DDoS Attacks: First Signs of Fraud?
Researcher: Attackers' Goal May be Account Takeover
With high-profile denial-of-service attacks impacting several leading U.S. financial institutions, banks and credit unions are re-evaluating their modes of prevention and defense.
In fact, Mike Smith, a security evangelist and DDoS specialist at Web security provider Akamai, says recent attacks, including two separate campaigns against Capital One, prove DDoS attacks will continue to plague organizations of all kind.
First, Smith says organizations need to determine the minimum functionality of their websites that they need to have operational. "Maybe you need to give people a low-size page instead of the full page with mash-ups, JavaScript and client-side controls," he says during an interview with BankInfoSecurity's Tracy Kitten [transcript below].
When under attack, that smaller webpage should be up and operational, served in a different location outside of an organization's infrastructure, Smith emphasizes.
Organizations, banking institutions in particular, also should build relationships with service providers and focus on how they can interact with customers or members in the event of a site outage. For banks and credit unions, that could mean focusing on phone banking, "calling in and going through the phone tree to find out your account balance," he says. "It's kind of antiquated now, but it still works if the website is down."
Overall, Smith says, preparation is about "looking at things and taking more of a continuity of operations, combined with customer satisfaction. How are you going to keep those two things going even though the website is down?"
During this interview, Smith discusses:
- Three basic steps all organizations should take to mitigate DDoS risks;
- Why banking institutions should ensure that backup banking channels, like the call center, are prepared to handle increased traffic when online banking sites go down; and
- Why addressing DDoS threats will require increased budgetary commitments and investments.
At Akamai, Smith is the company's customer-facing ambassador from the Information Security Team. He serves as a liaison between security, sales, product management, compliance, engineering, professional services and marketing. Before joining Akamai, Smith served as an embedded security engineer, a security officer and a security assessment team lead for various companies. He is an adjunct professor for Carnegie Mellon University and teaches through the non-profit Potomac Forum.
Analyzing DDoS Attacks
TRACY KITTEN: What can you tell us about the attacks that you've reviewed?
MIKE SMITH: We've received some of these attacks on behalf of our customers. It looks like, for the most part, they're fairly large. We're seeing about 65 gigabits per second per attack, which is interesting. Also, something that's interesting to us is the fact that the attacks are using compromised servers simply because they have more bandwidth. When I'm looking at these particular sets of attacks, they're primarily against financial institutions. There were a couple of technology companies that got hit early on, prior to the 18th, and it looks like the attackers are using multiple techniques. They'll vary the technique that they're using to see what they can be effective with, but for the most part it's a very, very intense campaign, a shorter duration, and then they're onto the next target.
KITTEN: Beyond what you've already noted, what would you say is unique about these attacks?
SMITH: Usually when you have a denial-of-service attack or a distributed denial-of-service attack, the common technique is to use multiple desktop computers running some kind of malware. You take control of these computers usually by e-mail or some kind of spam techniques, or phishing techniques, to get a piece of malware on top of these desktops. The attackers now have changed their techniques to target servers simply because of the larger amount of bandwidth. What that means is that their command and control is drastically simplified and whenever a node is attrited from their botnet - for instance, a hosting provider that cleans up that particular node that has been compromised - they can go in and rapidly replenish their attacking nodes as they're taken down. This gives the attackers great flexibility and, at the same time, because they have a smaller number of attacking nodes, they can retarget or change techniques fairly rapidly, where if you have say 30,000 home computers hooked up in a botnet, there's a little bit of a curve. You can actually see, as they retarget, there's a transition period where the individual computers will roll off the old target and start rolling onto the new target.
KITTEN: What seems to be standing out about these attacks?
SMITH: Last year there was a campaign that was interesting -- fraudsters were using Zeus in combination with DDoS attacks. You can see where there was an increase in DDoS activity against banks and account takeover of small to medium-size business online banking accounts using Zeus. What the attackers would do is they would take over desktop computers. They transferred money out of that account for the small business. They could usually get $100,000 to $200,000 - maybe a little bit more - and then they would DDoS the bank to slow down the bank's response.
That's interesting. That lasted from about November all the way through until March when there was a large raid in Pennsylvania and Illinois and suddenly that attack traffic stopped. Then there was a quiet period. Now, all of a sudden, we have on the 17th of September a fraud alert from the Financial Services ISAC saying there has been an increase in bank employee account takeovers and then on the 18th the attack started.
