Two prolific hackers have gone public with an offer that’ll make it incredibly easy for anyone to become an evil cyber criminal.
The two web vandals, known as BestBuy and Popopret, are now renting out a monster catalogue of infected bots, primed and ready to wreak havoc for anyone who fancies dropping a crippling DDoS attack on an unsuspecting web service.
What exactly is a DDoS? Let us take you back a couple of months to a prime example.
On 21 October 2016, a Friday like any other, the US Internet went into meltdown. Workers throughout the country trying to visit some of the most trafficked sites and services on the web, the likes of Twitter and Spotify for some end-of-the-week screen relief, were brought to an abrupt halt as their go-to favourites were nowhere to be found. Gone. All gone. Cue a lot of head-scratching, tutting and groaning.
The reason? A crippling cyber attack on Dyn – a relatively unheard-of but integral Internet company that, in short and without going into big nerd speak, enables browsers to connect with some of the most big-time websites out there. They’re the guys that deal with the process between you punching “www.twitter.com” into your browser and then having Twitter open up on your screen. And when that process is broken, you’re not going anywhere, pal.
The successful attackers brought chaos to the web using a technique called Distributed Denial of Service (DDoS), in which thousands upon thousands of nasty bots bring down a service by overwhelming it with traffic. It’s a really effective type of attack, and a pretty simple one too – if you’ve got access to an army of gremlin bots at your fingertips. Which, we’re guessing, you don’t.
Oh, wait. Thanks to BestBuy and Popopret, now you do.
The gruesome twosome - both a part of an infamous hacking forum known as Hell and linked with several previous attacks that resulted in stolen data from a wide range of US companies - advertised their villainous business scheme in a spam campaign over instant messaging service Jabber. They stated that, for a price, they’ll loan you use of their botnet of up to 400,000 bots for a minimum of two weeks. Two weeks is a heck of a long time, when you consider what chaos a one-day attack created for Dyn.
Popopret offered an example of the price plan to Bleeping Computer:
"Price for 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10 minute cooldown time is approx 3-4k per 2 weeks."
For those of you scratching your heads as to what a “cooldown time” is, it’s the pause between consecutive DDoS attacks, which stops connections and bandwidth from being maxed out.
Oh, and in a classic business school seal-the-deal move, they offer free “short test attacks” too. And God knows we’re all suckers for a freebie.
So, four grand for absolute Internet chaos. It might sound like a big sum, but does it really seem so out-of-reach for an evil wannabe comic book villain looking for vengeance, or a basement-dwelling mastermind after the twisted gratification of causing online bedlam for hundreds of thousands, if not millions, of web users?
All we’ll say is, we’ve got our fingers crossed we’ve not upset anyone recently.