A dish served hot: revenge made easy with DDoS-for-hire

No matter how nice we all like to think we are, every last one of us occasionally dreams up an elaborate revenge fantasy, one that wreaks true havoc on the ones we feel have wronged us. Most of us will never follow through on these schemes. We’ll never send anything odious through the mail or have a non-stop barrage of pizzas delivered or take aim at someone’s livelihood through the anonymity of the internet.

However, some of us will, and with how easy DDoS-for-hire services have made it for serious damage to be done to a business or website, anyone looking to exact ruthless revenge has access to a very effective shortcut.

Complex roots

A distributed denial of service (DDoS) attack is a complicated thing. To begin with, a botnet needs to assembled. Malware needs to be written and that malware then needs to spread, infecting tens of thousands, even hundreds of thousands of devices and allowing them to be controlled remotely as a group so their collective computing resources can be aimed at a target in the form of a huge amount of malicious traffic. With this traffic, the person or persons behind the attack intend to overwhelm the network infrastructure or server and take the target offline.

Even without saying anything of amplification or reflection techniques to make attacks bigger or the little tricks used to exhaust server-side resources with minimal resources on the attacker’s part, DDoS attacks are crafty and complex. They used to require a high level of technical know-how, but thanks to the ingenuity of the minds behind DDoS attacks that is no longer true.

Made basic by booters

DDoS-for-hire services are otherwise known as booters or stressers. With a booter, basically anyone with an internet connection can pay a fee that ranges from a few dollars to a few thousand dollars for the use of a botnet. Once the fee has been paid, all a user has to do is type in the URL of the site they want to slam with a DDoS attack, hit enter, and the deed is done.

There are many reasons a person would use a DDoS-for-hire service: for fun, for mayhem, to send DDoS ransom notes and, notably, revenge.

A man scorned

In a famous case of DDoS revenge, Minnesotan John Gammell recently pleaded guilty to computer-related offences involving the DDoS attacks he’d been launching for over two years. These attacks were largely accomplished using booters including the now-infamous vDOS, one of the most powerful DDoS-for-hire services for four years prior to the hack that publicized its list of customers.

Gammell’s main target was a former employer, one he’d had a falling-out with over training he thought he was going to provide. Gammell also blasted attacks at the websites of businesses he perceived as competition for his business, companies that opted to not hire him, the Hennepin County sheriff’s office, and Minnesota state courts. Apparently pleased with his bought and paid-for shenanigans, Gammell couldn’t stop himself from sending taunting emails to his former employer, complete with the image of a laughing mouse.

It was those taunting emails that ultimately proved to be Gammell’s undoing, as law enforcement was able to link the accounts to Gammell after serving Yahoo and Gmail with subpoenas. Laughing mouse indeed.

The key takeaway

Given that he targeted law enforcement agencies as well as the silliness of how he was caught, it must be surmised that John Gammell is not an overwhelmingly brilliant man. Nevertheless, he was able to disrupt his former employer’s website for over a year thanks to DDoS-for-hire services. Since that former employer is a computer repair business, these repeated successful DDoS attacks likely did untold damage to the business in the form of undermined customer loyalty.

Website and business owners need to be aware that anyone, anyone, can do tremendous, lasting damage with a distributed denial of service attack, even if they’d barely heard of a distributed denial of service attack prior to making a quick Bitcoin payment and pasting a URL into a booter. Without professional DDoS mitigation, a website can very easily find itself on the receiving end of revenge served piping hot.

About Author