Dec 29 2017

Krebs on Security 2017-12-29 17:17:36

A 28-year-old Kansas man was shot and killed by police officers on the evening of Dec. 28 after someone fraudulently reported a hostage situation ongoing at his home. The false report was the latest in a dangerous hoax known as “swatting,” wherein the perpetrator falsely reports a dangerous situation at an address with the goal of prompting authorities to respond to that address with deadly force. This particular swatting reportedly originated over a $1.50 wagered match in the online game Call of Duty. Compounding the tragedy is that the man killed was an innocent party who had no part in the dispute.

The following is an analysis of what is known so far about the incident, as well as a brief interview with the alleged and self-professed perpetrator of this crime.

It appears that the dispute and subsequent taunting originated on Twitter. One of the parties to that dispute — allegedly using the Twitter handle “SWauTistic” — threatened to swat another user who goes by the nickname “7aLeNT“. @7aLeNT dared someone to swat him, but then tweeted an address that was not his own.

Swautistic responded by falsely reporting to the Kansas police a domestic dispute at the address 7aLenT posted, telling the authorities that one person had already been murdered there and that several family members were being held hostage.

Image courtesey @mattcarries

A story in the Wichita Eagle says officers responded to the 1000 block of McCormick and got into position, preparing for a hostage situation.

“A male came to the front door,” Livingston said. “As he came to the front door, one of our officers discharged his weapon.”

“Livingston didn’t say if the man, who was 28, had a weapon when he came to the door, or what caused the officer to shoot the man. Police don’t think the man fired at officers, but the incident is still under investigation, he said. The man, who has not been identified by police, died at a local hospital.

“A family member identified that man who was shot by police as Andrew Finch. One of Finch’s cousins said Finch didn’t play video games.”

Not long after that, Swautistic was back on Twitter saying he could see on television that the police had fallen for his swatting attack. When it became apparent that a man had been killed as a result of the swatting, Swautistic tweeted that he didn’t get anyone killed because he didn’t pull the trigger (see image above).

Swautistic soon changed his Twitter handle to @GoredTutor36, but KrebsOnSecurity managed to obtain several weeks’ worth of tweets from Swautistic before his account was renamed. Those tweets indicate that Swautistic is a serial swatter — meaning he has claimed responsibility for a number of other recent false reports to the police.

Among the recent hoaxes he’s taken credit for include a false report of a bomb threat at the U.S. Federal Communications Commission (FCC) that disrupted a high-profile public meeting on the net neutrality debate. Swautistic also has claimed responsibility for a hoax bomb threat that forced the evacuation of the Dallas Convention Center, and another bomb threat at a high school in Panama City, Fla, among others.

After tweeting about the incident extensively this afternoon, KrebsOnSecurity was contacted by someone in control of the @GoredTutor36 Twitter account. GoredTutor36 said he’s been the victim of swatting attempts himself, and that this was the reason he decided to start swatting others.

He said the thrill of it “comes from having to hide from police via net connections.” Asked about the FCC incident, @GoredTutor36 acknowledged it was his bomb threat. “Yep. Raped em,” he wrote.

“Bomb threats are more fun and cooler than swats in my opinion and I should have just stuck to that,” he wrote. “But I began making $ doing some swat requests.”

Asked whether he feels remorse about the Kansas man’s death, he responded “of course I do.”

But evidently not enough to make him turn himself in.

“I won’t disclose my identity until it happens on its own,” the user said in a long series of direct messages on Twitter. “People will eventually (most likely those who know me) tell me to turn myself in or something. I can’t do that; though I know its [sic] morally right. I’m too scared admittedly.”

Update, 7:15 p.m.: A recording of the call to 911 operators that prompted this tragedy can be heard at this link. The playback of the recorded emergency calls starts around 10 minutes into the video.

Update, Dec. 30, 8:06 a.m. ET: Police in Los Angeles reportedly have arrested 25-year-old Tyler Raj Barriss in connection with the swatting attack.


As a victim of my own swatting attack back in 2013, I’ve been horrified to watch these crimes only increase in frequency ever since — usually with little or no repercussions for the person or persons involved in setting the schemes in motion. Given that the apparent perpetrator of this crime seems eager for media attention, it seems likely he will be apprehended soon. My guess is that he is a minor and will be treated with kid gloves as a result, although I hope I’m wrong on both counts.

Let me be crystal clear on a couple of points. First off, there is no question that police officers and first responders across the country need a great deal more training to bring the number of police shootings way down. That is undoubtedly a giant contributor to the swatting epidemic.

