
Digital Shadows: Unmasking the Puppeteers Behind Venezuela’s Corruption and DDoS Attacks

Google’s Project Shield is also safeguarding this individual who’s exposing the robbers of Venezuela https://t.co/GndJyeqSFT
— briankrebs (@briankrebs) 28 February 2017

This article was meant to be shared on infodio.com. Clearly, my satisfaction about overcoming the DDoS attack was premature… Please see updates at bottom.

It’s been a hectic week. While I was talking to a source in Caracas recently, I noticed that this site was offline. I reached out to my web host (kudos to the fantastic team at LeaseWeb), and was informed that – yet another – DDoS attack had been launched against us. This is the third time a DDoS attack has targeted my websites: once at vcrisis.com and twice at infodio.com.

This is what it looked like this morning…

I have to wonder, of course, about the motives. Why would anyone aim to stop the public from learning about the content I share? Is it due to our exposure of Venezuela’s widespread corruption? For those who aren’t familiar with the situation, Venezuela is a Spanish-speaking nation of about 30 million people. After 17 years of chavista rule, it stands as a failed nation in every sense. However, this site is not geared towards a Venezuelan reader; it aims to inform the broader world about who’s who in the Boliburgeoisie, a new, incredibly wealthy, and equally inept class of ‘businessmen’ that flourished under Hugo Chavez’s so-called socialist revolution. We discuss figures like the Alejandro Betancourts, the Juan Carlos Escotets, the Victor Vargas, and Luis Obertos. We explore the origins of their newfound wealth, track their operations worldwide, and expose those who enable and support them, like Adam Kaufmann, Glenn Simpson, Al Cardenas, or even Baltazar Garzon. We illuminate their dealings in Africa, Europe, Russia, Asia — in short, we shed light on their typically murky world.

It is, therefore, expected that such work would invoke the wrath of vile, resourceful thugs (dirty money is welcomed just about everywhere these days). Engaging with this crowd exposes us to very dangerous vendettas. They operate in a world without barriers, crossing borders effortlessly. They jet around the globe, one day enjoying cuisine from Heston Blumenthal, the next sharing drinks with Roman Abramovich in St. Barths, and the next mingling with ex-WSJ reporters, former Manhattan prosecutors, and leaders from the GOP, often rubbing shoulders with the elite in London. Their reach knows no limits. A raid in London can be easily orchestrated from Caracas without a thought of capture. That’s the type of individuals this site confronts.

The most recent attack appears to originate from Russia, specifically from an IP address controlled in Russia (191.96.249.70). A weakness in the WordPress blogging platform allows the pingback method to be exploited for DDoS attacks (details here). Essentially, someone leverages that weakness to ping a target website. After examining my server logs, I observed this pattern:

"GET / HTTP/1.1" 200 32295 "http://infodio.com/" "WordPress/4.7.2; https://www.customescaperoom.com; verifying pingback from 191.96.249.70"

"GET / HTTP/1.1" 200 32293 "http://infodio.com/" "WordPress/4.6.3; http://www.toptasting.com; verifying pingback from 191.96.249.70"

"GET / HTTP/1.0" 200 145833 "-" "WordPress/4.0.15; http://wisecleaner.online; verifying pingback from 191.96.249.70"

When those requests are made thousands of times per second, servers can collapse from the surging traffic, exactly what happened with mine. Thousands of such requests, along with POST and HEAD requests, were initiated from servers globally.

However, IP 191.96.249.70, like any other, is linked to a host provider, in this instance DMZHOST.CO. That domain, like all others, is registered by someone, in this case a Christian P, with an address in the Seychelles strikingly similar to that of Mossack Fonseca (Oliaji Trade Centre, Francis Rachel Street, Victoria Mahe, Seychelles).

Every domain must have a responsible person or organization. Initially, DMZHOST.CO listed Dmzhost Limited as its responsible party but seems to have transferred control to JUPITER 25 LIMITED. A search for Jupiter brings us to 35 Firs Avenue, N11 3NE, London, United Kingdom. It’s worth noting that in the previous link, there’s a [email protected] as a contact for Jupiter. Could this be the same individual as Christian P in the Seychelles?

Hundreds of companies are registered at 35 Firs Avenue. According to Companies House data, Darren Symes is Jupiter’s director, associated with over 200 companies. Other investigators of similar attacks have commented on DMZHOST in the recent past:

“Bulletproof hosting” providers like DMZHOST offer VPSs claiming to be beyond the reach of Western law enforcement. DMZHOST markets its services as offering “offshore” VPSs in a “Secured Netherland datacenter privacy bunker” and “does not store any information / Log about user activity.” Simultaneously, DMZHOST’s terms of service are notably brief: “DMZHOST does not permit anything (related) to the following content: – DDoS – Childporn – Bank Exploit – Terrorism – NO NTP – NO Email SPAM”.

Further review of IP 191.96.249.70 and Jupiter 25 Limited shows their DNS servers are managed by another London-based company: Host1Plus, which seems to be a trading name for Digital Energy Technologies Ltd.

Bitcoin payments to obscure the identities of the ultimate culprits are readily accepted by both DMZHOST and Host1Plus. I tweeted to Host1Plus’ Vincentas Grinius, but received a ludicrous response that avoided the DDoS question altogether.

I also emailed [email protected] and received a prompt reply requesting logs. Chris sends emails from around Pavia in Italy (93-36-187-144.ip61.fastwebnet.it). He claims the server used for the DDoS attack “has been shut down,” yet he refuses to disclose who utilized the server, who paid for the server services, or provide his or his client’s full identity. If he ever fully identifies himself and gives proper explanations regarding the utilization of his platform for this DDoS against my site*, I will include his remarks here, though I hold little hope: while I was urging him to reconsider, my inbox was inundated with spam (see below) after my third email to Chris. Therefore, the server “has been shut down,” indeed, but the attack has transformed…


Despite claims to the contrary, queries per second peaked moments after contacting [email protected], as per Project Shield’s data.

Not everything has been negative, though. After Brian Krebs endured the largest DDoS attack I’ve ever read about, I remember learning how Google came to his aid. I connected through Twitter with Nicholas Platt, Digital Media Producer of Jigsaw, a technology incubator by Alphabet (Google’s parent company), and received an invite to join Project Shield, the Google platform that thwarted Krebs’ attackers. I will always be thankful for this. My hosting provider, LeaseWeb, also deserves my heartfelt thanks: instead of dismissing me – after all, the attack caused significant disruption and took man hours to rectify – Tom, Reece, and Bagata maintained their Dutch composure and were incredibly supportive.

Cybercriminals are growing bolder every day, although I doubt they will ever match Google’s computational power. The silver lining is that due to the recent DDoS attack, no amount of stolen Venezuelan funds will ever bring this site down again. It’s still unclear which of the thugs we regularly expose is behind the latest attack, but we will continue to investigate, expose, and illuminate corruption and the Boliburgeoisie. Recent findings have put an end to the no-bid contracts awarded to Derwick, Charles Henry de Beaumont’s unseemly dealings with Oberto and other thugs in the Caribbean, and the direct connections between corrupt chavistas and their favored contractors, etc.

* Right after questioning [email protected] this afternoon, a DDoS attack against infodio.com was relaunched, bringing along a massive spam influx to my inbox. Chris asserts that neither he nor his company instigated the DDoS attack, adding that he “could assist in mitigating ALL attacks. We are skilled at mitigating attacks since we too receice a lot of attacks” (sic)

Further investigations show that Chris’ UK proxy, Darren Symes, has had a colorful past representing other scam artists linked to Claremont Partnerships and Noble Rock Partners.

UPDATE 25.02.2017 13:38GMT: My server logs are providing more insights into the nature of the attack. Project Shield’s visits began yesterday morning:

104.196.28.249 - - [24/Feb/2017:10:26:29 +0100] "GET / HTTP/1.1" 200 146265 "-" "Mozilla/5.0 (compatible; ProjectShield-UrlCheck; +http://g.co/projectshield)"

This persisted, relatively uninterrupted, until early afternoon, combined with spidering by Google bots, etc.:

35.184.90.184 - - [24/Feb/2017:14:24:36 +0100] "GET / HTTP/1.1" 200 146265 "-" "Mozilla/5.0 (compatible; ProjectShield-UrlCheck; +http://g.co/projectshield)"

Then the following occurred:

104.155.70.96 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 145833 "-" "WordPress/4.4.2; http://jazzjackrabbit.org; verifying pingback from 191.96.249.54"

104.199.6.69 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 32299 "http://infodio.com/" "WordPress/4.7.2; https://www.virtualsunburn.com; verifying pingback from 191.96.249.54"

104.199.61.249 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 32299 "http://infodio.com/" "WordPress/4.6; http://pironsecurity.com; verifying pingback from 191.96.249.54"

At 14:24, [email protected] emailed saying:

“Do not threat since for be clear we are not who launch you the attack. And we have take immediate action suspending the server so lawfully speaking we are total ok.” (sic)

About two minutes elapsed between his “lawfully speaking we are total ok” and the renewal of the DDoS attack and more spam. Nonetheless, the IP had shifted from the previous 191.96.249.70 to 191.96.249.54, both under control of his DMZHOST company.
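As an added illustration (not part of the original post or any tool the author used), the Python below applies the signature visible in both log excerpts above to combined-format access log lines: it keeps only requests whose user agent is a WordPress pingback verification, groups them by the source IP the reflecting sites claim to be verifying, and flags an IP when several unrelated sites are verifying it at once, which is how the shift from .70 to .54 would surface. The sample lines are constructed in the shape of the excerpts with documentation addresses and hypothetical reflector names, and straight quotes are assumed in place of the « » the site’s typography produced.

```python
import re
from collections import defaultdict

# Combined-log line (straight quotes assumed). A WordPress site that is being used as a
# reflector verifies the pingback by fetching the target with the fixed user agent
#   WordPress/<version>; <reflector site>; verifying pingback from <claimed source IP>
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
PINGBACK_RE = re.compile(
    r'^WordPress/[\w.]+; (?P<site>\S+); verifying pingback from (?P<origin>[\d.]+)$')

def parse_pingback_hits(lines):
    """One record per line whose UA is a pingback verification; Project Shield checks, bots and browsers are dropped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        p = PINGBACK_RE.match(m.group("ua")) if m else None
        if p:
            hits.append({"client": m.group("client"), "time": m.group("time"),
                         "site": p.group("site"), "origin": p.group("origin")})
    return hits

def summarize_by_origin(hits):
    """Group hits by the IP each reflector claims it is verifying a pingback for."""
    summary = defaultdict(lambda: {"requests": 0, "reflectors": set()})
    for h in hits:
        summary[h["origin"]]["requests"] += 1
        summary[h["origin"]]["reflectors"].add(h["site"])
    return dict(summary)

def flag_reflection(summary, min_requests=2, min_reflectors=2):
    """Many unrelated sites all 'verifying' one source IP against the same target is the reflection signature."""
    return sorted(ip for ip, s in summary.items()
                  if s["requests"] >= min_requests and len(s["reflectors"]) >= min_reflectors)

# Constructed sample lines in the shape of the post's excerpts (not the original logs).
SAMPLE_LOG = [
    '198.51.100.1 - - [24/Feb/2017:10:26:29 +0100] "GET / HTTP/1.1" 200 146265 "-" '
    '"Mozilla/5.0 (compatible; ProjectShield-UrlCheck; +http://g.co/projectshield)"',
    '198.51.100.2 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.1" 200 32299 "http://infodio.com/" '
    '"WordPress/4.7.2; https://reflector-a.example; verifying pingback from 203.0.113.70"',
    '198.51.100.3 - - [24/Feb/2017:14:26:09 +0100] "GET / HTTP/1.0" 200 145833 "-" '
    '"WordPress/4.0.15; http://reflector-b.example; verifying pingback from 203.0.113.70"',
    '198.51.100.4 - - [24/Feb/2017:14:26:10 +0100] "GET / HTTP/1.1" 200 32299 "http://infodio.com/" '
    '"WordPress/4.4.2; http://reflector-c.example; verifying pingback from 203.0.113.54"',
    '198.51.100.4 - - [24/Feb/2017:14:26:11 +0100] "GET / HTTP/1.1" 200 32299 "http://infodio.com/" '
    '"WordPress/4.4.2; http://reflector-c.example; verifying pingback from 203.0.113.54"',
]
```

Run over the real access log (parse_pingback_hits(open(path)) followed by summarize_by_origin), the summary lists every claimed source IP with its request and reflector counts, which is the evidence worth handing to the hosting provider rather than a handful of pasted lines.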

Email headers indicate that his email server (mail.ru) is set in a GMT +0300 time zone (Russia) and then routes through Italy’s Fastweb. His browser seems to be configured in Italian and he visited some of my sites from a Fastweb server concurrently:

I emailed [email protected], though I have low expectations for receiving a clear and suitable reply (Added: mail.ru did respond, asserting [email protected] is not a registered client despite evidence to the contrary in email headers). The spam on my inbox persists: my last email went unanswered; I assume Chris was not pleased with my confrontation regarding the details in this post (Added: eventually, a couple of emails made it into my inbox over the weekend, one from the typical @dmzhost.co address and another from [email protected], claiming “IF YOU ARE RECEIVING THIS MAIL ITS BECAUSE WE CANNOT REACH YOU FROM OUR MAIN MAIL. Please provide another mail which is not being spammed.. or skype account”).

DDoS attacks targeting the site are still hampering functionality and access, leading to five outages in the last seven days.

UPDATE 01.03.2017 07:46GMT: infodio.com has been operational for over 48 hours and is up to date.

Observing the latitude and longitude of the attacking IPs 191.96.249.70 and 191.96.249.54 in Google Maps, I discovered the location of Rosneft HQ. Further investigation reveals that Rosneft.ru shares the same latitude and longitude details as the IPs from which the DDoS attacks on my site were initiated. Given chavismo’s connections with Russian ‘state’ companies, isn’t that an astonishing coincidence?