Distributed breaking-and-entering: novel uses of Craigslist


It’s a common observation that crime online mirrors crime in real life. Fraudsters and hucksters of all stripes were parting people from their money long before the Internet was designed/invented. Organized crime set up shop online, exploiting the new medium for new ways to accomplish the same objectives with greater efficiency and lower risk. Identity theft, extortion, pump-and-dump stock trading, pyramid schemes etc. were not new, but the web expanded their reach and impact dramatically. (It turns out that all the talk about “economies of scale” and synergies enabled by a connected world is not limited to legitimate business.)

But from Tacoma comes this story of influence going in the other direction: bricks-and-mortar crime inspired by its high-tech counterparts. Somebody posted a bogus ad on Craigslist to the effect that a house was abandoned and everything inside was free for the taking. Only it was not abandoned, and the owner was quite understandably upset at discovering the residence taken to the studs upon her arrival. Quote:

“The ad was pulled quickly, she said, but was up long enough that scavengers stripped the house of its light fixtures, front door, vinyl windows, water heater and even the kitchen sink.”

This is reminiscent of distributed denial-of-service (DDoS) attacks in the online world, but with a more damaging “exploit payload.” Instead of experiencing a temporary outage, the homeowner has unrecoverable property damage. In the standard DDoS, a large collection of machines (referred to as a botnet) under the control of a single person (the “bot-herder”) are all instructed to focus their resources on attacking a single target. Even with no vulnerabilities on the victim system, the volume of traffic from thousands of machines is enough to temporarily wipe a website off the map. DDoS remains a popular extortion mechanism: “pay $$$ or else your website goes dark.” Bonus points when the website being targeted is already on shaky legal ground (think online gambling or betting services) and unlikely to seek help from law enforcement.

In this bizarre story from the Pacific Northwest, an attacker with a grudge against the owner (the story cites the recent eviction of her two sisters living there) used Craigslist as the command-and-control channel for manipulating people (the “bot” equivalents) into doing his/her bidding. But the parallel ends there, because in principle every person who participated in the looting had free will and made a voluntary decision, even if influenced by willfully misleading information. A bot-herder is fully aware of the consequences of issuing an attack order to his/her collection of machines: the PCs have no choice but to carry out the attack once the trigger is pulled. But the anonymous Craigslist poster can argue that it was a prank, and that every person made a conscious, independent decision to break and enter or remove property from the premises.

Craigslist provided the IP address and email for the person who posted the ad, but the question of which charges to file remains. Quote:

Detective Gretchen Ellis, a spokeswoman for Tacoma police, said that, because the case is so unusual, she isn’t sure how it will be investigated or prosecuted.

It is going to be an interesting court case, assuming the suspect is ever apprehended.

cemp