Also, all police officers and dispatchers need to be trained on what swatting is, how to spot the signs of a hoax, and how to minimize the risk of anyone getting harmed when responding to reports about hostage situations or bomb threats. Finally, officers of the peace who are sworn to protect and serve should use deadly force only in situations where there is a clear and immediate threat. Those who jump the gun need to be held accountable as well.

But that kind of reform isn’t going to happen overnight. Meanwhile, knowingly and falsely making a police report that results in a SWAT unit or else heavily armed police response at an address is an invitation for someone to get badly hurt or killed. These are high-pressure situations and in most cases — as in this incident — the person opening the door has no idea what’s going on. Heaven protect everyone at the scene if the object of the swatting attack is someone who is already heavily armed and confused enough about the situation to shoot anything that comes near his door.

In some states, filing a false police report is just a misdemeanor and is mainly punishable by fines. However, in other jurisdictions filing a false police report is a felony, and I’m afraid it’s long past time for these false reports about dangerous situations to become a felony offense in every state. Here’s why.

If making a fraudulent report about a hostage situation or bomb threat is a felony, then if anyone dies as a result of that phony report they can legally then be charged with felony murder. Under the doctrine of felony murder, when an offender causes the death of another (regardless of intent) in the commission of a dangerous crime, he or she is guilty of murder.

Too often, however, the perpetrators of these crimes are minors, and even when they’re caught they are frequently given a slap on the wrist. Swatting needs to stop, and unfortunately as long as there are few consequences for swatting someone, it will continue to be a potentially deadly means for gaining e-fame and for settling childish and pointless ego squabbles.

Dec 29 2017

Sublist3r – Fast Python Subdomain Enumeration Tool

Sublist3r – Fast Python Subdomain Enumeration Tool

Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.

It also integrates with subbrute for subdomain brute-forcing with word lists.

Features of Sublist3r Subdomain Enumeration Tool

It enumerates subdomains using many search engines such as:

  • Google
  • Yahoo
  • Bing
  • Baidu
  • Ask

The tool also enumerates subdomains using:

  • Netcraft
  • Virustotal
  • ThreatCrowd
  • DNSdumpster
  • ReverseDNS

Requirements of Sublist3r Subdomain Search

It currently supports Python 2 and Python 3.

Read the rest of Sublist3r – Fast Python Subdomain Enumeration Tool now! Only available at Darknet.

Dec 29 2017

Krebs on Security 2017-12-29 11:29:37

Eight years ago today I set aside my Washington Post press badge and became an independent here at What a wild ride it has been. Thank you all, Dear Readers, for sticking with me and for helping to build a terrific community.

This past year KrebsOnSecurity published nearly 160 stories, generating more than 11,000 reader comments. The pace of publications here slowed down in 2017, but then again I have been trying to focus on quality over quantity, and many of these stories took weeks or months to report and write.

As always, a big Thank You to readers who sent in tips and personal experiences that helped spark stories here. For anyone who wishes to get in touch, I can always be reached via this site’s contact form, or via email at krebsonsecurity @ gmail dot com.

Here are some other ways to reach out:

Twitter (open DMs)


via Wickr at “krebswickr”

Protonmail: krebsonsecurity at protonmail dot com


Below are the Top 10 most-read stories of 2017, as decided by views and sorted in reverse chronological order:

The Market for Stolen Account Credentials

Phishers are Upping Their Game: So Should You

Equifax Breach Fallout: Your Salary History

USPS’ Informed Delivery is a Stalker’s Dream

The Equifax Breach: What You Should Know

Got Robocalled? Don’t Get Mad, Get Busy

Why So Many Top Hackers Hail from Russia

Post-FCC Privacy Rules: Should You VPN?

If Your iPhone is Stolen, These Guys May Try to iPhish You

Who is Anna-Senpai, the Mirai Worm Author?

Dec 28 2017

Krebs on Security 2017-12-28 11:36:55

Dec. 18 marked the fourth anniversary of this site breaking the news about a breach at Target involving some 40 million customer credit and debit cards. It has been fascinating in the years since that epic intrusion to see how organized cyber thieves have shifted from targeting big box retailers to hacking a broad swath of small to mid-sized merchants.

In many ways, not much has changed: The biggest underground shops that sell stolen cards still index most of their cards by ZIP code. Only, the ZIP code corresponds not to the legitimate cardholder’s billing address but to the address of the hacked store at which the card in question was physically swiped (the reason for this is that buyers of these cards tend to prefer cards used by people who live in their geographic area, as the subsequent fraudulent use of those cards tends to set off fewer alarm bells at the issuing bank).

