Monthly Archives: February 2013

Helping ISPs defend customers against bot infections

At RSA Conference 2013 Kindsight announced the Kindsight Botnet Security service to help Internet service providers detect botnet activity in the network and protect subscribers against bot infections…

Read More:
Helping ISPs defend customers against bot infections

Five tips to combat a Distributed Denial of Service (DDoS) Attack

Who’s next? That’s a question probably lingering on the minds of many American banking executives these days. After all, eight U.S. banks were hammered by distributed denial of service (DDoS) cyber attacks in recent weeks and more could be in the works. A DDoS attack typically floods a website or network with so much traffic that it shuts down. The attack can last anywhere from hours to days, depending on how long it takes the victim to divert the traffic and how long the perpetrator can keep blasting the traffic at the victim’s site and network. The hacktivist group known as Izz ad-Din al-Qassam Cyber Fighters took credit for the cyber attacks on the banks. In posts on the website www.pastebin.com, the group said the DDoS attacks were in retaliation to a YouTube video insulting the Prophet Muhammad and many Muslims. Could this wave of cyber attacks be the beginning of a new movement? Will hacktivist groups join cyber criminals, ruthless competitors and even angry customers in launching DDoS attacks to shut down company websites? It’s possible. Especially since the tools to launch DDoS attacks are cheap and readily accessible. Currently, there are more than 50 DDoS tools 1 on the market. And if DDoS attacks do become more prevalent, how much damage can they cause? Well, according to one study 2 more than 65% of the respondents said when their websites go down it costs them about $10,000 per hour or $240,000 per day. Most of these companies were in the finance, telecom, travel and IT industries. These costs are due to lost business and lost resources when staff members have to work on matters related to the attack, instead of on their regular jobs. Retailers who sell most of their merchandise online said when their websites go down, it costs them about $100,000 per hour. If this is indeed the case, what can organizations do to protect themselves? Here are five tips offered by computer security experts: Maintain a high level of awareness to spot suspicious site traffic and other anomalies. Install the most advanced intrusion detection signatures (IDS) and intrusion prevention signatures (IDS) as defense mechanisms against cyber attacks. Make sure you have automatic updates scheduled for your anti-virus and other software programs. Review incident recovery plans and employee training strategies to ensure that your staff knows what to do if you do experience a DDoS attack or other form of cyber attack. Work closely with Internet Service Providers, law enforcement and vendors when faced with cyber threats and other suspicious cyber activity. Have you experienced a DDoS cyber attack? If so, how did you respond? We would like to hear about it. Contact us . Source: http://www.lexology.com/library/detail.aspx?g=61781aa7-caf5-4da1-8c2a-18b4590f3b0d  

Excerpt from:
Five tips to combat a Distributed Denial of Service (DDoS) Attack

Predictions for Distributed Denial of Service (DDoS) Attacks in 2013 will be application based

Twenty-five percent of distributed denial of service (DDoS) attacks that occur in 2013 will be application-based, according to Gartner, Inc. During such incidents, attackers send out targeted commands to applications to tax the central processing unit (CPU) and memory and make the application unavailable. “2012 witnessed a new level of sophistication in organized attacks against enterprises across the globe, and they will grow in sophistication and effectiveness in 2013,” said Avivah Litan, vice president and distinguished analyst at Gartner. “A new class of damaging DDoS attacks and devious criminal social-engineering ploys were launched against U.S. banks in the second half of 2012, and this will continue in 2013 as well-organized criminal activity takes advantage of weaknesses in people, processes and systems.” High-bandwidth DDoS attacks are becoming the new norm and will continue wreaking havoc on unprepared enterprises in 2013. A new class of damaging DDoS attacks was launched against U.S. banks in the second half of 2012, sometimes adding up to 70 Gbps of noisy network traffic blasting at the banks through their Internet pipes. Until this recent spate of attacks, most network-level DDoS attacks consumed only five Gbps of bandwidth, but more recent levels made it impossible for bank customers and others using the same pipes to get to their websites. Hackers use DDoS attacks to distract security staff so that they can steal sensitive information or money from accounts. People continue to be the weakest link in the security chain, as criminal social engineering ploys reach new levels of deviousness in 2013. In 2012, several different fraud scams that took social engineering tactics to new heights of deviousness have been reported, including criminals approaching people in person as law enforcement or bank officers to help them through account migration that then comprised their bank accounts. Source: http://timesofindia.indiatimes.com/tech/enterprise-it/security/25-of-DDoS-attacks-to-be-application-based-in-2013/articleshow/18613476.cms

