Anatomy of an attack: Leveraging Twitter to disrupt banking websites

Businesses must factor cost of defensive measures into their budgets


Core finding: In 2012 and 2013, a hacktivist group called Izz ad-Din al-Qassam Cyber Fighters profoundly disrupted a who’s who list of giant U.S. financial services companies. Claiming to be exacting retribution for a slight against the prophet Muhammad, the Cyber Fighters orchestrated denial-of-service attacks that knocked down major banking websites for days at a time.

Today, a hacktivist group known as Anon Saudi continues to regularly conduct smaller-scale denial-of-service attacks, targeting financial services companies for a variety of ideological reasons. In one recent instance, a large British bank that does business globally learned that it had turned up on a list of banking sites targeted for an Anon Saudi DDoS campaign. Forewarned, the bank was then able to repel the attack.


Attack vector: Anon Saudi used Twitter to foment ideological ire against the financial companies on the target list. Once a certain level of unrest was achieved, the group issued a link to a website with details of when and how volunteers should use their personal computing devices to bombard the targeted websites with nuisance requests.

Distinctive technique: This was to be a “slow HTTP attack.” Each volunteer was instructed to initiate nuisance requests to the targeted webpages in such a way as to keep the page open for a long period of time, delaying or cutting off requests from legitimate customers.

Wider implications: The financial services sector has spent billions since the Izz ad-Din onslaught in 2012–13 to shore up defenses. Yet ideological hacktivist campaigns persist, albeit on a smaller scale. Hacktivists have adapted to using Twitter as a very effective DDoS campaign tool, for recruiting volunteers and coordinating attacks. Banks must factor in defensive measures as a cost of doing business.
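A slow HTTP attack leaves a distinctive trace on the server side: connections that stay open far longer than a normal page request, and which the server eventually closes on a timeout. The following detector, an added example that is not part of the article, scans constructed nginx-style access-log lines (the log format, the 30-second threshold and the client addresses are all assumptions) and flags clients that repeatedly hold requests open.

```python
"""Flag slow-HTTP clients in access logs (added example, not from the article).

Assumes a constructed nginx-style log line:
  $remote_addr - [$time_local] "$request" $status $request_time
A slow HTTP client holds each request open for a long time; when the server's
timeout finally closes it, the entry shows a long request_time and usually a
408 (Request Timeout) or 499 (client closed connection) status.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<rt>[\d.]+)$'
)
SLOW_SECONDS = 30.0        # request_time at or above this counts as slow (assumed)
MIN_SLOW_REQUESTS = 3      # slow requests needed before a client is flagged (assumed)
TIMEOUT_STATUSES = {408, 499}


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m["ip"], "status": int(m["status"]), "rt": float(m["rt"])}


def find_slow_clients(lines, slow_seconds=SLOW_SECONDS, min_slow=MIN_SLOW_REQUESTS):
    """Return {ip: slow_request_count} for clients with at least min_slow slow requests."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["rt"] >= slow_seconds or rec["status"] in TIMEOUT_STATUSES:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_slow}


# Constructed sample log: one normal client, one slow-HTTP client, one stray timeout.
SAMPLE_LOG = """\
198.51.100.7 - [10/Oct/2015:13:55:36 +0000] "GET /login HTTP/1.1" 200 0.041
198.51.100.7 - [10/Oct/2015:13:55:37 +0000] "POST /login HTTP/1.1" 302 0.120
203.0.113.5 - [10/Oct/2015:13:55:40 +0000] "GET /login HTTP/1.1" 408 60.002
203.0.113.5 - [10/Oct/2015:13:55:41 +0000] "GET /login HTTP/1.1" 408 60.001
203.0.113.5 - [10/Oct/2015:13:56:50 +0000] "GET /accounts HTTP/1.1" 499 45.300
203.0.113.5 - [10/Oct/2015:13:57:02 +0000] "GET /login HTTP/1.1" 200 31.870
192.0.2.9 - [10/Oct/2015:13:57:10 +0000] "GET /login HTTP/1.1" 408 60.000
"""

if __name__ == "__main__":
    print(find_slow_clients(SAMPLE_LOG.splitlines()))  # {'203.0.113.5': 4}
```

The single 408 from 192.0.2.9 stays below the threshold, which keeps a customer on a flaky connection from being confused with a participant in the attack.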

Excerpts from ThirdCertainty’s interview with Chappell. (Answers edited for length and clarity.)

3C: Your technology monitors Twitter chatter. What happened in this case?

Chappell: We observed Anon Saudi going through a process of making other folks on Twitter aware of what they were planning to do and inviting them to participate. It’s a way of amplifying dialogue online prior to an attack. Our client turned up on a list, and we had seen a number of other similar instances like this one, where you could expect an attack to evolve.

3C: You see this type of thing all the time?

Chappell: Yes. Twitter has developed a whole culture around attacks. One of the things you see quite often is the use of hash tags that have ‘OP’ and the name of the campaign. It’s becoming its own thing on Twitter. You can find OP Saudi, OP Petrol, OP Turkey, OP Brazil, OP Myanmar, a whole range of different campaigns. This has become lingua franca for a call to action.

So we watched some of the discussion, we looked at the people who were commenting and encouraging others to participate, and at the volume of discussion. That’s usually quite a good indicator; it gives you some sense of the scale.

3C: What are some of the standard defenses banks are using?

Chappell: There are quite a few anti-DDoS mitigation tools, and the companies that provide those services really benefit from knowing in advance what kind of traffic might be received. Companies like CloudFlare, Incapsula, Black Lotus, Radware and Akamai operate what they call scrubbing sensors. The idea is they filter out different types of traffic, allowing just the legitimate traffic through.

We looked at some of Anon Saudi’s previous attacks and said to the client, ‘Look, we think this type of traffic is going to be received by your Web server.’ And that enabled them to prepare in advance to ensure their resources remained available for their clients.


3C: Has it reached the point where this is a routine cost of doing business?

Chappell: It really is a cost of doing business now for larger institutions. The Izz ad-Din Cyber Fighters’ campaigns changed a lot of people’s attitudes to this. It showed that DDoS attacks could be quite effective, and a lot of other groups jumped on the bandwagon at that point.

Banks realized how many services have moved online, and customers realized not being able to access their bank was a pretty serious issue. So banks have invested in the technologies, with a range of success.

3C: What about smaller financial services companies, community banks and credit unions?

Chappell: We’ve seen a few of the smaller institutions targeted. It’s usually where there is some investment in a particular project, or they’ve associated themselves with something that comes under attack. Sometimes they just look like easy targets; we have seen that. But it’s sporadic. It’s difficult to recommend that if you’re a smaller institution, you should invest heavily in anti-DDoS technologies.

3C: So what should local banks and credit unions do?

Chappell: It’s worth being prepared. Have a chosen supplier on hand, so that you can react very quickly in the event an issue is detected. And have budget set aside, so that, should an event occur, you can cover the cost of increased bandwidth and the cost of bringing a protection provider online very quickly.

3C: It comes down to assessing risk and preparing for the worst?

Chappell: If I were a small bank, I’d look at what countries I’m doing business in, because that, interestingly, is an indicator as to the extent to which my services might be targeted. I’d make sure I’m getting the basics right. So just make sure my Web servers are patched; make sure that my infrastructure is well-monitored. And I’d have an incident response plan, so I’m able to respond quickly in the event that an attack did take place.