Last week I was researching a story published here this week on how a steep increase in transaction fees associated with Bitcoin is causing many carding shops to recommend alternate virtual currencies like Litecoin. And I noticed that popular carding store Joker’s Stash had just posted a new batch of cards dubbed “Dynamittte,” which boasted some 7 million cards advertised as “100 percent” valid — meaning the cards were so fresh that even the major credit card issuers probably didn’t yet know which retail or restaurant breach caused this particular breach.

An advertisement for a large new batch of stolen credit card accounts for sale at the Joker’s Stash Dark Web market.

Translation: These stolen cards were far more likely to still be active and useable after fraudsters encode the account numbers onto fake plastic and use the counterfeits to go shopping in big box stores.

I pinged a couple of sources who track when huge new batches of stolen cards hit the market, and both said the test cards they’d purchased from the Joker’s Stash Dynamittte batch mapped back to customers who all had one thing in common: They’d all recently eaten at a Jason’s Deli location.

Jason’s Deli is a fast casual restaurant chain based in Beaumont, Texas, with approximately 266 locations in 28 states. Seeking additional evidence as to the source of the breach, I turned to the Jason’s Deli Web site and scraped the ZIP codes for their various stores across the country. Then I began comparing those ZIPs with the ZIPs tied to this new Dynamittte batch of cards at Joker’s Stash.

Checking my work were the folks at, a threat intelligence startup in California that monitors Dark Web marketplaces and tries to extract useful information from them. Mindwise found a nearly 100 percent overlap between the ZIP codes on the “Blasttt-US” unit of the Dynamittte cards for sale and the ZIP codes for Jason’s Deli locations.

Reached for comment, Jason’s Deli released the following statement:

“On Friday, Dec. 22, 2017, our company was notified by payment processors – the organizations that manage the electronic connections between Jason’s Deli locations and payment card issuers – that MasterCard security personnel had informed it that a large quantity of payment card information had appeared for sale on the ‘dark web,’ and that an analysis of the data indicated that at least a portion of the data may have come from various Jason’s Deli locations.”

“Jason’s Deli’s management immediately activated our response plan, including engagement of a leading threat response team, involvement of other forensic experts, and cooperation with law enforcement. Among the questions that investigators are working to determine is whether in fact a breach took place, and if so, to determine its scope, the method employed, and whether there is any continuing breach or vulnerability.”

“The investigation is in its early stages and, as is typical in such situations, we expect it will take some time to determine exactly what happened. Jason’s Deli will provide as much information as possible as the inquiry progresses, bearing in mind that security and law enforcement considerations may limit the amount of detail we can provide.”

It’s important to note that the apparent breach at Jason’s Deli almost certainly does not correspond to 7 million cards; typically, carding shop owners will mix cards stolen from multiple breaches into one much larger batch (Dynamittte), and often further subdivide the cards by region (US vs. European cards).

As run-of-the-mill as these card breaches have become, it’s still remarkable even in smaller batches of cards like those apparently stolen from Jason’s Deli customers just how many financial institutions are impacted with each breach.

Banks impacted by the apparent breach at Jason’s Deli, sorted by Bank ID Number (BIN) — i.e. the issuer identified by the first six digits in the card number.

Mindwise said it was comfortable concluding that at least 170,000 of the cards put up for sale this past week on Joker’s Stash map back to Jason’s Deli locations. That may seem like a drop in the bucket compared to the 40 million cards that thieves hauled away from Target four years ago, but the cards stolen from Jason’s Deli customers were issued by more than 250 banks and credit unions, most of which will adopt differing strategies on how to manage fraud on those cards.

In other words, by moving down the food chain to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target) — and by mixing cards stolen from multiple breaches — the fraudsters have made it less likely that breaches at chain stores will be detected and remediated quickly, thereby prolonging the value and use of the stolen cards put up for sale in underground marketplaces.

All that said, it’s really not worth it to spend time worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.

Just remember that although consumers are not liable for fraudulent charges, it may still fall to you the consumer to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges.

Related reading (i.e., other breach stories confirmed with ZIP code analysis):

Breach at Sonic Drive-in May Have Impacted Millions of Credit, Debit Cards

Zip Codes Show Extent of Sally Beauty Breach

Data: Nearly All U.S. Home Depot Stores Hit

Cards Stolen in Target Breach Flood Underground Markets