A Turkish hacking crew is running a DDoS-for-Points platform where participants can earn points if they carry out DDoS attacks against a list of predetermined targets, points they can exchange later on for various online click-fraud tools.
The name of this DDoS-for-Points platform is "Sath-ı Müdafaa," which translates to "Surface Defense."
The platform is advertised through local Turkish hacking forums such as Turkhackteam and Root Developer.
Its creators say that each hacking crew or hacker who participates in the Surface Defense program will receive one point for every ten minutes of DDoS attacks.
Surface Defense members are only allowed to attack a list of predefined targets. This list includes many websites that appear to have been added to the lineup for political reasons.
The list includes Kurdish targets such as the Kurdistan Workers Party (PKK), an organization considered a terrorist group by NATO members, its military wing the People’s Defense Force (HPG), the websites of Kurdish hacking crews, Kurdish radio and TV stations, and more.
Other politically-motivated targets include the German Christian Democratic Party (CDU, Angela Merkel's party), the Armenian Genocide website, and several Israeli sites.
Hackers who sign up for the Surface Defense program must use a special tool to carry out the DDoS attacks. This tool is named Balyoz, which translates to "Sledgehammer."
The version of Balyoz participants receive is locked-in and only allows them to attack the list of predefined targets.
This DDoS tool includes features that prevent users from cheating, for example by running Balyoz inside a virtual machine.
Balyoz is available in two versions, one with a GUI and one for users who prefer command-line tools. According to Forcepoint security researchers, who uncovered the Surface Defense program, Balyoz works via Tor, requires a username and password to log in, and uses a DoS (Denial of Service) technique to starve targets of computing resources.
If the Surface Defense operators detect that a user is trying to cheat and rack up more points, they can tell Balyoz to download and install a backdoor trojan, either in real time or the next time the user logs in.
As Turkish hacking crews carry out attacks, the Surface Defense platform aggregates the points and creates a ranking.
After gathering a certain number of points, participating hackers can exchange their totals for various click-fraud tools. They have four tools at their disposal, according to a YouTube video.
The big prize is an untethered version of the Balyoz DDoS tool that allows users to launch DDoS attacks against sites not included in the predefined list of targets.
The others are three click-fraud bots that can automatically click on ads for pay-to-click (PTC) services such as Ojooo, PTCFarm, and Neobux PTC.
Forcepoint researchers say that they've managed to track down the IP address where the Surface Defense platform operated, despite the platform running on the Dark Web via Tor.
This breakthrough has helped researchers gather some information on the hacker's identity, such as a name/nickname, which appears to be "Mehmet." Researchers said they also tracked the name Mehmet to two Balyoz tutorials uploaded on YouTube.
For a more in-depth analysis of the Surface Defense platform, you can download and read Forcepoint's 30-page "Sledgehammer - Gamification of DDoS attacks (for ideology, profit & mischief)" report.