SAN FRANCISCO (04/20/2000) - Confirming suspicions that the attacks on CNN.com, Yahoo.com Inc. and a handful of other popular Web sites in February were the work of "script kiddies," officials have arrested a 15-year-old Canadian who allegedly bragged about perpetrating at least one of the attacks.
The teen, whose hacker name is "Mafiaboy," was arrested Saturday in Montreal and released Monday after pleading not guilty to charges of two counts of mischief to data in this case, obstruction of the lawful use of data. He is accused of conducting a distributed denial of service, or DDOS, attack on CNN.com and the more than 1,200 sites it hosts worldwide. The attack disrupted access to the sites for more than four hours on February. 8.
The Yankee Group estimated that the attacks cost the industry about $1.2 billion. Mafiaboy allegedly bragged about the attack in Internet Relay Chat forums, even soliciting the names of other sites that were then attacked, according to Michael Lyle, CTO at Recourse Technologies. In an interview after the attacks, Lyle said he had seen snippets of the logs containing the boasts.
"Bragging about your hacking exploits is just classic hacker behavior," says Jennifer Granick, a San Francisco attorney who has defended several hackers.
"You have a young kid who appears to be looking for attention. Both bragging on IRC and doing this kind of attack are ways of obtaining that attention."
The attack used an existing script and required no serious knowledge about computer networks to pull it off. In addition, the attacker's methods were sloppy. "There were pieces left behind on our computer," says Kevin Schmidt, campus network programmer at the University of California at Santa Barbara, where two computers were compromised but only one was used in an attack. "There was some indication that Mafiaboy may have been involved. There are indications but not proof. You have to look at the entire chain of events."
Yahoo was the first site attacked in February, followed over the next two days by eBay.com, Buy.com, Amazon.com, CNN.com and E-Trade.com. The FBI said it also was looking into an attack on Excite.com, which came to light after the first attacks were announced. At the time, ZDNet.com also claimed to have been a victim, but the site was not on a list of targets being investigated by the FBI. A ZDNet spokesman could not immediately be reached for comment, and the FBI refused to comment further on any investigations.
DDOS attacks are designed to shut down target sites by flooding them with traffic. In this case, the victimized sites were not entirely shut down, but most visitors were unable to reach them. The excessive traffic comes from "zombie" or "slave" computers, usually high-speed servers onto which someone has installed software that includes instructions for carrying out an attack.
Charges in other attacks could be filed against Mafiaboy or other suspects, according to Sgt. Gilles Michaud of the Royal Canadian Mounted Police. If convicted, Mafiaboy faces two years in a juvenile detention center. Officials seized his computer and, as a condition of bail, are prohibiting him from using a computer without supervision, connecting to the Internet or entering a computer store. "I'm surprised it took this long to get an arrest.
They had a number of sources of good information," says Amit Yoran, president and cofounder of RIPTech, an outsourced security management company based in Alexandria, Va. Yoran is also a former U.S. Defense Department director and a Pentagon security expert. A skeptical hacker questioned the arrest, wondering why the FBI would tip its hand by arresting one person in connection with only one of the attacks, given that more people could be involved.
"The Feds needed a high-profile bust, thus Mafiaboy gets picked up," according to Cult Hero of Attrition.org. "They made the DOJ/Companies/Media happy. I imagine we will not see charges for the rest levied against Mafiaboy or anyone he gives up."