Excerpt from:
Predictions for Distributed Denial of Service (DDoS) Attacks in 2013 will be application based

Malicious URLs eclipsing botnets as malware distribution leader

McAfee Labs revealed that sophisticated attacks originally targeting the financial services industry are now increasingly directed at other critical sectors of the economy, while an emerging set of ne…

Visit site:
Malicious URLs eclipsing botnets as malware distribution leader

25% of DDoS attacks in 2013 will be application-based

Twenty-five percent of distributed denial of service (DDoS) attacks that occur in 2013 will be application-based, according to Gartner. During such incidents, attackers send out targeted commands to a…

View article:
25% of DDoS attacks in 2013 will be application-based

California financial institution website hit with Distributed Denial of Service (DDoS) Attack costing $900,000

A Christmas Eve cyberattack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000. At approximately midday on December 24, 2012, organized cyber crooks began moving money out of corporate accounts belonging to Ascent Builders , a construction firm based in Sacramento, Calif. In short order, the company’s financial institution – San Francisco-based Bank of the West — came under a large distributed denial of service (DDoS) attack, a digital assault which disables a targeted site using a flood of junk traffic from compromised PCs. KrebsOnSecurity contacted Ascent Builders on the morning of Dec. 26 to inform them of the theft, after interviewing one of the money mules used in the scam. Money mules are individuals who are willingly or unwittingly recruited to help the fraudsters launder stolen money and transfer the funds abroad. The mule in this case had been hired through a work-at-home job offer after posting her resume to a job search site, and said she suspected that she’d been conned into helping fraudsters. Ascent was unaware of the robbery at the time, but its bank would soon verify that a series of unauthorized transactions had been initiated on the 24th and then again on the 26th. The money mule I spoke with was just one of 62 such individuals in the United States recruited to haul the loot stolen from Ascent . Most of the mules in this case were sent transfers of between $4,000 and $9,000, but several of them had bank accounts tied to businesses, to which the crooks wired huge transfers from Ascent’s account; five of the fraudulent transfers were for amounts ranging from $80,000 to $100,000. Mark Shope , president of Ascent Builders, said that when the company’s controller originally went online on the morning of Dec. 24 to check the firm’s accounts, her browser wouldn’t let her access the bank’s page. She didn’t know it at the time, but her computer was being remotely controlled by the attackers’ malware, which blocked her from visiting the bank’s site. “It said the bank was offline for 24 hours, and we couldn’t get in to the site,” Shope said. “We called the bank and they said everything was fine.” But soon enough, everything would not be fine from Bank of the West’s end. Not long after putting through a batch of fraudulent automated clearing house (ACH) and wire transfers from Ascent’s accounts, the fraudsters initiated a DDoS attack against the bank’s Web site, effectively knocking it offline. It’s not clear what tactics or botnets may have been used in the DDoS attack, but the cyberheist+DDoS approach matches the profile of cybercrime gangs using the Gameover Trojan – a ZeuS Trojan variant that has been tied to numerous DDoS attacks initiated to distract attention from high-dollar cyberheists.   Shope said the FBI is actively investigating the breach. The FBI declined to comment for this story. Bank of the West also did not respond requests for comment. But a law enforcement source working the case and speaking on condition of anonymity confirmed that the bank was subjected to a DDoS attack at the time of the robbery. The law enforcement official added that Ascent may not have been the only victim that day at Bank of the West, and that several other businesses and banks in the local area had been similarly robbed on or around Christmas Eve. Shope said Bank of the West has been able to claw back about half of the stolen funds, and expects to recover a great deal more. He said many of the bigger fraudulent transfers went to other businesses. For example, one of the mules was either running or working at a Hertz equipment rental franchise on the East Coast, and had called Ascent Builders to complain after the bank discovered the fraud and began clawing back large transfers. That mule, apparently unaware he was helping thieves launder stolen money, was calling to find out what happened to his $82,000. “We got a call from a Hertz rental equipment company back east, and they said “Why did you take this deposit out of our account?’ Shope recalled. “I asked him what he thought it was for, and he said, “Oh, this was for some equipment that we were purchasing for you guys from Russia, and we already sent the money on [to Russia], so what’s going on?”‘ A few thoughts about this attack. If you run a business and suddenly find yourself unable to log in to your commercial account, pick up the phone and call your bank to inquire about any recent money transfer activity. Very often, malware that thieves use to steal banking passwords in these cyberheists will also redirect the victim to an error page that says the bank’s site is down for maintenance. If this happens to you, call your bank and ask them to check your accounts (don’t trust a customer service phone number offered on a “down for maintenance” page; call the number on your bank card or search online for the institution’s customer service number). Also, get educated about the risks of banking online with a business account, and then take steps to make sure your organization isn’t the next victim. Regulation E limits the liability for consumers who lose money due to unauthorized account activity online (provided they notify their financial institution of the fraudulent activity within 60 days of a statement). Businesses do not enjoy such protections, although a couple of recent court cases brought by cyberheist victims against their banks have gone in favor of the businesses, suggesting that banks may find it increasingly difficult to disavow financial liability in the wake of these attacks going forward. Finally, consider banking online with a dedicated system. This among several recommendations I include in a short list of other tips that small businesses should consider when banking online.

