be various peripheral charges of various kinds around hiring a hitman (conspiracy to commit money laundering, since you might have to pay them anonymously?), and charges related to endangering public safety, etc., but could they actually c

        • by gweihir ( 88907 )

          The people going to DDOS websites are already predisposed and looking to take action.

          Not necessarily, they may simply be curious or working as researchers. They've done nothing wrong until they hit the point of actually ordering an attack.

          Not even necessarily at that time. If they order an attack with permission if the suite owner and access provider, that would be legal too. Of course, it may even be legal to order an attack in some countries against "enemies of the people" (or similar crap ideas)...
          The point is that legality is a pretty bad (as so often) criterion. The police pretending to be something they are not is universally a bad idea though.

      • Entrapment is the RICO of lupus

      • by gweihir ( 88907 )

        It is a slippery slope. If actions like this are legal, then there is something seriously wrong with the legal system in question.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Why, do criminals deserve a sporting chance? ;^)
      Entrapment is if you're induced/lured/manipulated into doing something you wouldn't otherwise do. Fake stresser sites aren't an attractive nuisance you just stumble upon. Besides that, no crime has actually occurred since the sites are fake, and having a law agent wag their finger warning you about cybercrime isn't a prosecution by the court.

  • why aren't they charging anyone?

    "Going forward, people who wish to use these services can't be sure who is actually behind them, so why take the risk?"

    What risk? Nothing's gonna happen.

    • by kmoser ( 1469707 )
      People can always claim they're phishing for into about the DDoS providers in order to turn them over the authorities.
    • by ShanghaiBill ( 739463 ) on Wednesday March 29, 2023 @12:57AM (#63407978)

      why aren't they charging anyone?

      Because no one has yet committed a crime.

      Deterrence is way cheaper than prosecuting and imprisoning people. Perhaps that's something the USA can learn from the UK.

      • Yes. Arresting people for writing mean things on twitter. That's what USA needs more of.
        • Yes. Arresting people for writing mean things on twitter. That's what USA needs more of.

          Ron DeSantis agrees with you [cnn.com]. Arrest and imprison people who note what a liar you are.

          • > Ron DeSantis agrees with you [cnn.com]. Arrest and imprison people who note what a liar you are.

            The article you linked says the law makes actionable "reckless disregard for the truth" which is currently protected speech by profit-making news organizations.

            Which is the opposite of your claim here. Is DeSantis Derangement Syndrome already a thing? I figured he'd have to run for President at least before that got off the ground.

            Let's hope he doesn't run.

            Do you think a news organization ruthlessly lying

            • The article you linked says the law makes actionable "reckless disregard for the truth" which is currently protected speech by profit-making news organizations.

              Riiiight. Of course it is. And guess who will claim anything which isn't absolutely, 100% correct is "reckless disregard for the truth". In DeSantis' world, anything which will make him look bad is "reckless disregard". Why do you think he and the legislature are working to pass a law to prohibit his travel records from public view [tampabay.com]? Now guess
          • by Entrope ( 68843 )

            Couldn't you find a screed that at least said what the bill would change, instead of complaining on the vaguest possible terms?

            Still, the CNN piece you linked to is about defamation, which is a civil cause of action rather than a crime. Nobody gets arrested or imprisoned in a civil lawsuit.

            If you insist on crying whatabout, you should at least make it a relevant whatabout.

      • The problem is that you have a jerk who's clearly looking to cause trouble, in your sights right now. We should "sting" him and put him away. The jailing cost doesn't matter because he's going to harm good people in the future.
    • by Zocalo ( 252965 ) on Wednesday March 29, 2023 @02:07AM (#63408042) Homepage
      Just signing up to a site like this isn't illegal. Legit security researchers like Brian Krebs who wrote TFA do this all the time, and it'd be pretty hard to prosecute based purely on intent just because of a website sign-up. If they were to offer actual services, as the FBI has done with some seized darkweb sites, then you're potentially opening the door for an entrapment defense - plus have to deal with some of the blowback the FBI got from their efforts, which wasn't all that much really.

      What they've done instead is put some red flags against a several thousand names that have, in effect, already received their first legal warning, and therefore are going to get a lot less sympathy from a court if they subsequently get caught and prosecuted for cybercrime later. There's also the possibility that a few of the people they ID might already be on similar watchlists or under caution which that might lead to actual prosecutions, but that's not the job of the NCA, it's down to the police and Crown Prosecution Service in the UK (or the other legal authorities being notified oversea), who would almost certainly both be provided with the details. Whether they join the dots is another matter, of course.

      It's not a bad idea, really. Low cost, low effort and, IMHO, a low level of deterrance factor too, but the real value is probably going to be those red flags and watchlists for any subsequent prosecutions of those that don't heed the warning and continue on down the cybercrime rabbit hole.
    • why aren't they charging anyone?

