Remember how some weeks ago we wrote about the Backpage seizure by the FBI? Today we have another player that got knocked down: WebStresser.org, the popular IP Stresser (DDOS) website, was just seized by law enforcement agencies.
WebStresser.org was selling monthly attack packages that were advertised as legitimate cybersecurity testing tools. In their own words:
webstresser.org is the strongest IP Stresser / Booter on the market, we provide strongest and most reliable server stress testing, with up to 350Gbps!
With spoofed and amplified stress tests we take care of your privacy online.
Our custom coded attack scripts, IP Logger, 24/7 customer service, 37 backend servers, Layer4 and Layer7 stress tests...
European governments working with the US Department of Defense started an investigation last year.
And as of this week, the law enforcement agencies had collected solid evidence to confirm that this wasn't a legitimate service, and was actually used to carry out real DDOS attacks against governments, institutions, schools, and corporations across the globe.
The main goal of a DDOS attack is to make a web server unreachable by exhausting its capacity to serve traffic. These "stressers" are simply tools that flood a web server with more requests than it can fulfill, which causes the server to go down and any services running on it to be interrupted.
"Operation Power Off" was the name of the procedure that was able to shut down WebStresser.org, and involved arrests of the team behind the site in at least four countries: Canada, Croatia, Serbia, and the UK.
The interface used by WebStresser.org was pretty simple and didn't require any domain or IP ownership verification, so nothing confirmed whether a supposedly "legitimate" test was launched against a host that really belonged to the user or against an outside victim.
In the app, you would simply type in the host, port, and duration of the attack, then choose the attack method, which could be DNS Amplification, SYN Flood, or HTTP Flood, among others.
Using SecurityTrails we were able to investigate a little bit further and found some interesting details. Check this out:
The WHOIS Data changed days ago
Before the takedown:
Technical Contact (DOMAINS)
WhoisGuard Protected
WhoisGuard, Inc.
P.O. Box 0823-03411, Panama, Panama, PANAMA
email@example.com
5078365503
After law enforcement intervention on Apr 25, 2018:
Technical Contact (DOMAINS)
United States Department of Defense
Defense Criminal Investigative Service
4800 Mark Center Drive 2, Alexandria, VA, UNITED STATES
250,614
firstname.lastname@example.org
19198765774 5
Something that really caught our attention in our historical WHOIS database, however, was an entry from 2015. At that time the domain was not using WHOIS guard protection services:
While we don't know if all the data was real, we started digging and found other domains related to the email@example.com email address:
applestresser.com and sxboot.net seem to be associated with the same email. They were hosted on two different hosting providers for a very short period, and neither one is active any longer (both expired).
While these two domains don't reveal more details about the real owner, since they are no longer active, this seems like a good example of how our historical WHOIS data can be used to investigate and find additional information about anything, starting from simple details like an email address, telephone number, postal address, IP address, or DNS server.
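The pivot described above, as an added example that is not SecurityTrails' own code: given a set of historical WHOIS snapshots, it indexes every contact value (email, phone) to the domains that ever used it, finds domains linked to a seed domain through any of its historical values, and refuses to pivot on privacy-proxy values (a WhoisGuard address would link every guarded domain). All records, domains and the privacy-marker heuristic are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed historical WHOIS snapshots (not real data): one contact record per domain per date.
def rec(domain, seen, org, email, phone):
    return {"domain": domain, "seen": seen, "org": org, "email": email, "phone": phone}

HISTORICAL_WHOIS = [
    rec("seed-example.test", date(2015, 3, 1), "Individual", "owner@mail.example", "+1-555-0100"),
    rec("seed-example.test", date(2017, 6, 1), "WhoisGuard, Inc.", "privacy@whoisguard.example", "+507-555-0199"),
    rec("seed-example.test", date(2018, 4, 25), "Defense Criminal Investigative Service", "abuse@dcis.example", "+1-555-0111"),
    rec("second-example.test", date(2015, 9, 1), "Individual", "owner@mail.example", "+1-555-0177"),
    rec("third-example.test", date(2016, 1, 1), "Individual", "other@mail.example", "+1-555-0100"),
    rec("unrelated.test", date(2017, 1, 1), "WhoisGuard, Inc.", "privacy@whoisguard.example", "+507-555-0199"),
]

# Contact values shared by thousands of unrelated domains (privacy proxies) must
# never be used as a pivot; this marker list is a heuristic assumption.
PRIVACY_PROXY_MARKERS = ("whoisguard", "privacy", "proxy", "redacted")
PIVOT_FIELDS = ("email", "phone")

def is_privacy_protected(record):
    blob = f"{record['email']} {record['org']}".lower()
    return any(marker in blob for marker in PRIVACY_PROXY_MARKERS)

def build_pivot_index(records):
    """Map each (field, value) pair to the set of domains that ever used it."""
    index = defaultdict(set)
    for r in records:
        if is_privacy_protected(r):
            continue  # a WhoisGuard contact would link every guarded domain
        for field in PIVOT_FIELDS:
            if r[field]:
                index[(field, r[field].lower())].add(r["domain"])
    return index

def related_domains(records, seed):
    """Domains linked to `seed` via any historical contact value, with the evidence."""
    hits = defaultdict(list)
    for (field, value), domains in build_pivot_index(records).items():
        if seed in domains:
            for other in domains - {seed}:
                hits[other].append((field, value))
    return dict(hits)

def contact_timeline(records, domain):
    """Chronological (date, org, email) rows; shows the switch to/from a privacy guard."""
    rows = sorted((r for r in records if r["domain"] == domain), key=lambda r: r["seen"])
    return [(r["seen"].isoformat(), r["org"], r["email"]) for r in rows]
```

Only the 2015 unguarded snapshot of the seed yields pivots; the guarded 2017 snapshot is ignored, so the guarded "unrelated.test" is not falsely linked.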
What about you? Do you work for a public security agency, or maybe on the private infosec market?
Start using SecurityTrails today for all your investigations and research.
And if you have a dev team to help you, don't lose more time and start integrating SecurityTrails Intelligence Data into your own apps. Sign up for a free API account today.