They say living well is the best revenge, but as so many of us have come to realize, it isn’t exactly satisfying. Even so, most people would agree living well is preferable to, say, living in prison for the sake of revenge, but for one disgruntled ex-employee, it was apparently a trade he was willing to make.
DDoS attacks have long been a go-to for tech-savvy companies willing to get their hands dirty, whether it’s revenge over business gone bad or a straight-up strategy for taking underhanded aim at the competition. With how cheap and easy it’s become to use DDoS for hire services, pretty much anyone – tech savvy or not – can do serious, long-term damage with a devastating cyberattack.
Distributed denial of service or DDoS attacks are perhaps unsurprisingly designed to deny the services of a website to its users. This is accomplished using a botnet’s collection of hijacked internet-connected devices to slam the target website’s server or infrastructure with malicious traffic, overwhelming it to the point that it’s too slow to be used or it’s offline altogether.
At one time, launching a DDoS attack required having access to, if not writing, malware that hijacks those internet-connected devices, as well as having a command and control server for issuing directions to them in order to hurl malicious traffic at the target website – and that’s a DDoS attack in its simplest form. There are all kinds of reflection and amplification techniques used to complicate and intensify attacks, multiple attack vectors can be used, and both the network layer and application layer can be targeted.
In short, launching a distributed denial of service attack used to be reserved for people who really, really know what they’re doing with computers, making such attacks potent but at least somewhat rare. That is no longer the case. DDoS for hire services, otherwise known as booters or stressers, rent out the use of a botnet, allowing anyone to essentially type in a URL and hit it with an attack. Prices start at just a few dollars for a short, low-volume burst and go into the hundreds for longer, more powerful assaults, like the kind purchased by our disgruntled ex-employee and soon-to-be current felon.
An employee scorned
Beginning in 2015, Washburn Computer Group, a computer system repair firm in Minnesota, began experiencing shutdowns of a number of their websites. Along with these shutdowns, Washburn received emails tauntingly asking if they were experiencing any ongoing IT issues. These emails were somewhat incomprehensibly accompanied by an image of a laughing mouse.
The server log files didn’t reveal much about the culprit thanks to an anonymizing service, but those laughing mouse emails left a trail of IP address crumbs that led directly to former Washburn employee John K. Gammell. Gammell had worked for the firm for 17 years, and though he apparently left on good terms, a dispute over payment for training services turned ugly enough that he allegedly enlisted the services of seven booters, spending up to $200 per month on his three favorite booters for a DDoS campaign that lasted a year and four months. In addition to Washburn, Gammell allegedly targeted a number of banks, several employment contracting services he’d done work for, and the Minnesota Judicial Branch.
Gammell is charged with knowingly causing damage without authorization to a protected computer. He recently rejected a plea deal that would have capped his potential prison sentence at 15-17 years.
A dish best not served
The case against Gammell is the first of its kind in Minnesota. He joins the ranks of famous perpetrators of DDoS revenge attacks such as the Lizard Squad, a hacker group that targeted the website of the UK’s National Crime Agency with a DDoS attack in retaliation for arrests of its DDoS for hire users.
These instances of perpetrators actually being identified have garnered plenty of publicity, but it’s because they’re so rare. For every John K. Gammell facing prison time, there is an untold number of websites and organizations dealing with the crippling effects of these attacks. In Washburn’s case, Gammell’s attacks cost them approximately $15,000. That estimate probably doesn’t even account for the long-term damage done to customer loyalty, especially considering Washburn specializes in computer repairs. Customer frustration and loss of loyalty often end up being the highest cost of a successful DDoS attack, amongst costs that can soar to $100,000 for every minute of downtime.
With how easy it is to partake in the services of a booter, and with the ever-increasing size and might of the Internet of Things botnets powering some booters, nearly every website on the internet is a potential target, as is every business with an online presence or connectivity, whether the motive is revenge, competition, hacktivism, the draw of social media attention, or a random DDoS ransom note. Meanwhile, there’s a good possibility that important evidence will be suppressed in the case against Gammell, if the charges aren’t dropped altogether, because some of the evidence was obtained in a hack of one of the DDoS for hire services, making it fruit of a poisoned tree. That is the current state of justice in this world of ever-increasing DDoS threats.