Video: Cybercriminals manipulate search results to raid bank accounts
Netherlands police's high-tech crime unit has arrested an 18-year-old man on suspicion of launching distributed denial-of-service (DDoS) attacks on the Dutch tax authority, tech site Tweakers, and internet service provider Tweak.
The police said the teenager, known only as 'Jelle S', is also suspected of attacking the online bank Bunq. There is as yet no official word on whether these attacks are tied to those on large Netherlands banks ABN Amro, Rabobank, and ING Bank.
However, security researchers believe it's all down to the same individual. The large banks and the tax authority were all hit at the end of January, prompting a great deal of speculation over the identity of the attackers.
Many suggested that Russians were responsible, as the attacks came shortly after it emerged that Dutch intelligence had watched Russian hackers attack the Democratic Party in the US, in the run-up to the 2016 election.
Bunq was hit long before this recent wave of attacks -- back in September, when the police began their investigation.
In a bizarre twist, it seems that an 18-year-old called J turned himself in to Bunq four months ago, and the startup decided to overlook his "youthful sin" on the condition that he did a week's unpaid community work for Amnesty International.
On Monday, Bunq said Jelle S was the prime suspect in the investigation into the bank's targeting from September.
Image: Tweakers
"By studying the attack patterns and researching certain sets of IP addresses, we quickly found a suspect," Bunq told ZDNet.
"Because of our good ties to the IT community, we got some helpful insights from people who had their suspicions and had heard some chatter. Once it was clear that both our own investigation, as well as the noises we heard, pointed to the same person, it was clear to us."
In a statement, the police said they worked closely with Bunq, Tweakers, and the security firm Redsocks as they tried to catch the culprit.
Free download: IT leader's guide to reducing insider security threats
"With this arrest, we show that people who commit DDoS attacks do not go unpunished," said division chief Gert Ras. "It is still being investigated whether there is a link to the recent DDoS attacks on other large financial service providers."
Rickey Gevers, a security researcher at Redsocks, told ZDNet that the firm has gathered digital evidence suggesting one person is behind both waves of attacks.
Gevers highlighted two pieces of evidence linking the ABN Amro and ING attacks: all the attacks came in at the same volume of 40Gbps to 50Gbps; and the attacker used an email address with the phrase "ddos-banks".
"It's often easy to track teenagers down for this type of attack," Gevers said.
On Tuesday, Tweakers published a detailed account of what happened on its side of the investigation, based on the experiences of company system administrator Kees Hoekzema.
Hoekzema first noticed something was up on January 29, when he saw someone had hit Tweakers with a 25Gbps attack the night before. Then came a second attack, at more than 40Gbps. And then another brief attack, this time on Tweakers' backup location rather than its main site.
The sysadmin then realised, after judging the timing of attacks relative to his posts about earlier attacks on Twitter, that the attacker was probably watching him. His suspicions were confirmed when someone subtly calling himself 'DDoS' emailed him to say it wasn't the Russians. The message came via the encrypted email service ProtonMail.
Hoekzema then tweeted that he was going to try watching Netflix. An attack followed, so he used a tweet to ask the attacker to stop, which he did. The process was repeated. Then Hoekzema mentioned in a tweet that no one was being bothered by the attack other than users of Tweakers' IRC chat channel.
A couple minutes later, someone logged into the channel using the DDos nickname. In the ensuing conversation, DDoS said he had spent €40 ($49) on a 'stresser' attack on Tweaker, and insisted that he had been behind all the recent Dutch attacks.
After the conversation, Hoekzema realised that his correspondent had logged into the Tweakers IRC channel via its web client, rather than using a separate IRC client, so he was able to look up the IP address of the VPN that DDoS had used.
The same IP address had also been used to check unread notifications on the Tweakers site, which meant the user had an account there.
Searching through log files, Hoekzema saw that someone had submitted 15 new tips about the attacks to Tweakers -- which is something only logged-in members can do. So, even though the session ID was anonymous, it could be linked to that account. The name on the account also corresponded to that on a Twitter profile that had recently followed Hoekzema.
"I've got him," Hoekzema emailed his colleagues, according to Tweakers' account of the incident.
If Jelle S is convicted, he faces up to six years behind bars.
Previous and related coverage
DDoS mystery: Who's behind this massive wave of attacks targeting Dutch banks?
The attackers and their motives for concerted attacks on Netherlands finance institutions remain unknown.
DDoS attack leaves Dutch websites offline for hours
A number of Dutch government websites went dark yesterday after an online assault.
Read more on cybercrime
Read More