Saturday, March 30, 2013

"Funded hacktivism" or cyber-terrorists, AmEx attackers have big bankroll

"Cyber-fighters of Izz ad-Din al-Qassam" launch wave of attacks on US banks.

http://arstechnica.com/security/2013/03/funded-hacktivism-or-cyber-terrorists-amex-attackers-have-big-bankroll/

by Sean Gallagher - Mar 30 2013, 5:45am PDT

The "cyber-fighters of Izz ad-Din al-Qassam" took American Express down for two hours yesterday afternoon.

On March 28, American Express' website went offline for at least two hours during a distributed denial of service attack. A group calling itself "the cyber-fighters of Izz ad-Din al-Qassam" claimed responsibility for the attack, which began at about 3:00pm Eastern Time.

In a statement, an American Express spokesperson said, "Our site experienced a distributed-denial-of-service (DDoS) attack for about two hours on Thursday afternoon...We experienced intermittent slowing on our website that would have disrupted customers' ability to access their account information. We had a plan in place to defend against a potential attack and have taken steps to minimize ongoing customer impact."

The American Express DDoS is part of a new wave of attacks that the Izz ad-Din al-Qassam group started two weeks ago, the latest phase of a larger campaign against US financial institutions that began last September. The group's alleged goal is to force the take-down of an offensive YouTube video, or to extract an ongoing price from American banks for as long as the video stays up, which could be indefinitely.

These attacks are also part of a larger trend of disruptive and destructive attacks on financial institutions by apparently politically-motivated groups, the most damaging of which was the attack on South Korean banks and other companies last week. It's a trend that has surprised some security analysts, considering that the financial industry has focused more on advanced persistent threat (APT) attacks and cyber-espionage in recent years.

Band of the Hand

Named after a Muslim cleric who led The Black Hand, an anti-British and anti-Zionist jihadist organization in the 1920s and 1930s, and sharing a name with the military wing of Hamas (which the group's statements claim it is tied to), Izz ad-Din al-Qassam has taken credit for a variety of attacks on US financial institutions over the past year, all allegedly in protest against the posting of trailers for the film The Innocence of Muslims on YouTube. Until the film is removed, the group said it would target "properties of American-Zionist Capitalists.This attack will continue till the Erasing of that nasty movie." [sic]

Unlike DDoS attacks waged by Anonymous in the past, the Izz ad-Din al-Qassam group has used scripts running on compromised Web servers to launch its attacks rather than "volunteer" desktop PCs or botnets of compromised Windows machines. That allows the attacks to leverage larger amounts of available bandwidth, since a hosted server typically sits on a far fatter uplink than a home PC.

So far, there have been three distinct phases of the group's attacks. Dan Holden, director of Arbor Networks' Security Engineering & Response Team, told Ars in a phone interview that the previous two waves lasted between three and four weeks, with the group then taking a break, likely to do the work required to maintain their botnet of compromised servers and add to it as their existing bots are discovered and disabled.

And during the course of each attack phase, the group has been refining its attacks, as Ars' Dan Goodin reported earlier this year. In January, security firm Incapsula found a new variant of the group's attack tools, which spawned additional copies of itself on compromised servers to multiply the size of attacks.

There have been further refinements made to this approach in this latest wave, Holden said. "The biggest change is the maintenance and the growth in the botnet," he explained. "There has been a big investment on their part to keep the campaign growing. And they've added some twists and techniques to their tools as time goes on, focusing their attacks more on the particular applications of the banks they're targeting. Now there are particular tools being used for a specific set of banks."

That refinement is the result of months of analyzing the websites of each of the banks that Izz ad-Din al-Qassam has targeted. Holden said that during its past large-scale attacks the group also crawled the websites of its targets and used the intelligence collected during the attacks to learn more about their weaknesses.

Covering fire

While the Izz ad-Din al-Qassam group's attacks are apparently purely to disrupt banks' ability to do business, there is some concern that such denial-of-service attacks could be used as a cover for fraud activity by criminals operating botnets or using targeted attacks on banks to gain access to internal systems.

"Financial institutions are putting a lot of resources into countering DoS attacks," said George Tubin, senior security strategist at Trusteer, a firm that specializes in countering online financial fraud. "But what we have seen in the past is the use of DoS attacks to conceal a fraud attack. They create the perfect cover." While the banks' security resources are focused on trying to counter the DoS attack, he said, criminals could use other vectors to gain access to accounts and perform transactions in the background before they can be detected.

That's not to say that there's necessarily any collusion between the DoS attackers and any potential fraudsters, Tubin emphasized, although it was possible. "They could be coordinated, but they are also frequent enough and common enough that criminals could do their own targeted attack once they see a DoS on an institution."

And those targeted attacks are becoming increasingly costly to banks. An FBI fraud alert last September revealed that attackers had compromised several financial institutions by infecting the computers of employees with malware, including keyloggers and remote control software that allowed them to capture employees' passwords, access customers' accounts and make wire transfers ranging from $400,000 to $900,000.
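Tubin's point that a DoS can serve as cover, together with the FBI alert's pattern of captured employee credentials driving large wire transfers, suggests a simple defensive check for incident responders: once the outage is over, re-examine the transfers that landed inside the attack window rather than assuming the monitoring team saw them. The Python script below is an added example, not code from the Ars article or from Arbor Networks or Trusteer; the log format, the incident window, the account and initiator names and the review threshold are all constructed for illustration.

```python
"""Flag high-value transfers that fall inside a DDoS incident window.

Added example (not from the Ars article). The premise, from Tubin's
remarks, is that a DoS can act as cover for fraud, so a defender should
re-examine transactions that happened while the front door was under
attack. Everything below the docstring is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed incident window: the article describes a roughly two-hour
# outage starting at about 3:00pm Eastern on March 28, 2013.
INCIDENT_START = datetime(2013, 3, 28, 15, 0)
INCIDENT_END = INCIDENT_START + timedelta(hours=2)

# Transfers at or above this amount during the window go to manual review.
# The threshold is an assumption for the example, not a figure from the article.
REVIEW_THRESHOLD = 100_000.0

# Constructed wire-transfer log. Fields: timestamp|account|initiator|amount|destination
SAMPLE_LOG = """\
2013-03-28T14:12:05|acct-1001|cust-web|2500.00|US-BANK-A
2013-03-28T15:07:41|acct-2044|emp-ops-17|450000.00|INTL-BANK-X
2013-03-28T15:31:09|acct-3310|cust-web|820.00|US-BANK-B
2013-03-28T16:02:55|acct-2044|emp-ops-17|390000.00|INTL-BANK-Y
2013-03-28T17:45:00|acct-4021|emp-ops-02|250000.00|US-BANK-A
"""


@dataclass
class Transfer:
    ts: datetime
    account: str
    initiator: str
    amount: float
    dest: str


def parse_log(text: str) -> list[Transfer]:
    """Parse pipe-delimited transfer records; blank lines are skipped."""
    transfers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, initiator, amount, dest = line.split("|")
        transfers.append(
            Transfer(datetime.fromisoformat(ts), account, initiator, float(amount), dest)
        )
    return transfers


def in_window(ts: datetime, start: datetime, end: datetime) -> bool:
    """True when the timestamp lies inside the incident window (inclusive)."""
    return start <= ts <= end


def flag_for_review(
    transfers: list[Transfer], start: datetime, end: datetime, threshold: float
) -> list[Transfer]:
    """Transfers made during the DoS window that meet the review threshold."""
    return [t for t in transfers if in_window(t.ts, start, end) and t.amount >= threshold]


def initiators_with_repeat_transfers(flagged: list[Transfer]) -> list[str]:
    """Initiators behind more than one flagged transfer.

    One credential pushing several large wires in quick succession is the
    shape of the employee-compromise cases the FBI alert describes.
    """
    counts: dict[str, int] = {}
    for t in flagged:
        counts[t.initiator] = counts.get(t.initiator, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    flagged = flag_for_review(parse_log(SAMPLE_LOG), INCIDENT_START, INCIDENT_END, REVIEW_THRESHOLD)
    for t in flagged:
        print(f"REVIEW {t.ts.isoformat()} {t.account} by {t.initiator}: {t.amount:,.2f} -> {t.dest}")
    print("repeat initiators:", initiators_with_repeat_transfers(flagged))
```

On the constructed log, the two transfers by the same operations credential during the outage are flagged and the initiator is singled out, while the large transfer at 17:45 is left alone because it falls after the window closed. In practice the window and threshold would come from the incident ticket and the institution's own risk rules, and the output would feed a fraud analyst's queue rather than trigger automatic reversals.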

A well-funded attack

Still, Holden said that it's unlikely that criminals are "coat-tailing" on the Izz ad-Din al-Qassam group's attacks just yet. "It would have to be one of the incidences where the attackers can tell the site is down, [but then they] wouldn't be able to get in anyhow. So it's not as likely."

But even if the group behind the attacks isn't profiting from them, Holden said it's clear that there are very real investments being made in their activities, maybe not in servers or hard assets, but in the form of countless hours of maintenance of the botnet by finding new servers to exploit, and further development of attacks.

"Regardless of who's behind this," Holden said, "it has to be funded at some level. Even if it's hacktivists, it's got to be funded hacktivism." That, he says, is because of both the amount of time dedicated to the attack, and to its ongoing refinement. "It's not that these are the most sophisticated things in the world," he explained, "but it has been getting more sophisticated, and it's growing."

The goal of the investment in the botnet hasn't been to create the sort of massive DDoS launched on Spamhaus this week. Rather, Holden said, the goal seems to have "mainly been around being able to attack multiple targets. They're not interested in the biggest DDoS they can make; they're more interested in creating constant pressure to prove whatever they're trying to prove. They're in it for the long haul."

==========================================

(F)AIR USE NOTICE: All original content and/or articles and graphics in this message are copyrighted, unless specifically noted otherwise. All rights to these copyrighted items are reserved. Articles and graphics have been placed within for educational and discussion purposes only, in compliance with "Fair Use" criteria established in Section 107 of the Copyright Act of 1976. The principle of "Fair Use" was established as law by Section 107 of The Copyright Act of 1976. "Fair Use" legally eliminates the need to obtain permission or pay royalties for the use of previously copyrighted materials if the purposes of display include "criticism, comment, news reporting, teaching, scholarship, and research." Section 107 establishes four criteria for determining whether the use of a work in any particular case qualifies as a "fair use". A work used does not necessarily have to satisfy all four criteria to qualify as an instance of "fair use". Rather, "fair use" is determined by the overall extent to which the cited work does or does not substantially satisfy the criteria in their totality. If you wish to use copyrighted material for purposes of your own that go beyond 'fair use,' you must obtain permission from the copyright owner. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml

THIS DOCUMENT MAY CONTAIN COPYRIGHTED MATERIAL. COPYING AND DISSEMINATION IS PROHIBITED WITHOUT PERMISSION OF THE COPYRIGHT OWNERS.
