Did your UK biz just pay £1,500 to stop a DDoS? You've been had

What kind of a grifter pretends he's going to DDoS you? The kind that easily makes off with a lot of cash, it seems. "Hackers" who have been making empty DDoS threats while posing as the Armada Collective appear to have have moved on.

No, they didn't stop scamming people, they just changed their modus operandi: they're now pretending to come from Lizard Squad.

El Reg has been forwarded an example of a threatening email ostensibly from the Lizard Squad sent to a well-known UK museum. A source in the security response community told us that it is seeing similar threats which are never followed up.

Both requested we leave out their name out of any story.

CloudFlare recently warned that blackmailed organisations paid more than $100k to grifters who posed as the notorious Armada Collective group without actually attacking anyone, as previously reported.

Shakedown targets were warned to hand over 10 Bitcoins (around $4,500, £3,100) or else risk seeing their businesses taken offline before facing an escalating series of extortionate demands. But the Bitcoin payment address for the series of scam emails was the same every time so fraudsters would have been unable to tell which targets paid up, according to CloudFlare.

CloudFlare reckons more than 100 companies have received threatening emails but has concluded - after conferring with other DDoS mitigation vendors - that no attacks actually took place.

Cold blooded con

The “Lizard Squad” threats appear to follow the same pattern, except for the more modest initial extortionate demand of 5 Bitcoins ($2,200, £1,500). This demand increases by 5 Bitcoins for each day that it goes unpaid, according to a the particular threatening email seen by El Reg. Last week Action Fraud warned that an unspecified number of businesses had received the same threat.

Action Fraud, the UK’s national fraud and reporting centre, an operation run by the City of London police, does not say whether or not the demands are genuine. Nor does it say that threats are named under the guise of the “Lizard Squad”. Instead Action Fraud restricts itself to firmly advised targets not to pay up as well as asking victims to keep server logs in the event that they are attacked.

The organisation who alerted us to the latest run of DDoS extortion threats was warned that an attacks against its systems would begin on 3 May. There’s no external evidence that anything happened on Tuesday.

Based on this and what our security response source tells us, it seems likely that we are dealing with a second run of empty threats, possibly from the same group of faux DDoS varmints.

Lizard Squad infamously attacked the global Xbox and Playstation gaming networks in the immediate run up to Christmas 2014 before launching a DDoS-for-hire service shortly afterwards. The Armada Collective group made its mark last year with a series of distributed denial of service (DDoS) attacks on webmail providers who refused to pay them a protection fee. Suspects alleged to be members of both groups have been arrested and are being prosecuted.

Someone seems to be trading off the notorious reputation of both groups with evidently convincing (for some at least) but empty threats. Further scams along the same lines - as well as real DDoS extortion threats - can be expected in future. ®