Slashdot Mirror

← Back to Stories (view on slashdot.org)

CastleCops.com Hit With Reputation-Based Attacks

Posted by Zonk on from the its-a-dirty-web-out-there dept.

An anonymous reader writes "The all-volunteer based online fraud fighting group CastleCops.com is currently the target of ongoing reputation-based attacks in which criminals use phished PayPal accounts to donate thousands of dollars to CastleCops from dozens of victims. This attack appears to be in response to a recent series of failed denial-of-service attacks against the CastleCops, Web site. From the story: 'A few donations were for as little as $1, while other fake donations ranged as high as $2,800. To the victims of the stolen PayPal accounts, it looks as if CastleCops is the one stealing their money, when in reality, it's the attackers. Also, the fraudulent activity seeks to ruin their relationship with PayPal.' In a comment left on Washingtonpost.com's Security Fix blog, CastleCops co-founder Paul Laudanksi says while the group's site remains under a heavy DDoS attack, it is currently down due to a hardware failure, not the attack itself."

23 of 79 comments (clear)

  1. Re:Hobby or business? by Umuri · · Score: 5, Informative

    "CastleCops needs to start treating what they are doing more like a business and less like a hobby."

    Thank you for your very deep and wonderful insight!
    Obviously you have found the core of all their problems was that they obviously don't take what they are doing seriously, and because of that, the groups they are fighting against use sneaky tactics through third party companies to enact harm upon them.

    Because that makes sense and is something they obviously could have stopped if they had only "treated it more like a business", whatever that means. No one knows, because you didn't even elaborate.

    [/sarcasm]

    --
    You never realize how much manually made unmanaged "linked" lists suck, till you have src.link.link.link.link...
  2. You'd think... by ackthpt · · Score: 4, Interesting

    With CastleCops.com as a honeypot, ISPs could be contacted to the origin of the DDoS attacks, PayPal could do some investigating of their own as to the IP origins of donations and do something about this stuff.

    Fer Bob's sakes, this isn't 2001 anymore, when are these companies and perhaps goverment going to make some strides in shutting down bots and zombies?

    --

    A feeling of having made the same mistake before: Deja Foobar
  3. How did we get here? by Anonymous Coward · · Score: 4, Interesting

    How did we arrive at such a completely fucked-up state of affairs, where organized gangs from Russia control what is (arguably) the most powerful supercomputer in existence? How is it that cyber-criminals are able to act with such total impunity? Am I the only person who doesn't understand how this is being ignored amid all the noise about "the war on terror"?

    1. Re:How did we get here? by DragonTHC · · Score: 2, Interesting

      Russia doesn't care about this stuff. They are busy buddying up with china. And, china is busy hacking DoD servers.
      The russian mafia has been in control of the country since the fall of the soviet union. The FSB is made up of former KGB and mafia officers.
      These gangs operate with complete impunity.
      The answer to these problems is physically denying network access to these countries. Turn off their Internet access.
      This creates two problems: Let's see how long russia can go without the Internet, and let's see how long the rest of the world can go without russian porn.
      While it's no surprise that communism creates immoral and unethical people, The US government needs to create a policy that makes sense.

      The US government will not create that policy because russia is up to its old tricks. Russia has resumed bomber patrol flights. Russia is partnering with china in all sorts of treaties. Russia is creating tension over the US planned missile defense station in eastern europe.

      The government, while not the stupid people we believe them to be, will not take steps to aggravate real potential threats against the country.
      Their "war on terror" is just a ploy to trick the American people into stepping up military production.

      Make no mistake, there is a storm brewing between the US and China. Russia has chosen their side. The middle east is the only unsecured front right now. The US is trying to secure it. Iraq is going to be full of air bases and US production facilities.

      So, when organized hacker gangs terrorize American citizens, the US treats it like a civilian law enforcement matter. The US cannot afford to provoke aggression from the Russians.

      --
      They're using their grammar skills there.
  4. In Soviet Russia.... by EricKoh · · Score: 5, Funny

    In Soviet Russia, phishers send you money..

