Akamai Diversity

The Akamai Blog

DDoS Attacks Used As Cover For Other Crimes

Protecting customers from DDoS attacks is an Akamai InfoSec specialty. When we see DDoS attempts against our customers, the typical thinking is that someone is doing it to force sites into downtime, which can cost a business millions in lost online sales. 

But sometimes, these attacks are simply a cover operation to distract the victim while something else is going on. 

A story that caught our attention in SC Magazine and elsewhere drives home the point. The article, published Wednesday, explains how the bad guys have stolen millions from U.S. banks while distracting the victims with DDoS activity. From the article:

Criminals have recently hijacked the wire payment switch at several US banks to steal millions from accounts, a security analyst says. Gartner vice president Avivah Litan said at least three banks were struck in the past few months using "low-powered" distributed denial-of-service (DDoS) attacks meant to divert the attention and resources of banks away from fraudulent wire transfers simultaneously occurring. The loses "added up to millions [lost] across the three banks," she said. "It was a stealth, low-powered DDoS attack, meaning it wasn't something that knocked their website down for hours."

The story has gotten the attention of other publications as well. From CNet's article on the subject:

Security researchers have previously highlighted the growing trend of using DDoS attacks to hide fraudulent activity at banks. Dell SecureWorks Counter Threat Unit issued a report (PDF) in April that warned that a popular DDoS toolkit called Dirt Jumper was being used to divert bank employees' attention from attempted fraudulent wire transfers of up to $2.1 million.

Though Litan's write-up on the Gartner website has generated a lot of fresh attention, these kinds of attacks aren't all that new. Nearly a year ago, the threat was outlined in a joint paper from the FBI, Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center (IC3). The Sept. 17, 2012 alert said, among other things:

Recent FBI reporting indicates a new trend in which cyber criminal actors are using spam and phishing e-mails, keystroke loggers, and Remote Access Trojans (RAT) to compromise financial institution networks and obtain employee login credentials. The stolen credentials were used to initiate unauthorized wire transfers overseas. The wire transfer amounts have varied between $400,000 and $900,000, and, in at least one case, the actor(s) raised the wire transfer limit on the customer's account to allow for a larger transfer. In most of the identified wire transfer failures, the actor(s) were only unsuccessful because they entered the intended account information incorrectly.

Litan offered some additional advice:

"One rule that banks should institute is to slow down the money transfer system while under a DDoS attack," she wrote. "More generally, a layered fraud prevention and security approach is warranted."

Below: This graphic, from the latest Akamai State of the Internet report, shows which sectors are most impacted by DDoS attacks. 

Figure 05 Q1 2013.jpg