At the request of the FBI, Israeli authorities last week arrested Itay Huri and Yarden Bidani, both 18 years old, for operating vDOS, a DDoS-for-hire service that raked in more than half a million dollars in two years.
DDoS attacks flood websites with garbage data in order to disrupt their operation and deny users access.
The pair were questioned and released after posting bond of about US$10,000 each, according to TheMarker, an Israeli news site. In addition, the duo’s passports were seized, they were placed under house arrest for 10 days, and they were barred from using the Internet or any telecommunications equipment for 30 days.
The arrests occurred at around the same time that Krebs on Security published a report on vDOS.
vDOS revenues for the past two years exceeded $600,000, and the service launched more than 150,000 DDoS attacks on behalf of its customers, Krebs reported.
Although malpreneurs have been offering for-hire services for a while, they have begun emerging from the dark corners of the Internet.
“It’s just becoming more mainstream,” said Ram Mohan, chief technology officer at Afilias.
“It used to be only accessible on the dark Web,” he said. “Now it’s becoming accessible on the open Web as well.”
“As a Service” offerings have become popular in the business world because they’re easy to use, and the same is true of the malicious offerings, noted Slawek Ligier, vice president of engineering for security Barracuda Networks.
“You’re being provided with your entire infrastructure — not just a software tool,” he said.
Dollars and Cents
The benefits that are attracting businesses to the cloud also are attracting attackers to as a Service offerings.
“You have no setup costs and you have instant service,” Afilias’ Mohan explained. “You define a time period and target, transfer your money, and off you go. You don’t have to get your hands dirty while you try to take down your opponent.”
For many online criminals, the use of as a Service offerings is a simple matter of dollars and cents, noted Josh Shaul, vice president of product management for security at Akamai.
“You get better return by using these services than you do by trying to build the skills yourself, and build your own tools and use them,” he said.
Pricing strategies for criminal services follow their legitimate counterparts, Mohan added. Discounts are offered if multiple packages are purchased — or if you buy the DDoS and spam bundle, you can get a lower rate.
After Huri and Bidani were arrested, vDOS went dark, Krebs reported.
If it stays offline, it probably won’t have much impact on the DDoS trade other than possibly influencing those selling the service to be more cautious.
“The next set of people that offer a similar set of services will be circumspect,” Afilias’ Mohan said, “but as long as this service is made available at a very low cost of entry, we can expect to see more of such services being offered — not less.”
Although the arrests of the Israeli youths may take one big player off the board, there are many more out there, noted Barracuda’s Ligier.
“It can be difficult to prosecute these people, especially if they’re in countries that are harder to reach than Israel is,” he said.
“If history is any guide, I think there’s already someone who’s stepped in to fill their shoes,” suggested Akamai’s Saul. “You’ll have another vDOS service up in a week that’s offering the same service run by different people.”