There's probably nothing quite like opening your front door in a T-shirt and gym shorts, only to find a heavily armed SWAT team facing you down.
That's exactly what happened to well-known security blogger Brian Krebs, who was "swatted" yesterday (March 14). He fell victim to a very dangerous prank call that sent police rushing to his home preparing for an armed standoff.
"As soon as I open the front door, I hear this guy yelling at me, behind a squad car, pointing a pistol at me saying: 'Don't move. Put your hands up,'" Krebs told Ars Technica's Dan Goodin. "The first thing I said was, 'You've got to be kidding me.'"
Emergency dispatch operators had received a 911 call that seemed to come from Krebs' phone. The caller said he was Krebs, that Russian jewel thieves had broken into his northern Virginia home and shot his wife, and that he was hiding in a closet.
Police first called to confirm the emergency, but Krebs, busy cooking for a dinner party, didn't pick up. So a dozen officers from the Fairfax County Police Department rushed to Krebs' house.
Krebs told Goodin that police had sealed off the street and had dogs circling the house. Krebs allowed himself to be taken into custody and let police search the premises.
"I think they figured out pretty quickly they'd been had," Krebs tweeted yesterday after the incident. "But [it's] never fun to have assault rifles pointed at you."
Ironically, Krebs had expected to be swatted eventually. Eastern European cybercriminals about whom he's written have often launched distributed denial-of-service (DDoS) attacks on his website, and more recently have made personal threats against him.
Six months ago, after receiving a new round of threats, he filed a report with the Fairfax County police and told the reporting officer to be wary of any emergency calls pretending to come from his house.
"The guy didn't even know what swatting was," Krebs told Goodin. "I was kind of surprised."
Krebs, 40, started writing about computer security at The Washington Post in 2005, and struck out on his own in 2009. His Krebs on Security blog is a daily must-read in the information-security industry, and gets enough traffic that he's able to make a living from it.
He has also made a lot of enemies in the Russian-language cybercrime underworld, thanks to his solo investigations into underground malware bazaars and his participation in the dismantling of several botnets, or secret networks of infected personal computers.
Krebs believes his swatting incident stemmed from a blog posting Wednesday (March 13) related to the "doxing," or posting of sensitive personal information about notable Americans, on a Russian website.
His posting detailed how easy it is to obtain Social Security numbers and other personal information about American citizens in the Russian online underworld.
The next day, Krebs first got a call from his Web hosting provider, which said it had received a fake FBI letter telling the provider to take down Krebs' site. Then his site was hit by a DDoS attack and was briefly offline. Finally, the SWAT team arrived.
Today (March 15), Krebs tweeted that his home Internet service provider had received a fake call asking to shut off his broadband service.
"Standard Kiddie Procedure, Step 5: Try to shut off Internet service of target," Krebs wrote. "Outcome: #FAIL."
All fun and games until someone gets hurt
Swatting began in the United States about 10 years ago, thanks to the availability of "spoofing" hardware and software that lets people pretend they're calling from a different number.
Matthew Weigman, a blind Boston-area man, is believed to have participated in about 60 swatting pranks as a teenager from 2003 to 2008, and is currently serving prison time in Massachusetts for threatening a Verizon employee who was investigating the incidents.
In the past six months, pranksters have sent police to the homes of nearly a dozen celebrities in Southern California, including Justin Bieber, Chris Brown, Simon Cowell, Tom Cruise, Miley Cyrus, Clint Eastwood, Kim Kardashian, Ashton Kutcher and Charlie Sheen.
(Earlier this week, a 12-year-old boy admitted to swatting Bieber and Kutcher.)
Three weeks ago, parts of the campus of the Massachusetts Institute of Technology were locked down following a swatting call thought to be related to the January suicide of Internet activist Aaron Swartz, who was being prosecuted for abusing MIT's computer network.
Krebs is neither the first blogger to be swatted, nor the first high-profile Internet figure to be targeted in this way.
In July 2011, cybercrime lawyer and anti-cyberbullying crusader Parry Aftab had the Bergen County SWAT team show up at her Wyckoff, N.J., home after a 911 call reported a mass shooting and hostage situation.
Last year, some conservative bloggers were also swatted, including RedState.com's Erick Erickson.
Teenage pranksters may not realize the gravity of sending police paramilitary teams barging into someone's home.
"There's a tendency for people to think this is a fun game," Krebs told Goodin. "[But] if somebody kicks in your door, I could imagine situations where people who are armed and in their home fire back at an intruder who claims to be the police."