According to Information Week, Arbor Networks studied the serious distributed denial-of-service attacks aimed at United States banks. These attacks began in September of 2012. The hackers compromised numerous PHP web applications, such as Joomla, and also hacked into WordPress sites that used an older version of the TimThumb plug-in.
Once the hackers got into the PHP-based websites, they inserted toolkits to turn them into launch pads for their distributed denial-of-service attacks. Hackers then launched the attacks on banks by connecting directly to the compromised PHP-based websites and sending them commands, or took advantage of intermediate servers, proxies or scripts to make the websites do their bidding. InformationWeek lists three attack tools used by the hackers: KamiKaze, AMOS, and the “itsokaynoproblembro” toolkit, also known as Brobot.
Financial websites affected by the attack included Bank of America, BB&T, JPMorgan Chase, Capital One, HSBC, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. The Izz ad-Din al-Qassam Cyber Fighters hacker group claimed credit for the attacks. They paused in October, but this month stated that they would start a new wave of attacks. Arbor Networks posted on its blog this quote from the group, which revealed its next targets: “Contually, the goals under attacks of this week are including: U.S. Bancorp, JPMorgan Chase&co, Bank of America, PNC Financial Services Group, SunTrust Banks, Inc.”
Importantly, Arbor Networks noted a certain amount of evolution in the hacking group’s approach. “On December 11, 2012, attacks on several of these victims were observed,” the security firm related on its blog. “Some attacks looked similar in construction to Brobot v1, however there is a newly crafted DNS packet attack and a few other attack changes in Brobot v2.” InformationWeek reported that at least one of the hacking group’s targets confirmed via e-mail that its bank’s website had been experiencing “an unusual volume of electronic traffic at our Internet connection,” but would not state whether the traffic was the result of distributed denial-of-service attacks.
As website administrators, what can we learn from these attacks? “Unmaintained sites running out-of-date extensions are easy targets,” Arbor Networks observed, and hackers will take “full advantage of this to upload various PHP webshells…to further deploy attack tools.” Administrators should check the websites under their care regularly to make sure that their PHP applications and plug-ins are neither outdated nor unsecured.
Such security-conscious behavior will help to prevent more than just distributed denial-of-service attacks. If a hacker can break into a PHP-based website to use it as a staging area for an attack on a different website, they can also use that website to store stolen information. InformationWeek cited the example of the Eurograbber attack campaign, revealed earlier this month. The gang involved in that campaign stole $47 million from more than 30,000 corporate and private banking customers – and used PHP-based websites into which they hacked to store stolen information. “Using drop zones – as a kind of criminal Dropbox – helps attackers better cover their tracks and evade security defenses,” InformationWeek explained.
So do make sure your website’s applications, extensions, and plug-ins are up-to-date. By doing so, you can help to prevent your company from being victimized by hackers in all sorts of ways. Good luck!