More:
California financial institution website hit with Distributed Denial of Service (DDoS) Attack costing $900,000

Antibot: Network-based botnet removal tool

Botnets are flourishing with new packaging, new methods and new business models. ZeroAccess, the world’s fastest-growing botnet, infected millions of computers in 2012, using them to commit large-scal…

Read this article:
Antibot: Network-based botnet removal tool

Evolving Distributed Denial of Service (DDoS) Attacks provide the driver for financial institutions to enhance response capabilities

Distributed Denial-of-Service (DDoS) attacks1 are not a new method employed by cyber criminals to inflict damage on victim entities’ networks. In fact, DDoS attacks were one of the first types of online crimes to appear in the dawn of the Internet age.2 In the past several years, however, cyber threat actors have rekindled this attack to produce two new variants, both of which specifically target the financial services sector. The first variant employs the DDoS attack merely as a diversion technique. In this method, which became noticeable in late 2011 and continues to present day, criminals conduct a DDoS attack on a victim website in order to divert attention and distract bank personnel from the underlying purpose of the attack—to steal online banking credentials and conduct unauthorized wire transfers. To execute this attack, criminals have used a commercially available crimeware kit—known as Dirtjumper—that can be bought and sold on criminal forums for only $200.3 While the purpose of the first type of DDoS is to increase the chance of successful financial fraud, the purpose of the second variant, which is the focus of this article, appears to be in line with the more traditional purpose of a DDoS—to disrupt services by rendering the website inaccessible to legitimate users. The new variant, however, is unprecedented in terms of its size, its industry focus, the attack vector it employs, its longevity and its potential source.4 At the same time, the response to these attacks has been extraordinary in terms of industry collaboration and information-sharing to mitigate the impact of the attacks.5 Given the combination of first-time factors contributing to this variant’s successes and because this new breed of cybercrime may be merely a sign of what awaits financial institutions in 2013, all financial institutions—small, mid-tiered and large alike—are advised to take this opportunity to review, reexamine and enhance their security incident response capabilities. The New DDoS Variant Beginning in mid-September 2012 and continuing over a six-week period, a dozen financial institutions were successfully targeted by a group initiating a series of sophisticated DDoS attacks against these banks’ websites.6 Most of the attacks were preannounced by the group claiming responsibility for the attacks—Izz ad-Din Al-Qassam Cyber Fighters (QCF).7 QCF claimed its motive was to stop widespread and organized offenses to Islamic spiritual and holy issues and, in particular, remove an offensive video from the Internet.8 Some sources, however, attribute the group’s activities to the government of Iran responding to prior alleged U.S. cyber attacks on its systems and networks.9 Approximately one-and-a-half months later, the QCF allegedly initiated a second campaign of attacks. This wave, which started as early as December 11, 2012, targeted many of the same banks and a few additional institutions with similar DDoS attacks.10 Indeed, the group claimed, based on a numerical sequence of “likes and dislikes” to Internet content it deems objectionable, that the attacks would continue for at least 14 months.11 However, seven weeks later on January, 29, 2013, the group claimed victory when the objectionable content was apparently removed from one of the sources on the Internet.12 This DDoS variant is significantly and substantially different from previous types of DDoS attacks in several ways. First, the volume of network traffic used to commit the attacks was substantial. In the first campaign of attacks, it was reported that some banks were hit with a flood of traffic peaking at 65 gigabits-per-second (gbps).13 Given that this volume is magnitudes above previous DDoS attacks, and that a mid-size business may only have the capacity to process 1 gbps of network traffic, this enormous influx of traffic is significant and problematic.14 The high-volume network traffic of this size can overwhelm most of a victim’s network infrastructure, and slow its response time to web inquires, if not grind it to a halt altogether. Second, the attacks were aimed at institutions in the financial services sector. Both the first and second campaigns targeted large financial institutions, while more recent attacks have targeted a broader range of institutions, including smaller banks and credit unions. 