Copycat Threat
KITTEN: Is there concern about copycats and claims posted on Pastebin?
SMITH: Sure, that's always a problem with Pastebin, in that anybody can go to Pastebin and post anonymously. What you'll see are copycats, and I personally haven't seen any of those. I don't think it's a problem yet, but in the last message the attackers - if the posting came from them - have some kind of weird mathematical equation and a personal message to Leon Panetta. There was another series of posts that we've seen that are various math equations, and my gut instinct is to think that these are copycats or [they're] making fun of the attackers and their strange math, but that's the problem. Anybody can go paste something on Pastebin. When you receive a new message, you don't know if it's the attackers or if it's somebody pretending to be the attackers or if it's somebody that wants to do the same kind of attacks as the attackers and they have some other method to attack. It really just kind of diffuses what it is that you're looking at in trying to find these folks.
Linking Past and Present Attacks
KITTEN: Do you think there's a link between what we're seeing now and previous attacks that were waged ultimately for account takeover?
SMITH: "Link" is an interesting word. I think there's something in common there, but I think it's more along the lines of the same techniques, or the same overall strategy is a good way to say it, in that the attackers are using DDoS to slow down the financial services response to the real issue, which is the fraud.
I think it's the same technique. However, looking at the capabilities of the attackers, the folks that were launching attacks last winter and spring, they were fairly good at taking over desktops. Whereas the folks that are attacking now are looking at compromising the servers and it's a different skill set. If you're putting Zeus on desktops, you're the malware guys. You're good at negotiating Windows operating systems and the controls on Windows operating systems. Whereas these folks, in order to conduct the attacks that they're doing, you have to be a reasonably okay web application security person who can go in and compromise web applications to stick your tools on there.
Attacks on CapOne
KITTEN: Why do you think CapOne was hit for a second time?
SMITH: Assuming, as we have been, that the attackers are doing this for fraud, they're looking for targets that have money and that they actually have a footprint on bank employees' desktops. When you look at it from the attackers' standpoint, you're looking at where can I get the maximum amount of return on my effort in dollars, and so what you're looking at is what institutions do I actually [have] the better footprint with those bank employees where if I attack them and run my fraud scam, I will actually get more money out of it. If you look at it, there's kind of a business cycle that the attackers will go through. They'll have say spear phishing, wait a couple of days and see which organizations they now have a bigger, better footprint in and what access they have, and then they'll decide who they want to attack.
What's interesting to me is that the attackers put up their message but they didn't name any institutions like they have been. That leads me to believe that possibly they're going to keep people guessing because they want attention on all financial service institutions, or it could be that they're focusing on a couple but they're doing repeats and so they don't want the organizations to use lessons that they've learned already from fighting these folks. The first attack is always the worst in that you're not expecting it, but following and subsequent attacks, you at least have relationships with your service providers, you have the lessons learned inside your organizations between your operation folks and your security folks, and you can actually execute on defending against a DDoS because you've already done it in the past, say, three weeks.
DDoS Used for Fraud?
KITTEN: Do you think that these attacks are being waged to perpetrate fraud?
SMITH: That's what the indicators tell me. We saw this a year ago and you almost never throw 65 gigabits of traffic at a financial services institute just to make your point, because when you do that you expose the nodes that you've compromised, or in this case the servers that you've compromised, and so people will go clean those up. As an attacker, you will harvest points of presence in places, save it up until you're ready to attack with the real attack, and then you'll throw that DDoS out there to delay the response. I've heard people refer to this as a distraction, which is partially true. I think it's more of a delaying tactic. A distraction is, "Hey, don't notice that over there." I think of it as a delaying tactic which is occupying the resources so that they don't have time to deal with the real threat.
KITTEN: Do you think we can expect to see other banks, such as Bank of America and Chase, hit for a second time?
SMITH: I think that's a fairly safe assumption; although sometimes [with] the attackers, I don't know necessarily 100 percent of what they're thinking. The attackers will go where they have a footprint and where there's money, so that indicates they'll probably go after additional organizations or they might completely vary things up if they feel that the organization has good enough defenses to actually defeat either one of the attacks, either the fraud or the DDoS.
DDoS Detection, Prevention
KITTEN: What would you say is the biggest mistake most institutions make when it comes to DDoS detection and prevention?
