Brian Krebs is one of the most talented cybersecurity journalists out there. Krebs, who frequently writes about emerging forms of Internet crimes, was the subject of a frightening attack last week. Fairfax County, Virginia, police received a spoofed 911 call from Krebs’ phone and flooded his property with a SWAT team. SWATing is a new practice in which cybercriminals and pranksters use sophisticated technology to spoof 911 calls from a victim’s home or mobile phone. Cops then come out, guns blazing, fearing a horrible crime is about to unfold.
Unknown hackers called 911 using a fake phone number that matched Krebs’ mobile. The caller claimed to be Krebs, and said that Russian thieves had broken into his home and shot his wife. A SWAT team was then dispatched to Krebs’s home, which Krebs discovered to his surprise when he opened his door to do some home repairs and found police pointing their guns at him.
In an interview with Ars Technica’s Dan Goodin, Krebs said that he had alerted Fairfax Police several months prior that someone might try to spoof a 911 call from his house; several stories he had written had angered groups that employ the practice. However, Krebs did not answer calls from the police to his house because he was preparing to have guests over for dinner.
“I knew immediately from the minute I saw the policemen behind the car what had happened […] You don’t argue with someone who’s pointing a gun. You don’t argue when the police show up with overwhelming force. You just do what you’re told and explain it later,” Krebs said. He was released after approximately five minutes in custody.
The SWAT team attack on Krebs’s home followed a large denial-of-service attack on his blog. Shortly after the Ars Technica interview was published, Ars Technica was hit by a DDoS attack as well. The same day, Prolexic, a security company Krebs uses to protect his site, received a fake letter from the FBI claiming Krebs’s site hosted illegal content. Although Krebs did not name who he believes was behind the attack, the fake FBI letter contained multiple references to a Russian site which sells access to Social Security numbers and credit reports on the underweb; Krebs believes a separate Taiwanese site may have been involved.
Spoofing 911 calls is relatively easy and requires little technical knowledge; it is more difficult to prank a 911 operator convincingly than to obtain and spoof someone’s real phone number. In other words, it’s shockingly easy to do. A 12-year-old boy recently tricked SWAT teams into raiding the homes of Justin Bieber and Ashton Kutcher; a group of Texans also fooled SWAT teams across the country into raiding people’s homes for fun in 2007.
Participants were chosen based on their involvement on telephone party lines; the phone phreakers then mined consumer reporting info, pizza delivery records, and newspaper archives to find out detailed information on their victims. Using that information, the criminals then called police reporting phony hostage and child abuse situations at the victims’ homes.
[Image: Oregon Department of Transportation]