15 Although there is no evidence that these attacks have compromised customer accounts, QFC claims its attacks cost U.S. banks $30,000 for every minute their websites were down.16 Third, the attacks used a network of compromised web servers—nicknamed “brobot”—in contrast to the more traditional DDoS, which uses a network of compromised individual “zombie” computers—known as a “botnet.”17 By using web servers, which have significantly larger bandwidth than individual computers, fewer compromised computers are needed and the capability for massive traffic exists to flood the victims’ systems making it unresponsive to legitimate requests.18 Finally, industry experts have identified a layer of variability and persistence of tactics, particularly in that the toolkit allows attackers to react to defenses and modify attack strategy quickly.19 New attack vectors have also increased the effectiveness of strikes, partly because they utilize bilateral strikes against both Internet service providers and victim banks at the application level.20 Certainly, if the suspected source of the attack is true, the ability of the bad actors to draw upon unlimited resources in changing their tactics “on the fly” is not without reason. Industry Response Industry experts attribute an important contribution to minimizing the impact of the attacks to sharing critical threat data in near- to real-time both within the financial services sector and between government and the private sector.21 The Financial Services Information Sharing and Analysis Center (FS-ISAC), the designated operational arm of the Financial Services Sector Coordinating Council, was particularly effective in this regard by providing a mechanism to collect threat intelligence and alert participating members with reports containing anonymized information.22 The FS-ISAC issued a fraud alert the day following the first attack and, a few days later, raised awareness in the U.S. banking industry by changing its cyber threat level from “elevated” to “high.”23 In addition, technology and DDoS mitigation service providers have also provided a significant role in releasing new tools and mechanisms to plug the holes exploited by attackers.24 Some institutions also reached out directly to the government for assistance in the response. Utilizing an established process known as “Request for Technical Assistance” (RTAs), banks reach out to their regulators who, in turn, reach out to the U.S. Treasury Department to draw upon the appropriate resources in the federal government, including the Department of Homeland Security (DHS) and the National Security Agency (NSA), to provide the requested assistance.25 It appears that at least some banks have requested support from the NSA.26 The DHS has also spoken publicly about its ability to help financial institutions to defend against DDoS attacks.27 Regulator Response On December 21, 2012, the Office of the Comptroller of the Currency (OCC), an independent bureau of the U.S. Department of the Treasury, released an alert to CEOs of all national banks, federal branches and agencies, and associated interested parties, calling for a heightened sense of awareness and offering risk mitigation information in response to this series of sophisticated DDoS attacks.28 In the alert, the OCC reiterated its expectations that financial institutions have risk management programs in place to identify evolving threats to online accounts and adjust technology safeguards appropriately.29 Further, banks are expected to ensure that an effective incident response approach with sufficient staffing is in place and proactive due diligence reviews are conducted to identify and mitigate risks imposed by potential DDoS attacks.30 The regulators also encourage participation in information-sharing organizations such as the FS-ISAC.31 Conclusion In the wake of this unprecedented variant of a traditional cybercrime attack, financial institutions of all sizes should take the opportunity to review, reexamine, improve and expand their incident response capabilities. Of course, every situation varies and there is no “one-size-fits-all” response to any incident. However, building upon lessons learned from responding to these particular attacks, institutions may want to consider: developing a structure and mechanism to intake early warning signals and integrate them into an immediate response; participating in information-sharing within the sector and with external parties (vendors, regulators and law enforcement); testing response plans to ensure that outside parties, such as DDoS mitigation service providers, are able to deliver services as planned and anticipated; building a threat/defense matrix into incident response plans for certain threats, such as DDoS attacks; and employing a layered defense with multiple tactical defense options. In addition, financial institutions may want to consider expanding their arsenal of possible responses with creative solutions, such as: cross-industry collaboration (e.g., developing joint strategies with ISPs and information technology and telecommunication providers); employing active defense technologies; exploring informal and formal (i.e., legal) mechanisms to pursue intermediaries caught in the cross-fire; and exploring informal and formal mechanisms to dismantle the bad actor infrastructure. Source: http://www.lexology.com/library/detail.aspx?g=8779273b-682d-4e76-8cf9-eacdd429c406

