Fairground game
Fairground game

Hackers in Turkey have come up with a bizarre loyalty scheme that gives other hackers points if they help out in DDoS attacks. These points can then be turned into prizes.

Turkey was identified as the most DDoSed country in the world in 2015, according to a report by NexusGuard.

The scheme was discovered by researchers at Forcepoint. The platform, known as "Sath-ı Müdafaa," which translates to "Surface Defence” in Turkish, allows participants to earn points if they carry out DDoS attacks against certain websites. Roughly, participants get one point for every 10 minutes of DDoS attacks carried out. These points can be traded in for “prizes”, such as  software to enable them to perform “click fraud”.

Many of these websites are political in nature, as set out in a list of pre-defined targets. Many website are linked to the Kurdistan Workers Party (PKK), its military wing, the People's Defence Force (HPG) as well as Kurdish radio and TV stations. The list also includes the German Christian Democratic Party, The People's Democratic Party of Turkey and the Armenian Genocide Archive. Hackers are also encouraged to submit proposals for attacking websites not currently on the list.

Participants must download a tool called Balyoz, which translates to "Sledgehammer". Forcepoint noted that this tool has a backdoor which only activates if the participant stops contributing to hacking efforts.

“The backdoor is a very small Trojan and its sole purpose is to download, extract and execute another .NET assembly from within a bitmap image. It also downloads a secondary ‘guard' component which it installs as a service. This ‘guard' component ensures that if the backdoor is deleted then it will be re-downloaded and also installed as a service,” the security firm said in a report.

Carl Leonard, principal security analyst at Forcepoint, said, “This is the first time hackers have ‘gamified' a hacking platform to the extent that participants compete against one another and can compare scores and redeem points for rewards on a single service. We believe that those behind Sledgehammer are in the participant acquisition phase and are trying to reach a critical mass.”

Travis Smith, senior security research engineer at Tripwire told SC Media UK that gamification is a tactic which can boost engagement by luring participants into an otherwise uninteresting activity.  

“With the rise of cyber-crime offered as a service, it's not surprising to see gamification be included to entice folks to launch their attacks.  While a criminal can generate revenue from being hired to launch an attack, there are costs associated with actually launching the attack.  Using gamification to lure individuals to launch attacks can reduce the cost of the attack and increase potential profits,” he said.

Tony Rowan, chief security consultant at SentinelOne, told SC that the aggregation of attacks by recruiting willing agents is nothing especially new.  

“We've seen the approach used before for positive research, too – consider the SETI programme and the cancer gene research project plus many others,” he said.

“Creating and farming a botnet using system infections can be a time-consuming approach so the idea of recruiting willing agents would seem attractive.  Add to that, the fact that the downloaded agent has the facility to backdoor the system and you have a low friction, low maintenance DDoS campaign that can then lead to other uses. By offering the points incentive, they are much more likely to get the widespread adoption amongst their target demographic.”