Take a look at how investigators traced the attacks back to him

Aug 21, 2013 08:15 GMT  ·  By
Canadian accused of using ragebooter.net to attack the systems of his former employer

Security expert Brian Krebs has another interesting cybercrime story. The main character is 28-year-old Kevin Courtois, of Three Rivers (Trois-Rivières), Quebec, Canada.

Robert Courtois was arrested in February 2013 for launching distributed denial-of-service (DDOS) attacks against the systems of his former employer, Concepta Inc., and against Xittel, a Three Rivers ISP that provided service to Concepta.

What’s interesting about this story is how investigators traced the attacks back to Courtois.

Initially, the man, whose trial is still ongoing, allegedly launched DDOS attacks against Concepta, only indirectly affecting the ISP. Later, the attacks were aimed directly at Xittel.

Robert Masse, a security consultant from Montreal, was hired by Xittel to investigate the attacks. Masse revealed his findings at the recent Black Hat conference.

So how did Masse determine that Courtois was behind the DDOS attacks against Xittel and Concepta?

First of all, Courtois had left Concepta to start his own DDOS protection services company.

Secondly, the suspect liked the Facebook page of demolitionstresser.com, a defunct booter website that directed him to ragebooter.net, a DDOS service operated by 22-year-old Justin Poland, from Memphis, Tennessee, US.

Masse created an account on ragebooter.net and asked the service’s owner about who was launching DDOS attacks against Xittel. Poland confirmed that ragebooter.net was used to attack a certain IP block in Three Rivers and even gave up the username of the customer who was behind the attack: “concepta2.”

According to the ragebooter.net user database leaked earlier this year, “concepta2” created the account with the email address [email protected]. The same address was used by Courtois to register at least 36 websites.

At some point during his Skype conversation with Masse, Poland realized that he shouldn’t have given away his customer’s details, so he deleted the messages. However, Masse was able to recover the chat log from the local cache.

With this information in hand, Masse obtained a civilian search warrant to seize and search the suspect’s computers. However, it turned out that Courtois had already hacked into his former employer’s computer and knew that authorities were coming for him.

He had already wiped his hard drive. However, he made another huge mistake: he failed to wipe his backups.