"Funded hacktivism" or cyber-terrorists, AmEx attackers have big bankroll
"Cyber-fighters of Izz ad-Din al-Qassam" launch wave of attacks on US banks.
by Sean Gallagher - Mar 30 2013, 5:45am PDT
The "cyber-fighters of Izz ad-Din al-Qassam" took American Express down for
two hours yesterday afternoon.
On March 28, American Express' website went offline for at least two hours
during a distributed denial of service attack. A group calling itself "the
cyber-fighters of Izz ad-Din al-Qassam" claimed responsibility for the
attack, which began at about 3:00pm Eastern Time.
In a statement, an American Express spokesperson said, "Our site experienced
a distributed-denial-of-service (DDoS) attack for about two hours on
Thursday afternoon... We experienced intermittent slowing on our website that
would have disrupted customers' ability to access their account information.
We had a plan in place to defend against a potential attack and have taken
steps to minimize ongoing customer impact."
The American Express DDoS is part of a new wave of attacks that the Izz
ad-Din al-Qassam group started two weeks ago, the latest phase of a larger
campaign against US financial institutions that began last September. The
group's alleged goal is to force the take-down of an offensive YouTube video,
or to extract an ongoing price from American banks for as long as the video
stays up, which could be indefinitely.
These attacks are also part of a larger trend of disruptive and destructive
attacks on financial institutions by apparently politically-motivated
groups, the most damaging of which was the attack on South Korean banks and
other companies last week. It's a trend that has surprised some security
analysts, considering that the financial industry has focused more on
advanced persistent threat (APT) attacks and cyber-espionage in recent
years.
Band of the Hand
Named after a Muslim cleric who led The Black Hand, an anti-British and
anti-Zionist jihadist organization in the 1920s and 1930s, and sharing a
name with the military wing of Hamas (which the group's statements claim it
is tied to), Izz ad-Din al-Qassam has taken credit for a variety of attacks
on US financial institutions over the past year, all allegedly in protest
against the posting of trailers for the film The Innocence of Muslims on
YouTube. Until the film is removed, the group said it would target
"properties of American-Zionist Capitalists.This attack will continue till
the Erasing of that nasty movie." [sic]
Unlike DDoS attacks waged by Anonymous in the past, the Izz ad-Din al-Qassam
group has used scripts running on compromised Web servers to launch their
attacks rather than "volunteer" desktop PCs or botnets of compromised
Windows machines. That allows attacks to leverage larger amounts of
available bandwidth.
So far, there have been three distinct phases of the group's attacks. Dan
Holden, director of Arbor Networks' Security Engineering & Response Team,
told Ars in a phone interview that the previous two waves lasted between
three and four weeks, with the group then taking a break, likely to do the
work required to maintain its botnet of compromised servers and to add to it
as existing bots are discovered and disabled.
And during the course of each attack phase, the group has been refining its
attacks, as Ars' Dan Goodin reported earlier this year. In January, security
firm Incapsula found a new variant of the group's attack tools, which
spawned additional copies of itself on compromised servers to multiply the
size of attacks.
There have been further refinements made to this approach in this latest
wave, Holden said. "The biggest change is the maintenance and the growth in
the botnet," he explained. "There has been a big investment on their part to
keep the campaign growing. And they've added some twists and techniques to
their tools as time goes on, focusing their attacks more on the particular
applications of the banks they're targeting. Now there are particular tools
being used for a specific set of banks."
That refinement is the result of months of analyzing the websites of each of
the banks that Izz ad-Din al-Qassam has targeted. Holden said that during
its past large-scale attacks the group also crawled the websites of its
targets and used the intelligence collected during the attacks to learn more
about their weaknesses.
Covering fire
While the Izz ad-Din al-Qassam group's attacks are apparently purely to
disrupt banks' ability to do business, there is some concern that such
denial-of-service attacks could be used as a cover for fraud activity by
criminals operating botnets or using targeted attacks on banks to gain
access to internal systems.
"Financial institutions are putting a lot of resources into countering DoS
attacks," said George Tubin, senior security strategist at Trusteer, a firm
that specializes in countering online financial fraud. "But what we have
seen in the past is the use of DoS attacks to conceal a fraud attack. They
create the perfect cover." While the banks' security resources are focused
on trying to counter the DoS attack, he said, criminals could use other
vectors to gain access to accounts and perform transactions in the
background before they can be detected.
That's not to say that there's necessarily any collusion between the DoS
attackers and any potential fraudsters, Tubin emphasized, although it was
possible. "They could be coordinated, but they are also frequent enough and
common enough that criminals could do their own targeted attack once they
see a DoS on an institution."
And those targeted attacks are becoming increasingly costly to banks. An FBI
fraud alert last September revealed that attackers had compromised several
financial institutions by infecting the computers of employees with
malware, including keyloggers and remote control software, that allowed them
to capture employees' passwords, access customers' accounts and make wire
transfers ranging from $400,000 to $900,000.
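To make the "DoS as cover" scenario concrete from the defender's side, here is an added example (not from the article, nor from Trusteer or Arbor Networks) that correlates a declared DDoS incident window with wire-transfer records and flags the activity a fraud team would want to review first. The incident window, accounts and amounts are constructed, and both thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Transfer:
    ts: datetime
    account: str
    amount_usd: float
    channel: str  # "wire", "ach", "card", ...


# Constructed sample: one two-hour DDoS window (like the AmEx outage) and a
# handful of transactions around it. All values are invented for illustration.
DDOS_WINDOWS = [(datetime(2013, 3, 28, 15, 0), datetime(2013, 3, 28, 17, 0))]

TRANSFERS = [
    Transfer(datetime(2013, 3, 28, 14, 10), "acct-1001", 1_200.00, "wire"),
    Transfer(datetime(2013, 3, 28, 15, 22), "acct-2042", 450_000.00, "wire"),
    Transfer(datetime(2013, 3, 28, 15, 48), "acct-2042", 380_000.00, "wire"),
    Transfer(datetime(2013, 3, 28, 16, 5), "acct-3310", 95.20, "card"),
    Transfer(datetime(2013, 3, 28, 18, 30), "acct-5100", 600_000.00, "wire"),
]


def in_window(ts, windows):
    """True if the timestamp falls inside any declared DDoS window."""
    return any(start <= ts <= end for start, end in windows)


def flag_cover_fraud(transfers, windows,
                     single_threshold=100_000.0,   # assumed per-transfer limit
                     account_threshold=250_000.0): # assumed in-window total
    """Return (large_wires, hot_accounts) for review.

    large_wires: individual wire transfers at or above single_threshold that
                 were initiated while the site was under DDoS.
    hot_accounts: accounts whose cumulative in-window wire volume reaches
                  account_threshold, catching several smaller transfers that
                  each stay under the single-transfer limit.
    """
    in_win = [t for t in transfers if t.channel == "wire" and in_window(t.ts, windows)]
    large_wires = [t for t in in_win if t.amount_usd >= single_threshold]
    totals = defaultdict(float)
    for t in in_win:
        totals[t.account] += t.amount_usd
    hot_accounts = sorted(a for a, v in totals.items() if v >= account_threshold)
    return large_wires, hot_accounts
```

Only transfers inside the declared window are scored; the $600,000 wire at 18:30 is outside it and is left for ordinary fraud controls, which is the point of tying the review queue to the DDoS timeline.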
A well-funded attack
Still, Holden said that it's unlikely that criminals are "coat-tailing" on
the Izz ad-Din al-Qassam group's attacks just yet. "It would have to be one
of the incidences where the attackers can tell the site is down, [but then
they] wouldn't be able to get in anyhow. So it's not as likely."
But even if the group behind the attacks isn't profiting from them, Holden
said it's clear that very real investments are being made in their
activities, maybe not in servers or hard assets, but in the form of countless
hours spent maintaining the botnet by finding new servers to exploit, and in
further development of the attacks.
"Regardless of who's behind this," Holden said, "it has to be funded at some
level. Even if it's hacktivists, it's got to be funded hacktivism." That, he
says, is because of both the amount of time dedicated to the attack, and to
its ongoing refinement. "It's not that these are the most sophisticated
things in the world," he explained, "but it has been getting more
sophisticated, and it's growing."
The goal of the investment in the botnet hasn't been to create the sort of
massive DDoS launched on Spamhaus this week. Rather, Holden said, the goal
seems to have "mainly been around being able to attack multiple targets.
They're not interested in the biggest DDoS they can make; they're more
interested in creating constant pressure to prove whatever they're trying to
prove. They're in it for the long haul."