Anatomy of an attack: Using Twitter to launch denial-of-service attacks against banks

November 30th, 2015

By Byron Acohido

(Editor’s note: This actual snapshot of a cutting-edge Distributed Denial of Service attack was discovered by analysts at security vendor Digital Shadows, which provides cyber situational awareness to its SMB and enterprise customers. Digital Shadows’ CTO James Chappell shared this detailed intelligence with LastWatchdog. In the accompanying video, F5 cybersecurity evangelist David Holmes outlines the ongoing evolution of DDoS attacks. )

Core finding: In 2012 and 2013, a hacktivist group called Izz ad-Din al-Qassam Cyber Fighters profoundly disrupted a who’s who list of giant U.S. financial services companies. Claiming to be exacting retribution for a slight against the prophet Muhammad, the Cyber Fighters orchestrated denial-of-service attacks that knocked down major banking websites for days at a time.

Today, a hacktivist group, known as Anon Saudi, continues to regularly conduct smaller-scale denial-of-service attacks, targeting financial services companies for a variety of ideological reasons. In one recent instance, a large British bank that does business globally, learned that it had turned up on a list of banking sites targeted for an Anon Saudi DDoS campaign. Forewarned, the bank was then able to repel the attack.

Attack vector: Anon Saudi used Twitter to foment ideological ire against the financial companies on the target list. Once a certain level of unrest was achieved, the group issued a link to a website with details of when and how volunteers should use their personal computing devices to bombard the targeted websites with nuisance requests.

Distinctive technique: This was to be a “slow HTTP attack.” Each volunteer was instructed to initiate nuisance requests to the targeted webpages in such a way as to keep the page open for a long period of time, delaying or cutting off requests from legitimate customers.

Wider implications: The financial services sector has spent billions since the Izz ad-Din onslaught in 2012-13 to shore up defenses. Yet ideological hacktivist campaigns persist, albeit on a smaller scale. Hactivists have adapted to using Twitter as a very effective DDoS campaign tool—for recruiting volunteers and coordinating attacks. Banks must factor in defensive measures as a cost of doing business.

Excerpts from ThirdCertainty’s interview with Chappell. (Answers edited for length and clarity.)

LastWatchdog: Your technology monitors Twitter chatter. What happened in this case?

Chappell: We observed Anon Saudi going through a process of making other folks on Twitter aware of what they were planning to do and inviting them to participate. It’s a way of amplifying dialogue online prior to an attack. Our client turned up on a list, and we had seen a number of other similar instances like this one, where you could expect an attack to evolve.

 LastWatchdog: You see this type of thing all the time?

Chappell: Yes. Twitter has developed a whole culture around attacks. One of the things you see quite often is the use of hash tags that have ‘OP’ and the name of the campaign. It’s becoming its own thing on Twitter. You can find OP Saudi, OP Petrol, OP Turkey, OP Brazil, OP Myanmar, a whole range of different campaigns. This has become lingua franca for a call to action.

So we watched some of the discussion, we looked at the people who were commenting and encouraging others to participate, and at the volume of discussion. That’s usually quite a good indicator, it gives you some sense of the scale.

LastWatchdog: What are some of the standard defenses banks are using?

Chappell: There are quite a few anti-DDoS mitigation tools, and the companies that provide those services really benefit from knowing in advance what kind of traffic might be received. Companies like CloudFlare, Incapsula, Black Lotus, Radware and Akamai operate what they call scrubbing sensors. The idea is they filter out different types of traffic allowing just the legitimate traffic through.

We looked at some of Anon Saudi’s previous attacks and said to the client, ‘Look, we think this type of traffic is going to be received by your Web server.’ And that enabled them to prepare in advance to ensure their resources remained available for their clients.

LastWatchdog: Has it reached the point where this is a routine cost of doing business?

Chappell: It really is a cost of doing business now for larger institutions. The Izz al-Din Cyber Fighters’ campaigns changed a lot of people’s attitudes to this. It showed that DDoS attacks could be quite effective and a lot of other groups jumped on the bandwagon at that point.

Banks realized how many services have moved online, and customers realized not being able to access their bank was a pretty serious issue. So banks have invested in the technologies, with a range of success.

LastWatchdogWhat about smaller financial services companies, community banks and credit unions?

Chappell: We’ve seen a few of the smaller institutions targeted. It’s usually where there is some investment in a particular project, or they’ve associated themselves with something that comes under attack. Sometimes they just look like easy targets; we have seen that. But it’s sporadic. It’s difficult to recommend that if you’re smaller institution, you should invest heavily in anti-DDoS technologies.

LastWatchdog: So what should local banks and credit unions do?

Chappell: It’s worth being prepared. Have a chosen supplier on hand, so that you can react very quickly in the event an issue is detected. And have budget set aside, so that, should an event occur, you can cover the cost of increased bandwidth and the cost of bringing a protection provider online very quickly.

LastWatchdog: It comes down to assessing risk and preparing for the worst?

Chappell: If I were a small bank, I’d look at what countries I’m doing business in, because that, interestingly, is an indicator as to the extent to which my services might be targeted. I’d make sure I’m getting the basics right. So just make sure my Web servers are patched; make sure that my infrastructure is well-monitored. And I’d have an incident response plan, so I’m able to respond quickly in the event that an attack did take place.