More:
Evolving Distributed Denial of Service (DDoS) Attacks provide the driver for financial institutions to enhance response capabilities

The multiple faces of Distributed Denial of Service (DDoS) Attacks

According to Stratecast, DDoS attacks are increasing in number by 20 per cent to 45 pc annually Google, Microsoft, Apple, PayPal, Visa, MasterCard… many of the world’s largest websites have all been victims of Distributed-Denial-of-Service (DDoS) attacks. A DDoS attack consists in having a multitude of systems attack a single target in an attempt to make its resources unavailable to its intended users. During the last decade, the number of DDoS attacks has increased and their motivations and targets have evolved. Karine de Ponteves, FortiGuard AV analyst at Fortinet, traces the evolution of these attacks. Early 2000: Into the spotlight Although we can’t be sure when the first real DDoS attack occurred, the first large-scale distributed attack (DDoS) happened in 1999, against the IRC server of the University of Minnesota. 227 systems were affected and the attack left the university’s server unusable for two days. In February 2000, many popular websites including Yahoo!, eBay, CNN and Amazon.com, were paralyzed for hours. Yahoo! suffered a loss of $500,000 during its three hours of downtime, while the volume of activity of the CNN.com site dropped by 95%. The downtime loss was huge. A 15-year old Canadian known as “Mafiaboy” was arrested and charged for the attacks. His motivation? Defiance. This teenager just wanted to show off his skills. To do so, he scanned a network to find a number of vulnerable hosts; compromised the hosts by exploiting a known vulnerability; deployed software turning the host into a “zombie”; and then propagated the attack so that each zombie would in their turn compromise new targets, following the same process. 2005: A lucrative attack In the early 2000s, in order to create a botnet to launch a DDoS attack, the hacker would have to follow the same steps as the ones used by Mafiaboy. With the advent of Internet worms, those steps became automated, enabling a hacker to trigger large-scale attacks. In August 2005, 18-year-old Farid Essabar, who had never studied computer programming, was arrested for the spread of the MyTob worm. The worm would open a backdoor on the infected MS Windows host, connecting to a remote IRC server and waiting for commands. It would self-propagate at reboot copying itself over network shares, opening the door to massive DDoS attacks with all the hosts compromised by the worm and executing the commands sent over IRC. The outbreak was covered live on CNN as the TV channel own computers network became infected. What were the intentions this time? Not to actually disrupt corporate networks, but to extort thousands of dollars from companies by threatening to target DDoS attacks to their networks. Quickly, the targeted enterprises decided to pay the extortionists rather than deal with the consequences of a DDoS attack. 2010: DDoS and hacktivism In 2010, mainstream media extensively reported high-profile DDoS attacks motivated by political or ideological issues such as the well-publicized Wikileaks/Anonymous series of incidents. That year, attackers dramatically increased attack volumes, and, launched for the first time attacks breaking the 100Gbps barrier, which represents about 22,000 times the average bandwidth of an Internet user in the U.S. in 2010. In December, Wikileaks came under intense pressure to stop publishing secret United States diplomatic cables. In response, the