Why is it difficult to catch "Anonymous" or "Lulzsec" (groups)?
My answer pokes at the original question. What makes you think that they don't get caught?
The CIA and DoD found Osama bin Laden.
Typical means include OSINT, TECHINT, and HUMINT. Forensics can be done on Tor. Secure deletion tools such as sdelete, BCWipe, and DBAN are not perfect. Encryption tools such as GPG and Truecrypt are not perfect.
Online communications were perhaps Osama bin Laden's biggest strength (he had couriers that traveled to faraway cyber-cafes using email on USB flash drives) and Anonymous/LulzSec's biggest weakness. They use unencrypted IRC usually. You'd think they'd at least be using OTR through Tor with an SSL proxy to the IM communications server(s) instead of cleartext traffic through an exit node.
Their common use of utilities such as Havij and sqlmap could certainly backfire. Perhaps there is a client-side vulnerability in the Python VM. Perhaps there is a client-side buffer overflow in Havij. Perhaps there are backdoors in either.
Because of the political nature of these groups, there will be internal issues. I saw some news lately that 1 in 4 hackers are informants for the FBI.
It's not "difficult" to "catch" anyone. Another person on these forums suggested that I watch a video from a Defcon presentation where the presenter tracks down a Nigerian scammer using the advanced transform capabilities in Maltego. The OSINT capabilities of Maltego and the i2 Group Analyst's Notebook are fairly limitless. A little hint; a little OPSEC mistake -- and a reversal occurs: the hunter is now being hunted.
From some experience with law enforcement and forensics, I can say one of the biggest issues is that ISPs really don't want to have to track users. Once they get beyond a certain level of management they lose 'common carrier' status and become liable for an awful lot of what their customers may do.
Also, many countries do not want to pass on information to another country - especially countries which may be opposed to western culture or western interference.
And it is extremely easy to hide almost anything on the internet.
Regarding your three points:
- Server should have IP addresses - No - this is simple to spoof or erase
- Private server - Not likely, although possible - but it wouldn't be their credit card used
- ISP's trace - Not going to happen - it doesn't affect ISPs negatively, and is way too difficult

Update: It might happen after all - http://blogs.forbes.com/andygreenberg/2011/03/18/ex-anonymous-hackers-plan-to-out-groups-members/
One of the most important aspects of an attack like this is covering your tracks. There are lots of different ways to do this, as it depends on the technology. To address your specific questions:
When they DDoS: If the flood was coming from their own machines, then it would be fairly easy to track them. The problem lies in the fact that they aren't using their own machines. They are either a) taking control of someone else's without permission, or b) getting someone to do it on their behalf. The latter is what happened with the Wikileaks attacks. People signed up to do it.
Things start getting hinky when servers are in countries that don't generally respond to requests for logs. If the company that is being attacked is in the US, it's fairly easy to get a court order if the attack can be proven to originate in the States. What happens if it's a US target, but the attack is originating in Russia or China? The same thing goes for purchase records.
As for being scared... there are quite a few of these sorts of groups out there. Most of them are (I don't want to say harmless, but...) harmless. In this particular case, someone poked the bear and the bear got pissed.
EDIT: Not that I condone their actions, blah blah blah.