The Izz ad-Din al-Qassam Cyber Fighters launched a series of attacks in the fall, notably compromising the websites of JP Morgan Chase and Bank of America in protest of the continued availability of the anti-Muslim YouTube video, 'the Innocence of Muslims.' Now, it warns that those two institutions, plus US Bancorp, PNC Financial Services Group and SunTrust, are all in the cyber-crosshairs for the next wave. And indeed, low-level attacks are already being observed, according to Arbor Networks.
"In new phase, the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks," the hacking collective said in a statement posted on Pastebin.
Researchers at Arbor Networks note that the DDoS attacks are typically carried out via bots and insecure websites—and the new attacks have been carried out in a slightly more sophisticated manner than the earlier campaigns.
In the case of the September 2012 DDoS attack series, many compromised PHP Web applications were used as bots in the attacks, the company’s analysis uncovered. Additionally, many WordPress sites, often using the out-of-date TimThumb plugin, were being compromised around the same time. Joomla and other PHP-based applications were also compromised. “On December 11, 2012, attacks on several of these victims were observed,” Arbor added. “Some attacks looked similar in construction to Brobot v1, however there is a newly crafted DNS packet attack and a few other attack changes in Brobot v2.”
Notably, these attacks are known quantities. "During the months of September and October we witnessed targeted and very serious DDoS attacks against U.S. based financial institutions,” the company said in a blog post. “They were very much premeditated, focused, advertised before the fact and executed to the letter.”
Unmaintained sites running out-of-date extensions are easy targets, of course. “The attackers took full advantage of this to upload various PHP webshells which were then used to further deploy attack tools,” Arbor said. “Attackers connect to the compromised webservers hosting the tools directly or through intermediate servers/proxies/scripts and issue attack commands.”
These attacks have shown why DDoS continues to be such a popular and effective attack vector, added Arbor. “Yes, DDoS can take the form of very large attacks,” it noted. “In fact, some of this week’s attacks have been as large as 60Gbps. What makes these attacks so significant is not their size, but the fact that the attacks are quite focused, part of an ongoing campaign, and like most DDoS attacks quite public. These attacks utilize multiple targets, from network infrastructure to web applications.”