Since 2010, when the hacktivist group Anonymous adopted DDoS as its protest tool of choice, DDoS has become one of the most common cyber attacks, to the extent that almost every geopolitical dispute in the world now sees rival groups attacking each other with it.
Over the past year we have seen a change in the motivation behind the attacks. Newsworthy geopolitical DDoS campaigns are still dominant (such as the recent cyber war between Ukraine and Russia, and Operation Ababil by Islamic groups against US banks in 2013), but we have also witnessed criminals adopting DoS as a method of operation.
In most cases financially motivated cybercrime is about manipulating data: transferring money from one bank account to another, or stealing information such as trade secrets and trading it. But here is the catch. On the surface it is easy to assume the DoS attack is the goal in itself, designed to take down the victim's network and disrupt its transactions. In fact the problem is more far-reaching: when an unexpected outage takes down the victim's security controls, the defenders lose the ability to see and govern what goes in and out of the data centre, and the criminals can reach far more than money.
In the last few months, Radware's Emergency Response Team (ERT) has handled a number of attacks in which criminals used sophisticated methods to reach the real prize: financial information. Two criminal modi operandi are becoming prolific, which we refer to as 'Die Hard' and 'Stealth', and we expect to see more of both in 2014, driven by political and economic instability.
Die Hard: The cybercrime version
Every action-movie fan knows the trick. The criminals do something to catch the guards' attention while, at the same time, a splinter group from the gang gets on with the 'real' job.
Cybercriminals use a similar modus operandi. The attack opens with a large volumetric DDoS that appears out of nowhere and for no obvious reason. Its job is to saturate the victim's network security infrastructure until most of the deployed controls stop functioning. And here is the real vulnerability: organizations that depend on Internet availability almost always require their inline security devices to be configured to 'fail open', so that a device which can no longer keep up does not take the business offline with it. Once the simple flood exhausts the resources of one of those devices (an IPS, a firewall, or similar), it stops inspecting traffic and passes everything through, and everyone gets in, including the criminals.
That is the moment the attackers send the real payload: a plain SQL injection, a cross-site scripting attack, malware, or any other vector that the now-bypassed controls would normally have caught. With it they extract the sensitive data they came for, or alter data in the data centre in a way that grants them access to that highly coveted prize.
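The two-step mechanism above (flood the inline device until it saturates, then slip the real payload through the bypass) is easier to reason about with a small model. The following is an added example written for this page, not Radware's code or a real product's behaviour: a toy inline inspector with a fixed inspection budget per tick, run once configured to fail open and once configured to fail closed. The signatures, addresses and requests are constructed for the demonstration.

```python
"""Added example (not Radware's code): a toy inline inspector showing why a
security device configured to fail open is the real vulnerability in a
'Die Hard' attack. The signatures, addresses and requests are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for an IPS/WAF rule set: one SQL-injection family and
# one XSS signature are enough to show the mechanism.
ATTACK_PATTERNS = [
    re.compile(r"(?i)'\s*or\s*'?1'?\s*=\s*'?1"),   # classic ' OR '1'='1
    re.compile(r"(?i)\bunion\b.*\bselect\b"),        # UNION SELECT extraction
    re.compile(r"(?i)<script\b"),                    # reflected/stored XSS
]


@dataclass(frozen=True)
class Request:
    src: str    # client address
    path: str   # request line, already URL-decoded for simplicity


@dataclass
class InlineInspector:
    """Models an inline IPS/firewall with a fixed inspection budget per tick."""
    capacity: int          # requests it can inspect per tick before saturating
    fail_open: bool        # True = bypass when saturated; False = shed load
    forwarded: List[Request] = field(default_factory=list)
    blocked: int = 0       # inspected and denied
    uninspected: int = 0   # forwarded without inspection (fail-open only)
    dropped: int = 0       # refused because no budget was left (fail-closed only)

    @staticmethod
    def is_malicious(req: Request) -> bool:
        return any(p.search(req.path) for p in ATTACK_PATTERNS)

    def tick(self, batch: List[Request]) -> None:
        """Process one tick of traffic. Requests beyond `capacity` hit the
        saturation path, which is where the two policies diverge."""
        for position, req in enumerate(batch):
            if position < self.capacity:
                if self.is_malicious(req):
                    self.blocked += 1
                else:
                    self.forwarded.append(req)
            elif self.fail_open:
                # Saturated and configured to fail open: the device steps aside
                # and everything, including the attacker's payload, goes through.
                self.uninspected += 1
                self.forwarded.append(req)
            else:
                # Saturated and configured to fail closed: nothing is forwarded
                # that was not inspected. Availability suffers, data does not.
                self.dropped += 1


def simulate(fail_open: bool, flood_size: int = 500, capacity: int = 100) -> Dict[str, object]:
    """Run one tick: a volumetric flood from many constructed sources, followed
    by the attacker's real payload and one legitimate user's request."""
    flood = [Request(f"10.{n // 65536 % 256}.{n // 256 % 256}.{n % 256}", "/index.html")
             for n in range(flood_size)]
    attack = Request("203.0.113.7", "/login?user=admin' OR '1'='1&pass=x")
    legit = Request("198.51.100.5", "/account/balance")
    # The payload rides in behind the flood, after the inspection budget is gone.
    batch = flood + [attack, legit]
    dev = InlineInspector(capacity=capacity, fail_open=fail_open)
    dev.tick(batch)
    return {
        "attack_reached_backend": attack in dev.forwarded,
        "legit_reached_backend": legit in dev.forwarded,
        "blocked": dev.blocked,
        "uninspected": dev.uninspected,
        "dropped": dev.dropped,
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("fail-open" if mode else "fail-closed", simulate(fail_open=mode))
    print("quiet period, fail-open", simulate(fail_open=True, flood_size=0))
```

During a quiet period the same device blocks the injection outright; under the flood the fail-open device forwards it uninspected, while the fail-closed device keeps it out at the cost of also refusing the legitimate user. That availability cost is exactly why fail-open is the usual requirement, so the practical defence is not simply to flip the device to fail-closed but to keep it from saturating at all, by absorbing the volumetric flood upstream before it reaches the inline inspection layer.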