Cyber extortion gang DD4BC is using social media campaigns to garner more attention for its
ability to create service disruptions by publicly embarrassing large organisations
The cyber criminal gang calling itself DD4BC (DDoS for bitcoin) has added a
social media component to its attacks aimed at extorting funds from businesses.
Since July 2014, the gang has been using distributed denial of service (DDoS) attacks
– or at least the threat of DDoS attacks – to extort money from a range of organisations.
“This is a very low-cost, low-risk way to make money, but organisations should
consider very carefully before paying what the attackers demand,” said Margee
Abrams, Neustar product marketing director.
“These attacks will continue as long as they are successful, but by investing in
mitigation capabilities, organisations can protect themselves as well as drive up the
cost for attackers,” she told Computer Weekly.
In recent months, the gang has increased the frequency and scope of its DDoS
extortion attempts, shifting from targeting Bitcoin exchanges to online casinos,
betting shops, retailers and – most recently – prominent financial institutions and
government organisations.
DD4BC has also adopted more aggressive measures to target brand reputation
through social media, according to a report by content delivery network services firm
Akamai Technologies.
“The latest attacks – focused primarily on the financial services industry – involved
new strategies and tactics intended to harass, extort and ultimately embarrass the
victim publicly,” said Stuart Scholly, senior vice-president and general manager of the
security division at Akamai.
Between June and July 2015 the attacks escalated from low-level floods to attacks of
up to 20 Gbps. The group would then demand a Bitcoin ransom in return for sparing
the company a larger DDoS attack designed to make its website inaccessible.
Since September 2014, Akamai has observed 141 confirmed DD4BC attacks against
its customers, with 114 of those taking place in the past five months. The attacks
peaked at 41 in June, tapering off to 31 in July.
The average bandwidth of the attacks has been 13.34 Gbps, with the largest DDoS
attack reported at 56.2 Gbps.
However, recent attacks have included threats to expose targeted organisations
through social media, adding to the damage caused by the DDoS attack itself.
Akamai believes the goal of these social media campaigns is to garner more
attention for the group’s ability to create service disruptions by publicly embarrassing
the target and tarnishing the company’s reputation through these wide-reaching
channels.
The group’s methodology typically includes multi-vector DDoS campaigns, revisiting
former targets, and adding application-layer DDoS to those multi-vector attacks,
specifically by abusing the WordPress XML-RPC pingback feature: third-party
WordPress sites are induced to fetch the target’s URLs, so the flood arrives as
ordinary-looking HTTP requests from thousands of legitimate blogs rather than from
the attacker’s own hosts.
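The pingback reflection traffic described above is easy to spot in a web server’s own access log, because WordPress identifies itself when it verifies a pingback. The following is an added example, not code from the article or from Akamai: it parses constructed Apache/nginx combined-format log lines (sample data made up for this illustration), picks out requests whose User-Agent is the WordPress pingback-verification string, and reports how many distinct reflecting blogs are hitting the site and which hosts submitted the pingbacks to them. The reflector threshold and the sample addresses are assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format. Regex written for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent sent by WordPress when it verifies a pingback: it fetches the URL
# named in the pingback.ping XML-RPC call and appends the address of the host
# that submitted that call. The blog is a reflector; "origin" is the submitter.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<ver>[\w.]+); (?P<site>\S+); '
    r'verifying pingback from (?P<origin>\S+)$'
)

# Constructed sample log lines (not real traffic). Lines 1, 2, 4 and 5 are
# pingback-verification fetches from four different blogs; line 3 is a browser.
# The random query strings model the cache-busting seen in such floods.
SAMPLE_LINES = [
    '198.51.100.10 - - [15/Jul/2015:10:00:01 +0000] "GET /?1234 HTTP/1.0" 200 5120 "-" '
    '"WordPress/4.2.2; http://blog-a.example; verifying pingback from 203.0.113.5"',
    '198.51.100.11 - - [15/Jul/2015:10:00:01 +0000] "GET /?9881 HTTP/1.0" 200 5120 "-" '
    '"WordPress/4.1; http://blog-b.example; verifying pingback from 203.0.113.5"',
    '192.0.2.44 - - [15/Jul/2015:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 8120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/39.0"',
    '198.51.100.12 - - [15/Jul/2015:10:00:02 +0000] "GET /?7771 HTTP/1.0" 200 5120 "-" '
    '"WordPress/4.2.2; http://blog-c.example; verifying pingback from 203.0.113.5"',
    '198.51.100.13 - - [15/Jul/2015:10:00:03 +0000] "GET /?1 HTTP/1.0" 200 5120 "-" '
    '"WordPress/3.9; http://blog-d.example; verifying pingback from 203.0.113.9"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse_pingback_reflection(lines, min_reflectors=3):
    """Summarise pingback-verification fetches seen in an iterable of log lines.

    min_reflectors is an assumed alerting threshold: a handful of genuine
    pingbacks is normal, a burst from many distinct blogs is a reflection flood.
    """
    reflectors = set()      # WordPress sites doing the fetching
    origins = Counter()     # hosts that submitted the pingbacks to those sites
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = PINGBACK_UA_RE.match(rec["ua"])
        if ua is None:
            continue
        total += 1
        reflectors.add(rec["ip"])
        origins[ua["origin"]] += 1
    return {
        "pingback_requests": total,
        "reflector_count": len(reflectors),
        "reflectors": sorted(reflectors),
        "origins": origins,
        "flagged": len(reflectors) >= min_reflectors,
    }


if __name__ == "__main__":
    result = analyse_pingback_reflection(SAMPLE_LINES)
    print(f"pingback fetches: {result['pingback_requests']} "
          f"from {result['reflector_count']} blogs, flagged={result['flagged']}")
    for origin, n in result["origins"].most_common():
        print(f"  submitted by {origin}: {n}")
```

In production the counts would be kept per time window rather than over a whole file. The reflecting blogs are innocent sites, so the right response is to rate-limit or drop requests carrying the "verifying pingback from" User-Agent at the edge, not to blacklist the blogs; the origin addresses, which come from the reflectors’ own TCP connections and are therefore not spoofed, are the ones worth reporting.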
To help protect against extortionist group DD4BC, Akamai recommends
organisations take the following defence measures:
Deploy anomaly- and signature-based DDoS detection methods to identify
attacks before a website becomes unavailable to users.
Distribute resources to increase resiliency and avoid single points of failure due
to an attack.
Implement application layer DDoS mitigation appliances on the network in
strategic locations to reduce the threat for critical application servers.
Andrew Conway, research analyst at Cloudmark, said that while extortion threats
based on DDoS attacks are nothing new, the emergence of bitcoin as an anonymous
medium of exchange has dramatically reduced the risks for the attackers.
“Bitcoin is not a particularly convenient payment system, compared with PayPal,
credit cards or bank transfers. In fact, business for DDoS for hire services went down
dramatically when PayPal started cancelling their accounts, and they were forced to
switch to bitcoin,” he said.
According to Conway, the main uses of bitcoin are for activities that would not be
legal with conventional payments systems, such as circumvention of exchange
controls, unlicensed gambling, illegal drug purchases and – of course – extortion.
“As well as DDoS extortion, we are also seeing bitcoin blackmail demands going out
to Ashley Madison customers, and it is the standard payment system for ransomware
these days,” he said.
Conway said the fact that most DDoS attacks rely on some form of amplification, that
is, on using resources that belong to other people to send internet traffic to a target,
presents an opportunity to hamper these attacks that is often overlooked.
The most common way of building a DDoS amplification attack is to spoof the target’s
IP address as the source of requests to a third-party server, so that the server’s
larger responses are delivered to the target rather than to the attacker.
“It’s fairly easy to configure the routers on a network not to allow spoofed IP
addresses to leave that network, which means DDoS attackers can’t operate from
there. However, there are still far too many networks on the internet that do not do
this. Until that particular security hole is plugged, business subject to extortion will
have to rely on DDoS protection services,” said Conway.
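The egress filtering Conway describes is the BCP 38 rule: a network forwards outbound packets only if their source address belongs to its own prefixes. The following added example, not code from the article or from Cloudmark, models that rule in Python and runs a constructed reflection attack through it twice, once with the attacker’s network filtering and once without, to show where the amplified traffic ends up. All addresses, the amplification factor and the packet counts are assumptions made for the illustration.

```python
import ipaddress

# Constructed topology (example values, not from the article).
ATTACKER_NET = ipaddress.ip_network("198.51.100.0/24")   # network hosting the bot
VICTIM_IP = ipaddress.ip_address("203.0.113.10")          # extortion target
REFLECTORS = [ipaddress.ip_address(f"192.0.2.{i}") for i in range(1, 6)]
AMPLIFICATION = 28   # assumed bytes of response per byte of request


def egress_filter(packets, local_prefixes):
    """BCP 38 at the customer edge.

    packets: iterable of (src, dst) address strings leaving the network.
    Only packets whose source lies in one of local_prefixes are forwarded;
    anything else is, by construction, spoofed and is dropped.
    """
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    forwarded, dropped = [], []
    for src, dst in packets:
        s = ipaddress.ip_address(src)
        if any(s in n for n in nets):
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst))
    return forwarded, dropped


def run_reflection_attack(bcp38, request_bytes=60, requests_per_reflector=1000):
    """Simulate a bot in ATTACKER_NET spoofing VICTIM_IP towards the reflectors.

    Returns the bytes the reflectors send to the victim and the bytes the
    attacker's own edge router discarded before they reached the internet.
    """
    spoofed = [(str(VICTIM_IP), str(r))
               for r in REFLECTORS for _ in range(requests_per_reflector)]
    if bcp38:
        forwarded, dropped = egress_filter(spoofed, [str(ATTACKER_NET)])
    else:
        forwarded, dropped = spoofed, []
    return {
        "victim_bytes": len(forwarded) * request_bytes * AMPLIFICATION,
        "dropped_at_edge": len(dropped) * request_bytes,
    }


if __name__ == "__main__":
    for flag in (False, True):
        r = run_reflection_attack(bcp38=flag)
        print(f"bcp38={flag}: victim receives {r['victim_bytes']:,} bytes, "
              f"{r['dropped_at_edge']:,} bytes dropped at the attacker's edge")
```

The point the simulation makes is that the filter has to sit on the attacker’s side: the victim and the reflectors never see the spoofed source and cannot tell the request is forged, whereas the attacker’s own edge router knows exactly which prefixes it is supposed to originate traffic from.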
http://www.computerweekly.com/news/4500253322/DD4BCcyberextortiongangaddssocialmediatoarsenal