Targeted messages, such as via Google adverts – like a tap on the shoulder when young gamers are showing an interest in what could turn into cyber-crime – can be surprisingly effective, academic research suggests. Meanwhile high-profile arrests and sentencing of cybercriminals only lead to a short drop in the number of cyber-attacks. Likewise, the takedown of infrastructure is strongly associated with a sharper and longer-term reduction in attack numbers.
For just a few dollars, almost anyone can become involved in cybercrime through the use of ‘booter’ service websites, where users can purchase targeted denial of service (DoS) attacks. A DoS attack generates large amounts of traffic which overwhelm end users or web services, taking them offline. DoS attacks have been used as a protest tactic, but because of booter services and relative ease of using them, they are commonly used by users of gaming sites, as a form of retaliation against other users – the largest booter provider carries out between 30,000 and 50,000 such attacks every day. While DoS attacks are usually targeted at a specific end users, they can often cause collateral damage, knocking out other users or systems.
Ben Collier, Daniel Thomas, Richard Clayton and Alice Hutchings presented a paper, ‘Booting the Booters: Evaluating the Effects of Police Interventions in the Market for Denial-of-Service Attacks’, at the ACM Internet Measurement Conference 2019 in Amsterdam.
Ben Collier from the University of Cambridge’s Department of Computer Science and Technology, the paper’s first author said: “Law enforcement are concerned that DoS attacks purchased from a booter site might be like a ‘gateway drug’ to more serious cybercrime. A big problem is that there is still relatively little evidence as to what best practice looks like for tackling cybercrime.”
From late December 2017 to June 2018, the NCA bought targeted Google adverts aimed at young men in the UK. When a user searched for booter services, a targeted advert popped up, explaining that DoS attacks are illegal. It seemed to work, said Collier: “It might not work for people who are already involved in this type of cyber-crime, but it appeared to dramatically decrease the numbers of new people getting involved.”
Dr Daniel Thomas from the University of Strathclyde’s Department of Computer and Information Sciences said: “Even people running booter services think that booting is lame. This makes the market particularly vulnerable to disruption.”
Collier and his colleagues from the Cambridge Cybercrime Centre used two datasets with granular data about the attacks from booter sites, and modelled how the data correlated with intervention tactics from the UK’s National Crime Agency (NCA), the Federal Bureau of Investigation (FBI) in the United States, and other international law enforcers. While operating a booter service or purchasing a DoS attack is illegal in most jurisdictions, earlier research has found that most booter operators were unconcerned about the possibility of police action against them.
The researchers found that arrests only had a short-term effects on the volume of DoS attacks – about two weeks – at which point activity went back to normal. Sentencing had no widespread effect, as attackers in one country weren’t affected by sentences in another country.
Taking down infrastructure – as the FBI did at the end of 2018 – had a far more noticeable effect, and suppressed the booter market for months. Collier said: “This FBI action also reshaped the market: before, it was what you’d expect in a mature ecosystem, where there several large booter services and lots of smaller ones. But now there’s really just one large booter service provider, and you’re starting to see a few smaller ones start to come back.”