  5. What's wrong with people? by tomstdenis · · Score: 3, Insightful

    Seriously. Is decency at such a low ebb that people have to stoop to attacking victim services and defense organizations? Seriously. Maybe if these people put half the time and energy they did into stealing they could actually get a real job and sleep well for a change instead of ripping people off all the time.

    And while they're at it, they could stop sporging sci.crypt and other groups. That'd be nice. :-)

    --
    Someday, I'll have a real sig.
    1. Re:What's wrong with people? by honeybuttertoast · · Score: 3, Insightful

      get a real job and sleep well for a change

      I'm sure they sleep fine already. On a nice comfy expensive bed.
  6. Modern-day Joe Job by njfuzzy · · Score: 2, Informative

    A few years ago, I got hit with a Joe Job. Someone sent out spam to a very large list, pretending to be me, advertising a service I actually provided then. The email was badly spelled, made the emphasis very unprofessional, and linked to my site. The goal, and maybe the result, was to make me look like an ignorant, asshole spammer. They paaid to do this, though not a lot I imagine. This seems to be a very similar kind of attack.

    --
    My Photography - http://ian-x.com
    The Deathlings (comic) - http://thedeathlings.com
    1. Re:Modern-day Joe Job by tomstdenis · · Score: 5, Informative

      At least your joe-job sounded PG-13. When crypto trolls in sci.crypt wanted me off the scene they posted child porn with my home address and phone number (neither kept secret, but obviously I didn't want them tied to that). After the initial wave of kiddie porn, they decided to re-post my posts in thousands of groups. When my 2nd book was coming out they re-posted a single post I wrote about the book (sans URL) and included the URL. Net result, lots of death threats, spam, hate mail, and low reviews on Amazon from people who have never read the book.

      The sad thing is, if someone really wants to cause hell for another it's not all that hard. 99% of net users are ignorant to how trustworthy things like a "from" address are. In fact, we had to joe-job [privately] one irate poster who kept assuming joe-jobs were impossible with email. So my brother and I sent him emails with his name and address on them. (this was all in private, not public). In the end he told us to leave him alone (and we did) and he never really conceded the point.

      People are dumb. This just proves they're also mean.

      Which is why I study music instead now. The Internet is just too much of a waste.

      --
      Someday, I'll have a real sig.
    2. Re:Modern-day Joe Job by Billosaur · · Score: 3, Insightful

      Which just goes to show what psychologists have known for years: the mob is fickle and easily incited. All you have to do is chant "child porn" and point a finger and the dogs are all over you. What hurts with something like that is that information on the Internet has permanence unlike anything else, which mans even if you clear up a misconception, misunderstanding, or outright fraud, the original information continues to exist and people will still believe. To paraphrase, "a lie repeated often enough starts to sound like the truth."

      --
      GetOuttaMySpace - The Anti-Social Network
  7. Not until a law is passed. by khasim · · Score: 2, Insightful

    It costs the ISP's money to turn off a customer's account ... and then deal with the customer calling and swearing that HIS computer is not the problem.

    The ISP's are NOT going to spend the money UNLESS they're facing larger fines if they do not do so.

    Not to mention that the ISP's usually don't hire the best and brightest out there. I don't believe they could tell the difference between the slashdot effect and a DDoS. How many of the people here would be happy to find out that their they've been cut off because their machines were participating in a "DDoS" of some website? When all they were doing is hitting a site with a story with HUGE graphics?

    1. Re:Not until a law is passed. by apt142 · · Score: 2, Interesting

      It also costs the ISP's money to leave the bot nets up. Imagine how much bandwidth would just free itself up if all the spam, phishing, DDoS, and virus attacks just stopped. I don't know the statistics, but it must make up a shit load of traffic.

      Of course, there is a profit to be made in people upping their connection speeds because their pwnd computer is spewing garbage.

      But, if I were offered a service where I could count on less of this crap clogging up my tubes, I'd take it.

      --
      Star Pirates
    2. Re:Not until a law is passed. by miskatonic+alumnus · · Score: 4, Funny

      I don't know the statistics, but it must make up a shit load of traffic.

      Oh, come on. You just pulled that statistic out of your ass.

    3. Re:Not until a law is passed. by apt142 · · Score: 2, Funny

      And then I just flung it out there!