Anonymous group announced its support, and termed Operation Payback the series of DDoS attacks it led against Amazon, PayPal, MasterCard and Visa in retaliation of the anti-Wikileaks behavior. These attacks caused both MasterCard and Visa’s websites to be brought down on December 8th. The tool behind the Anonymous/Wikileaks attacks is called the Low Orbit Ion Cannon (LOIC). Although it was originally an open-source load-testing tool, designed to conduct stress tests for web applications, it was in that case used as a DDoS tool. 2012 and beyond: The acceleration of application-layer based attacks Although there are many different attack methods, the DDoS attacks can be generally classified into two categories: Volumetric attacks: Flood attacks saturate network bandwidth and infrastructure (e.g.: UDP, TCP SYN, ICMP). Application-layer attacks: These attacks are designed to target specific services and exhaust their resources (HTTP, DNS). Because they use less bandwidth, they are harder to detect. The ideal situation for application-layer DDoS attacks is where all other services remain intact but the webserver itself is completely inaccessible. The Slowloris software was born from this concept, and is therefore relatively very stealthy compared to most flooding tools. According to Stratecast, DDoS attacks are increasing in number by 20% to 45 pc annually, with application-based DDoS attacks increasing in the triple digits levels. The trend toward application-layer DDoS attacks is clear, and unlikely to reverse. This trend is not, however, an indication that network-layer or flow-based, volumetric attacks will cease. On the contrary, both types of attacks will combine to be more powerful. The 2012 Verizon Data Breach Investigations Report reveals that several high profile application-layer DDoS attacks hiding behind volumetric attacks were used to obscure data theft efforts, proving that multi-vector attacks are now used to hide the true target of the attack. DDoS attacks are growing in frequency and severity while, in parallel, the means to launch an attack are simplified and the availability of attacker tools increases. In addition, the complexity of these attacks is increasing due to their polymorphic nature as well as the development of new tools to obfuscate their true nature. As a result, traditional methods of detection are often useless and mitigation gets more difficult. With such evolution, it is essential that organizations revise their security posture and make sure they have the right defenses in place to be protected against DDoS attacks. Here, the main challenge is to have sufficient visibility and context to detect a wide range of attack types without slowing the flow and processing of legitimate traffic; and then to mitigate the attack in the most effective manner. A multi-layer defense strategy is thus essential to enable granular control and protection of all components that are in the critical path of online activities. Source: http://www.ciol.com/ciol/experts/174422/the-multiple-ddos-attacks/page/2

See the original article here:
The multiple faces of Distributed Denial of Service (DDoS) Attacks

Week in review: Critical Flash update, Bamital botnet takedown, and children turning into malware developers

Here's an overview of some of last week's most interesting news, reviews, articles and interviews: Federated single sign-on to dominate by 2016 A well-executed single sign-on (SSO) strategy redu…

Visit link:
Week in review: Critical Flash update, Bamital botnet takedown, and children turning into malware developers