Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Emails threatening DDoS allegedly from Phantom Squad

Published: 2017-09-21
Last Updated: 2017-09-21 20:09:42 UTC
by Brad Duncan (Version: 1)
1 comment(s)

Introduction

As a follow-up to one of our June 2017 diaries asking people to forward us any DDoS threats, we received yet another example: 

Date: Tuesday 2017-09-19 at 18:04 UTC
Subject: DDoS Warning
From: <uid101080@web.websupport.sk.>
Message-Id: <1505844251.007448.31360.nullmailer@me>

Hello, [removed]

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Phantom Squad

Your network will be DDoS-ed starting Sept 30st 2017 if you don't pay protection fee - 0.2 Bitcoin @ [removed].

If you don't pay by Sept 30st 2017, attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.

This is not a joke.

 

Details

Since 2017-09-19, at least 4 people have tweeted about the same type of emails, supposedly from Phantom Squad:

This feels like a scam using the notariety of Phantom Squad's name, because the group has gotten some fairly high-profile press coverage in recent years.  In December 2015, Phantom Squad claimed responsibility for a DDoS attack against Xbox Live.  A year later in December 2016, Phantom Squad was apparently involved in a DDoS attack against Steam.  However, I haven't found any evidence yet this group is involved in small business extortion.

Wheter or not this email is legitimate or fake, they all use notariety of the group's name to make the threat sound plausible.

In our June 2017 diary about fake DDoS extortion emails, Johannes Ullrich provides some guidance for people that receive these types of messages.  Tips include:

  • Verify your DDoS plan:  Do you have an agreement with an anti-DDoS provider?  A contact at your ISP?  If so, make sure everything is set up and working right.
  • Attackers often run short tests before launching a DDoS attack.  Can you find any evidence of that?  Has there been a brief, unexplained traffic spike?  If so, take a closer look.  The threat is more serious if you detect an actual test, because the purpose of a test is often to assess the firepower needed to DDoS your network.

Final words

Thanks to everyone who already forwarded examples to us.  As Johannes previously asked in June 2017, please continue to forward us any similar emails.  We can always use the additional data.

A santized copy of our most current example can be found here.  It's in a password-protected zip archive.  If you don't know the password, look here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Keywords:
1 comment(s)
Diary Archives