SMITH: I don't think anybody is making mistakes. A lot of folks are grabbing threat intelligence out there: what's the size of the attacks; what techniques do people use; even proactively monitoring things like Pastebin which hacktivists use for messages. The attackers are using Pastebin for messages. Monitoring these things and knowing when an attack is coming is actually more valuable, because most large financial services - in fact I think all of them - have relationships with DDoS protection service providers, but the problem is you don't keep those turned on all the time. What you do is you wait until you receive an attack, or you have an indicator of an attack, and then you flip the traffic to a scrubbing service or a mitigation provider or something like that.
You're a bank. When your website is down, it's a customer satisfaction issue. Your call-center volume increases. Your branch office visits increase, but there's not a direct monetary impact. There are a lot of annoyances. You might have a little bit of customer churn, but you know primarily the money is in the bank and the money is still safe. It's just that customer satisfaction goes down. When you look at what's the actual impact of, say, a one-day DDoS on a bank, it's not a lot. Maybe [there's] some brand damage, but it's not a severe impact to the bank versus the fraud, which according to the FS-ISAC alert the fraudsters are getting $400,000 to $900,000 per fraud incident. That's a significant impact. How likely is a large DDoS to occur? [It's a] fairly moderate to low impact, a fairly moderate rate of occurrence, and so DDoS protection becomes a lower priority where you're willing to maybe take an outage for four hours. That's fairly acceptable, but you're not necessarily willing to take a hit for a million dollars in a fraud transaction.
Biggest Worries
KITTEN: What would you say institutions' biggest worry is going forward?
SMITH: I think what the attackers are doing is focusing on the operations teams, the security teams, and the fraud detection and mitigation teams because they have limited personnel resources. When you hit these folks, you can only deal with so many crises at a time. When it comes to something like, "Do we kick the fraudsters out or do we detect the malware, or do we restore service to our site," it's not a good situation to be in. There's this worry there that if there's an extended campaign and you get hit multiple times in say a week or multiple times in a month even, that it wears out your staff, and it's not like you can just turn around and say, "I need another infosec person who's good at these things," and you can hire them and then tomorrow they'll be effective in their job. There's lead time in there. The attackers are focusing on doing a denial-of-staff attack versus the actual IT piece that's going on.
Technology Solutions
KITTEN: Where do technology and staff come into the fold?
SMITH: There are three basic ways to mitigate a DDoS. One of those is appliances. You put them inside the data center. They look for patterns. They're really good at application-level attacks. Think of them as IDS or web application firewalls that have rule sets specific to denial-of-service. And they're really good at that, but they're inside the data center so the pipes into the data center get saturated with packets and then they can't even see the attacks so they can't help you, but they're really good for small attacks and subtle attacks.
The service providers that offer mitigation services - they're scrubbers - you take your traffic during an attack and route it through their scrubbing service, and they have lots of resources there. Then there's something like what we do, which is we operate a large distributed reverse web-proxy where a lot of attacks just get dropped at the door because they're not proxy safe. We don't push them back. There are these three basic ways to do it. Almost always for large attacks you need a service provider to help mitigate that. That's why folks go out. They have relationships with their ISPs, with the pure-play scrubbing centers.
I think there are a couple of things that we could focus on. One is, what's the minimum functionality of your site that you need to have operational? Maybe you need to give people a low-size page instead of the full page with mash-ups, JavaScript and client-side controls and things like that, but push out that smaller page to the user so that they know that the website is up and operational. And serve that from someplace else. Don't serve it from inside of your infrastructure. There are some things out there for preparation as far as building relationships with service providers, having a fail-over to a smaller page that's hosted outside, focusing on what your core business is, and assuming that if the website is down, how are your customers going to get in touch with you? That's why it may be phone banking - calling in and going through the phone tree to find out your account balance. It's kind of queued and antiquated now, but it still works if the website is down. [It's about] looking at things like that and taking more of a continuity of operations combined with customer satisfaction. How are you going to keep those two things going even though the website is down?
KITTEN: What can we expect to see?
SMITH: There was a point about five years ago when I talked to financial services institutions and we talked about denial-of-service, and almost always the answer was the attackers will never do a denial-of-service against us because they need us to be up so they can attack us and actually steal things. I think that time has changed. I think the attackers have evolved. Information security is almost an arms race where you have a maneuver followed by a counter-maneuver, followed by a counter-counter-maneuver, and we just keep escalating our response to each other, and I think in this case the attackers have actually accelerated their maneuvers into doing DDoS. It has become a very viable threat over the past two years.