Thursday, December 30, 2010

Affidavit Details FBI "Operation Payback" Probe 

As part of an international criminal probe into computer attacks launched this month against perceived corporate enemies of WikiLeaks, the FBI has raided a Texas business and seized a computer server that investigators believe was used to launch a massive electronic attack on PayPal,  


The FBI investigation began earlier this month after PayPal officials contacted agents and “reported that an Internet activist group using the names ‘4chan’ and ‘Anonymous’ appeared to be organizing a distributed denial of service (‘DDoS’) attack against the company,” according to an FBI affidavit excerpted here.
The PayPal assault was part of “Operation Payback,” an organized effort to attack firms that suspended or froze WikiLeaks’s accounts in the wake of the group’s publication of thousands of sensitive Department of State cables. As noted by the FBI, other targets of this “Anonymous” effort included Visa, Mastercard, Sarah Palin’s web site, and the Swedish prosecutor pursuing sex assault charges against Julian Assange, the WikiLeaks founder.
On December 9, PayPal investigators provided FBI agents with eight IP addresses that were hosting an “Anonymous” Internet Relay Chat (IRC) site that was being used to organize denial of service attacks. The unidentified administrators of this IRC “then acted as the command and control” of a botnet army of computers that was used to attack target web sites.


Federal investigators noted that “multiple, severe DDoS attacks” had been launched against PayPal, and that the company’s blog had been knocked offline for several hours. These coordinated attacks, investigators allege, amount to felony violations of a federal law covering the “unauthorized and knowing transmission of code or commands resulting in intentional damage to a protected computer system.”
The nascent FBI probe, launched from the bureau’s San Francisco field office, has targeted at least two of those IP addresses, according to the affidavit sworn by Agent Allyn Lynd.
One IP address was initially traced to Host Europe, a Germany-based Internet service provider. A search warrant executed by the German Federal Criminal Police revealed that the “server at issue” belonged to a man from Herrlisheim, France. However, an analysis of the server showed that “root-level access” to the machine “appeared to come from an administrator logging in from” another IP address.
“Log files showed that the commands to execute the DDoS on PayPal actually came from” this IP, Agent Lynd reported. Two log entries cited in the affidavit include an identical message: “Good_night,_paypal_Sweet_dreams_from_AnonOPs.”


Investigators traced the IP address to Tailor Made Services, a Dallas firm providing “dedicated server hosting.” During a December 16 raid, agents copied two hard drives inside the targeted server. Court records do not detail what was found on those drives, nor whether the information led to a suspect or, perhaps, a continuing electronic trail. In a brief phone conversation, Lynd declined to answer questions about the ongoing denial of service probe.
Search warrant records indicate that agents were authorized to seize records and material relating to the DDoS attacks “or other illegal activities pertaining to the organization ‘Anonymous’ or ‘4chan.’”
A second IP address used by “Anonymous” was traced to an Internet service provider in British Columbia, Canada. Investigators with the Royal Canadian Mounted Police determined that the Canadian firm’s “virtual” server was actually housed at Hurricane Electric, a California firm offering “colocation, web hosting, dedicated servers, and Internet connections,” according to its web site.
FBI Agent Christopher Calderon, an expert on malicious botnets who works from the bureau’s San Jose office, is leading the probe of the second IP (and presumably has seized a server from Hurricane Electric). Hurricane’s president, Mike Leber, did not respond to a message left for him at the firm’s office in Fremont, which is about 20 miles from PayPal’s San Jose headquarters.