SWATting Incidents Tied to ID Theft Sites?

Many readers have been asking for an update on the “SWATting” incident at my home last month, in which someone claiming to be me fraudulently reported a home invasion in progress at my address, prompting a heavily armed police response. There are two incremental developments on this story. The first is I’ve learned more about how the hoax was perpetrated. The second is that new clues suggest that the same individual(s) responsible also have been SWATting Hollywood celebrities and posting their personal information on site called exposed.re.

The day before my SWATting, I wrote a story about a site called exposed.su, which was posting the Social Security numbers, previous addresses, phone numbers and other sensitive information on a slew of high-profile individuals, from the director of the FBI to Kim Kardashian, Bill Gates and First Lady Michelle Obama. I wrote about the site by way of explaining that — as painful as it may be to admit — this information should no longer be considered private, because it is available quite cheaply via a number of shady services advertised in underground cybercrime forums.

After migrating the data from Exposed.su to Exposed.re, the curator added [Swatted] notations.

[Swatted] notations were added to celebrity names after Exposed.su became Exposed.re

To illustrate this reality, I pointed to one underground site in particular — the now-defunct ssndob.ru (it is now at another domain) — that could be used to pull all of this information on just about anyone, including all of those whose information was listed at the time on exposed.su. In a follow-up investigation I posted on Mar. 18, 2013, I cited sources who claimed that the DDoS against my site and the simultaneous SWATting attack on my home was in retaliation for my writing about ssndob.ru, which allegedly some of those involved in the attacks prized and did not wish to see shuttered.

Specifically, two different sources placed blame for the attacks on a young hacker named “Phobia,” who they said was part of a group of Xbox gaming enthusiasts who used ssndob.ru to look up Social Security numbers belonging to high-value Xbox account holders — particularly those belonging to Microsoft Xbox Live employees. Armed with that information, and some social engineering skills, the hackers could apparently trick Microsoft’s tech support folks into transferring control over the accounts to the hackers. “I heard he got pissed that you released the site he uses,” one of the sources told me, explaining why he thought Phobia was involved.

Incidentally, two days after my story ran, several news outlets reported that Microsoft had confirmed it is investigating the hacking of Xbox Live accounts belonging to some “high-profile” Microsoft employees, and that it is actively working with law enforcement on the matter.

A little digging suggested that Phobia was a 20-year-old Ryan Stevenson from in Milford, Ct. In that Mar. 18 story, I interviewed Phobia, who confessed to being the hacker who broke into and deleted the Apple iCloud account of wired.com reporter Mat Honan. In subsequent postings on Twitter, Honan expressed surprise that no one else had drawn the connections between Phobia and Stevenson earlier, based on the amount of open source information linking the two identities. In his own reporting on the attack that wiped his iCloud data, Honan had agreed not to name Phobia in return for an explanation of how the hack was carried out.

Geographic distribution of servers observed in Mar. 14, 2013 attack on KrebsOnSecurity. Source: Prolexic

Geographic distribution of servers observed in Mar. 14, 2013 attack on KrebsOnSecurity. Source: Prolexic

The week after my story ran, I heard from someone who lives in Stevenson’s neighborhood and who watched federal agents and police descend on Stevenson’s home on Mar. 20. I was later able to corroborate that information with a police officer in Connecticut, who confirmed that authorities had seized several boxes of items from the Stevenson residence that day.

If Stevenson was as involved as his erstwhile gaming buddies claim, I can’t say that I’m sad to learn that he got his own police raid. However, I do not believe he was the one responsible for sending the emergency response team to my home. I believe that the person or persons responsible is/are still at large, and that Stevenson was merely thrown under the bus as a convenient diversion. But more on that at another time.

At the end of March, exposed.su was shut down, and the content there was migrated over to a new domain — exposed.re. The curator(s) of this site has been adding more celebrities and public figures, but there is another, far more curious, notation on some of the listings at the new version of the site: Several of those named have the designation [Swatted] next to them, including P. Diddy, Justin Timberlake and Ryan Seacrest (see the collage above). It’s worth noting that not all of those listed on exposed.re who were SWATted recently are designated as such on the site.

Could it be that the person who is looking up and posting all of the Social Security and personal information on public figures and celebrities also is involving in SWATting some of these individuals? Given the timeline of these postings and other factors, it seems likely that this is the case, and that this individual has taken to “marking” or “claiming” SWAT attacks against those he’s listed on exposed.re. Only time will tell, I suppose.

I also wanted to set the record straight about how the SWAT event against me was called in. In my initial story, I reported hearing from a policeman who stayed behind to take an official report about the incident that the emergency call had been spoofed to look like it came from my mobile phone. It turns out that this was not how it went down. The FBI and Fairfax County Police officials have declined to release my case file, saying it is connected to an ongoing investigation. But I was able to confirm that the 911 call was actually made via a relay service designed to help deaf and hearing-impaired individuals communicate over the phone.

Anyone can use these telecommunications relay services, also known as “TeleTYpewriter” (TTY) or “ip-relay.” A typical call involves the caller using some kind of instant message client — such as AOL’s AIM Instant Messenger  — to send messages to a relay operator, who in turn reads the messages to the called party. It’s not clear how the SWATter in my case corresponded with the TTY service, but it’s clear that the abuse of TTY services for SWATting and for other forms of fraud has been and remains a persistent problem.

Perhaps the most frustrating aspect of the abuse of TTY services for fraud stems from the rules under which these relay services must operate, rules that practically guarantee the services will be abused by fraudsters. Under rules set by the Federal Communications Commission (FCC), relay operators are forbidden from keeping records of calls — either the text of what was relayed or even the identity or location of the parties on the calls.

According to this Wikipedia article, relay operators also are legally required to relay all communication between parties without making any judgments, cannot refuse to relay what the caller types, and are prohibited from interjecting their opinions about the veracity of the claims or comments made by the caller.

In 2006, the FCC initiated a proceeding to gather public feedback about how to address the abuse of ip-relay services, and in 2009 it began requiring all users of ip-relay services to register their screen names with a default ip-relay provider. It’s unclear how or whether these measures have lessened the amount of abuse that takes places over relay services. It’s also unclear how many of these recent SWATting incidents involved relay services.

Few of the stories about recent celebrity SWATtings have indicated the source of the emergency alert, although TTY services were cited in one high-profile SWAT against actor Ashton Kutcher in Oct. 2012. Interestingly, the abuse of TTY services also was cited in several SWATting cases involving disputes over Xbox Live players in Washington and Florida in 2011 and 2012. As the Seattle Post Intelligencer reported in 2011, disgruntled hackers have been directing SWAT attacks against Microsoft employees who enforce Xbox Live gaming rules. Those attacks also involved the abuse of TTY services.

I sincerely hope law enforcement authorities apprehend those responsible for these reprehensible attacks. They are of course extremely dangerous, but they also cost taxpayers plenty: The FBI estimates that each SWATting incident costs emergency responders approximately $10,000. Taxpayers also pay for the abuse of TTY services, which are reimbursed by the federal government. In 2012, the FCC stated that the average cost of an interstate or intrastate ip-relay call was about $1.29 per minute.

Оставьте комментарий