      "Going forward, people who wish to use these services can't be sure who is actually behind them, so why take the risk?"

      What risk? Nothing's gonna happen.

      This - the people registering are not given tools, and they are reminded that what they might be trying to do is illegal. You register to get the tools, and then you become interesting, but you don't get the tools.

  • by Powercntrl ( 458442 ) on Tuesday March 28, 2023 @10:55PM (#63407878) Homepage

    If I didn't know better, I'd assume a "booter site" was just Cockney slang for something else entirely. Probably butt stuff.

    • "fruit booter" is American skater slang for rollerbladers who do tricks...

    • by pr0nbot ( 313417 )

      There I was in the old rub a dub dub 'avin a pig's ear when who should I see but ol' 'arry, 'im with the big barnet what used to be a bottle stopper. So I goes over for a bit of a natter, 'e tells me 'e's only gone and got 'imself cut and carried, even 'as a coupla dustbin lids and a basin of gravy on the way. Good on yer 'arry I says, but I reckon it's yer round. Get off, sling yer 'ook 'e says. Alright alright, wind yer neck in says I, and it's back to the lads at the bar. Same ol' 'arry, I tells em. Utte

  • Any people after this service have to be identified & in the UK to make prosecution likely.

    Solution: Accept the order and payment then tell them "Nah". Tell them to come to UK if they want to sue.
    • Not really - the NCA most definitely talks to Europol and others - given the UK is usually the USA's lapdog, I'd imagine the NCA also talks to the FBI quite a bit too.

      Granted, a hacker in NK, Iran or Russia isn't likely to be arrested and charged *anywhere* - but identifying them, and being clear that they're in one of those countries (with some actual proof) makes things diplomatically less peachy for those countries. It's possible said hacker is not state run, and maybe not even particularly known to the

  • Rather than warn them, take their money and do nothing, perhaps even ask for more money in return for not making their names public. That ought to make more people think twice about doing it again.
    • Re:A better idea? (Score:4, Insightful)

      by Professeur Shadoko ( 230027 ) on Wednesday March 29, 2023 @02:53AM (#63408072)

      The police ransoming people, a better idea ?

      • Cheaper than prosecuting them, probably close to as effective. I'm sorry, but if you decide to spend your money on DDoS'ins a site, you deserve to lose the money you spent on the DDoS, perhaps some more. Maybe next time, you will think twice before you do it again. Note that I am not advocating that the police solicit you to do it, just that they setup honey pots for you to find, if you are in fact looking to DDoS a site.
  • Now everyone knows about it. Also how is this not entrapment? (illegal in the UK as far as I understand it, not being a lawyer)
    • Now everyone knows about it. Also how is this not entrapment? (illegal in the UK as far as I understand it, not being a lawyer)

      People don't get arrested for going to the site or even registering. They get no tools to perform DDos. They are told it is illegal. That would have to be the weakest form of entrapment ever.

    • by quonset ( 4839537 ) on Wednesday March 29, 2023 @06:07AM (#63408294)

      Also how is this not entrapment? (illegal in the UK as far as I understand it, not being a lawyer)

      You answered your own question. Since you're not a lawyer, and apparently haven't studied the basics of law, entrapment occurs when someone is enticed to do something they weren't already disposed to do. This comic [tumblr.com] illustrates several examples of people NOT being entrapped.

      Study hard. A test will be given tomorrow. It will be multiple choice and there is no curve.

      • ...And the next thing she knew, she was in handcuffs!

        "Hey, that costs extra!"

      • I loved this example from Breaking Bad.
        Badger gets busted [youtube.com]

        If you ask a cop if he's a cop, he's, like, obligated to tell you. It's in the Constitution.
        The Constitution of America? Huh?
        So go ahead and ask
        You a cop?
        No, no, not like that. Ask it, like, official.
        Are you a police officer?
        No, I am not a police officer.
        Okay, then. Hundred and seventy-five for a teenth
        Whoah
        The price is the price , yo.
        All right.
        There ya' go. Enjoy.

  • by MancunianMaskMan ( 701642 ) on Wednesday March 29, 2023 @04:04AM (#63408140)
    it seems the hard-working Booter and DDoS industry needs some sort of certification scheme where would-be attackers can see that the site they're signing up with is certified Evil(TM) and not some pretend do-gooders or the cops.
  • "Users based in the UK will be contacted by the National Crime Agency or police and warned about engaging in cyber crime. "

    No, they will not.
    They use a VPN and the UK government will complain that the VPN doesn't 'want' to give them their details.

    Perhaps they'll catch a teen of 2.

  • are what the people want
  • 2 much COVID-19 stuff! :(

He who has but four and spends five has no need for a wallet.

Working...