Naked Security Naked Security

Have the cops busted one of the Lizard Squad?

The "Lizard Squad" took out Microsoft's and Sony's games networks on Christmas Day. Everyone involved knew in advance that law enforcement would be *very* interested in whodunnit...

You’ve almost certainly heard of the “Lizard Squad.”

That’s the collective term used by a group of cybervandals who clogged up the gaming networks of Sony and Microsoft last Christmas (25 December 2014).

By acquiring access to a botnet – which typically means 10,000 or more malware-infected, zombified computers that can all be commanded in unison – cybervandals can aim thousands, perhaps even millions, of simultaneous but fraudulent web requests at a server, over and over again.

That’s a special sort of Denial of Service (DoS) attack known as a DDoS, pronounced dee-doss, where the extra D stands for “Distributed.”

It’s distributed because the bogus requests typically come from all over the internet, so there is no obvious pattern to the attack, making it tricky to filter out.

And it’s a denial of service because every fraudulent request submitted by the crooks puts one or more legitimate users further back in the queue.

Genuine customers are denied access; and the company being attacked is denied the right to do business.

DDoS as a hack

For the record, mounting a DDoS doesn’t really count as hacking.

We don’t want to make hacking, in the perjorative, break-and-enter sense, sound somehow more glamorous, up-market or acceptable, but the difference is important.

As Mark Stockley explained [10’00”] in the final Chet Chat podcast of 2014:

This isn't a hack in the sense that we normally use the word hack to refer to some sort of breach or unauthorised entry. Lizard Squad didn't gain entry to any Microsoft data or Sony data. They didn't breach any Microsoft systems or Sony systems. They weren't picking the lock; they were barricading the door from the outside.

Nevertheless, a DDoS can be enormously financially disruptive, even though the attackers never actually manage to break into your network at all.

That’s why joining in a DDoS is a crime in many countries.

So everyone involved in the Christmas attack knew perfectly well in advance that law enforcement would be very interested in “whodunnit.”

Curiously, however  – or perhaps downright foolishly – two young men claiming to represent Lizard Squad gave media interviews almost immediately after the attack.

Who is Lizard Squad?

Cybercrime journalist Brian Krebs as good as stated that one of them was a 22-year-old from the UK called Vinnie Omari.

Krebs links to two interviews: one, from BBC Radio 5, features the voice of an anonymous Lizard Squadder that sounds very much like the voice of a Sky News guest identified as “Computer security analyst Vinnie Omari.”

Now, the plot has thickened further, with the Daily Dot reporting that Mr Omari himself sent in a photo of an search warrant dated 2014-12-29:

The warrant doesn’t name Omari, of course, as it is connected to the place to be searched (which is obscured), not a person.

But the warrant does state what law enforcement are looking for:

Documentary and electronic evidence revealing email addresses, usernames, passwords, documents containing names associated with Paypal fraud [...and d]ocumentary and electronic evidence revealing email addresses, usernames, passwords, documents and data in relation to the hacking of the Playstation network and Xbox Live systems over the Christmas period

And the Daily Dot also has a photo of a bail notice, dated just after midday on 2014-12-30, naming Vinnie Omari and releasing him until his court date on 2015-03-10.

The offences listed don’t say which companies or networks were victims of the alleged crimes; instead you will find a list of that curiously-styled and dispassionate prose that appears on charge sheets:

Enter into/concerned in acquisition/retention/use or control criminal property. Fraud by false representation. [...] Conspire to steal from another. Unauthorised computer access with intent to commit other offences.

Lastly, Thames Valley Police in the UK published a press release that seems to refer to the same matter, even though Omari’s name is not mentioned:

The South East Regional Organised Crime Unit (SEROCU) has arrested a 22-year-old man from Twickenham on suspicion of fraud by false representation and Computer Misuse Act offences.

The arrest yesterday (30/12) is in connection with an ongoing investigation in to cyber fraud offences which took place between 2013 and August 2014 during which victims reported funds being stolen from their PayPal accounts.

The arrested man was released on bail until 10 March.

The bottom line

Have the cops busted one of the Lizard Squad?

You’d have to say, “Looks like it.”

Of course, we have no idea if he is connected in any way with any of the alleged crimes: that’s a matter for the court.

But Mark Stockley’s prediction for 2015, in the abovementioned podcast, came true on the very first day of the New Year:

I suspect we're going to be hearing a lot more about Lizard Squad in 2015, in the same way, a few years ago, we heard a great deal about Lulzsec.

As Mark reminded us, a search for Lulzsec on Naked Security reveals very quickly that things did not end well for that group, even though they claimed to have been hacking just for….well, for lulz.

Listen to more

To hear our discussion of the “Lizard Squad” situation, why not listen to the Sophos Security Chet Chat 179 podcast?

The Lizard Squad segment starts at 9’15”:

(Audio player above not working? Download the MP3, or listen on Soundcloud.)

Image of lizard courtesy of Shutterstock.

Leave a Reply

Your email address will not be published. Required fields are marked *