A Melbourne web domain kingpin has received death threats after he blew the lid on emerging fraud campaigns.
Attackers warned Michael Gilmour that he would be killed unless he removed a series of blog articles that warned domain name buyers of a new scam sweeping the industry.
Ten days ago, a large denial of service attack from a global botnet slammed into Gilmour’s personal blog, where the articles were posted, and his business website. Both have remained under attack and offline.
Gilmour shrugged off the attacks until he noticed the death threats embedded as URLs in the attack logs.
"I have family, I have children, and employees that need to be protected," Gilmour said.
The most recent threat read “http://lastwarning-shutdown-yourblog-or-die-withyourparklogic.com”.
Park Logic was Gilmour’s domain parking company that hosted half a million domain names.
Federal cyber crime investigators within the Attorney-General’s Computer Emergency Response Team (CERT) were hunting the command and control servers used in the attacks.
Those servers used hacked computers in the Ukraine, China and India among others to attack Gilmour’s sites and issue death threats.
Forensic experts in the United States Secret Service were also investigating the attacks because some servers were located on American soil.
"They consider the attacks to be against US soil."
Victoria Police refered the case to the Attorney-General's Department and the Secret Service after insisting that Gilmour take the threats seriously.
Gilmour wore the initial attacks as a badge that validated his investigation of the domain scams.
“The threat said shut the **** up, or something to that effect, which wasn’t serious,” he said.
In a series of blog posts, now offline, Gilmour revealed scammers were purchasing parking accounts from legitimate domain operators to defraud advertisers.
Fraudsters would pump torrents of fraudulent botnet traffic through the sites, advertisers would pay for the traffic and the scammers would cut and run with the cash.
Gilmour published phishing emails that he received from scammers asking to buy into parked accounts. He also warned that mules were used to buy accounts on behalf of fraudsters known to the industry.
“I wanted to warn the community so they didn’t get caught out,” he said. “Then they got upset with me and took it out on by blog.”
Days later, the attacks swung from Gilmour's personal blog to Park Logic. He took defensive measures, purchasing a service from Cloud Fire specifically designed to block denial of service attacks and engaging with Chicago-based hosting provider Layer Tech, which blocked the offending IP address ranges.
A game of cat and mouse ensued, and continues. Scammers would change their origin of attack to evade blocking and Gilmour would respond in kind.
In the last hour, the attacks have moved to Indonesia where some 28,000 unique IP addresses are attacking his sites every few minutes.
During his interview with SC, Gilmour logged in to his beleaguered website and cut links to Indonesia.
He immediately informed his customers when the attacks hit Park Logic, and established alternative means for them to access services without being impacted.
After notifying his provider and customers, Gilmour began to tinker with the index file of the attacked Apache server.
He found that malicious requests entered the site through its HTML landing page, so he replaced the index with a small text file and redirected visitors to the blog's original php index.
Tinkering aside, Gilmour considered the attacks a symptom of the endemic lawlessness of the internet and failures of law enforcement to defend its users.
“I can buy a botnet for a buck a day and put anyone out of business," he said. “Governments have done nothing over the last 10 years to this clear and present danger, save for some posturing.”