      --
      Star Pirates
  8. Re:Hobby or business? by gravos · · Score: 5, Insightful

    How about this: Paypal needs to start treating their customer service situation more like a business and less like a hobby.

    --
    This game will waste your life. Don't clicky!
  9. While you were sleeping by packetmon · · Score: 2, Insightful

    You know... A while back I rambled on about lazy ass engineers who have the capability to stop botnet DDoS traffic. Went unanswered, some mumbled those with the capabilities to stop it did nothing. As for the financial fraud occurring, its unfortunate but will likely be resolved too. Its a shame when people go out of their way to make things better only to be trampled upon. Kudos to Castlecop's team for their resiliency. As for the network engineers who peruse this site, this could one day be you too. Think about that before you decide to just brush away calls for assistance when dealing with botnets and attacks.

    --
    Infiltrated dot Net
    1. Re:While you were sleeping by Timothy+Brownawell · · Score: 2

      You know... A while back I rambled on about lazy ass engineers who have the capability to stop botnet DDoS traffic. Went unanswered, ....

      Funny. What makes you think that they have that capability? Even when the traffic is distinct enough to filter, I'd think inspecting it all would take quite a lot more hardware than they're used to using...

    2. Re:While you were sleeping by packetmon · · Score: 2, Informative

      No doesn't take as much as you think. http://www.arbornetworks.com/index.php?option=com_content&task=view&id=56&Itemid=33 If NAP's and NSP's created a policy to their downstreams vis-a-vis this would almost be a thing of the past. http://www.infiltrated.net/?p=23 (warning if you're a network engineer, this will likely piss you off love it or hate it)

      --
      Infiltrated dot Net
  10. Re:I read the topic as "Republican-Based Attack" by geoffrobinson · · Score: 3, Funny

    You've been spending too much time on slashdot.

    --
    Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
  11. Re:Hobby or business? by Umuri · · Score: 2, Insightful

    That may be so, and paypal is more like a free money tree for them, than a hobby.
    In that regard they are treating it exactly like a business, maximum profit for least work. Not a good business, but a profitable one none the less.

    However the GP said that castlecops was the one treating it not like a business. Still not sure what he meant.

    No one questioned paypal's buffoonery

    --
    You never realize how much manually made unmanaged "linked" lists suck, till you have src.link.link.link.link...
  12. Re:It's like raaaiiiiiiiiaaaain by njfuzzy · · Score: 2, Funny

    Oh my god, I made a typo. You have shamed me for life.

    --
    My Photography - http://ian-x.com
    The Deathlings (comic) - http://thedeathlings.com
  13. Re:It's ironic... by Billosaur · · Score: 4, Insightful

    Agreed -- to a point. Phishing is like the Internet equivalent of mugging, in that your money is taken involuntarily, but the fact is, you click the link that enables the phisher to get your cash. People have to be accountable for their own actions. I would give them full refunds, but then if I was PayPal I would flag their accounts and scrutinize every transaction from there on out for at least a year to make sure they didn't repeat the mistake. Maybe after their payments continue to be delayed by the extra processing, the users will think twice before clicking any link. And if they don't, and get bagged again, automatically shut down their account.

    --
    GetOuttaMySpace - The Anti-Social Network
  14. Re:It's ironic... by FrameRotBlues · · Score: 2, Informative
    This article caught my eye because I recently had my PayPal account hacked, and someone tried to withdraw (coincidentally?) $2800. I don't have $2800, so my bank denied the transaction and charged me $35. I immediately logged on to PayPal and they had put up a bunch of verification hoops to jump through, which I gladly did.

    I'm pretty savvy when it comes to phishing, I always hover over questionable links to see where the HTML leads to, and some of the phishing e-mails I get purporting to be PayPal are laughable, rather than laudable. Spelling errors, typos, repeat sentences with different information... I swear, the majority of phishers are complete idiots, and couldn't hold a job at McDonalds if they tried.

    But that really says something about the intelligence of some of those recipients, since some people DO fall for the e-mails.

    FYI, I changed my PayPal password from an 8-digit to a 20-digit, but my bank made the good suggestion that I change bank accounts as well, since that information might not be secure now, either.