Ransomware demands are working, fueling an increase in attacks

Infoblox DNS Threat Index finds criminals are creating more ransomware-domains than ever, and predicts a continuing increase in attacks as more criminals rush to cash in. 

 

Emboldened by the wave of successful ransomware attacks in early 2016, more cybercriminals are rushing to take advantage of this lucrative crime spree.

Networking company Infoblox’s quarterly threat index shows cybercriminals have been busy in the first quarter of 2016 creating new domains and subdomains and hijacking legitimate ones to build up their ransomware operations.

The number of domains serving up ransomware increased 35-fold in the first three months of 2016 compared to the end of 2015, according to the latest Infoblox DNS Threat Index. The index doesn’t measure actual attack volumes but observes malicious infrastructure — the domains used in individual campaigns. Criminals are constantly creating new domains and subdomains to stay ahead of blacklists and other security filters. The fact that the attack infrastructure for ransomware is growing is a good indicator that more cybercriminals are shifting their energies to these operations.

“There is an old adage that success begets success, and it seems to apply to malware as in any other corner of life,” Infoblox researchers wrote in the report.

The threat index hit an all-time high of 137 in the first quarter of 2016, compared to 128 in fourth quarter 2015. While there was a lot of activity creating infrastructure for all types of attacks, including malware, exploit kits, phishing, distributed denial-of-service, and data exfiltration, the explosion of ransomware-specific domains helped propel the overall threat index higher, Infoblox said in its report. Ransomware-related domains, which include those hosting the actual download and those that act as command-and-control servers for infected machines, accounted for 60 percent of the entire malware category.

“Again in simple terms: Ransomware is working,” the report said.

Instead of targeting consumers and small businesses in “small-dollar heists,” cybercriminals are shifting toward “industrial-scale, big-money” attacks on commercial entities, said Rod Rasmussen, vice president of cybersecurity at Infoblox. Cybercriminals don’t need to infect several victims for $500 each if a single hospital can net them $17,000 in bitcoin, for example.

The latest estimates from the FBI show ransomware cost victims $209 million in the first quarter of 2016, compared to $24 million for all of 2015. That doesn’t cover only the ransoms paid out — it also includes costs of downtime, the time required to clean off the infection, and resources spent recovering systems from backup.

Toward the end of 2015, Infoblox researchers observed that cybercriminals appeared to have abandoned the “plant/harvest cycle,” where they spent a few months building up the attack infrastructure, then a few months reaping the rewards before starting all over again. That seems to be the case in 2016, as there was no meaningful lull in newly created threats and new threats — such as ransomware — jumped to new highs. The harvest period seems to be less and less necessary, as criminals get more efficient shifting from task to task, from creating domains, hijacking legitimate domains, creating and distributing malware, stealing data, and generally causing harm to their victims.

 

“Unfortunately, these elevated threat levels are probably with us for the foreseeable future — it’s only the nature of the threat that will change from quarter to quarter,” Infoblox wrote.

Ransomware may be the fastest-growing segment of attacks, but it still accounts for a small piece of the overall attack infrastructure. Exploit kits remain the biggest threat, accounting for more than 50 percent of the overall index, with Angler leading the way. Angler is the toolkit commonly used in malvertising attacks, where malicious advertisements are injected into third-party advertising networks and victims are compromised by navigating to websites displaying those ads. Neutrino is also gaining popularity among cybercriminals. However, the lines are blurring as Neutrino is jumping into ransomware, as recent campaigns delivered ransomware, such as Locky, Teslacrypt, Cryptolocker2, and Kovter, to victims.

Recently, multiple reports have touted ransomware’s rapid growth, but what gets lost is that ransomware isn’t the most prevalent threat facing enterprises today. Organizations are more likely to see phishing attacks, exploit kits, and other types of malware, such as backdoors, Trojans, and keyloggers. Microsoft’s recent research noted that in 2015, ransomware accounted for less than 1 percent of malware. The encounter rate for ransomware jumped 50 percent over the second half of 2015, but that is going from 0.26 percent of attacks to 0.4 percent. Even if there are 35 times more attacks in 2016, that’s still a relatively small number compared to all other attacks.

The good news is that staying ahead of ransomware requires the same steps as basic malware prevention: tightening security measures, keeping software up-to-date, and maintaining clean backups.

“Unless and until companies figure out how to guard against ransomware — and certainly not reward the attack — we expect it to continue its successful run,” warned the report.

 

Source:  http://www.infoworld.com/article/3077859/security/ransomware-demands-are-working-fueling-an-increase-in-attacks.html

HACKERS TARGET CZECH REPUBLIC GOV’T SITES OVER PLANS TO BLOCK GAMBLING DOMAINS

Hackers have attacked Czech Republic government websites to protest the country’s decision to block the domains of unauthorized online gambling operators.

Last week, the Czech senate overwhelmingly approved the country’s new gambling legislation, which would open up the market to international online operators for the first time, while imposing blocks on the domains of sites not holding a Czech license.

On Tuesday, Novinky.cz reported that the Senate’s official website Senat.cz had been knocked offline Monday night following a distributed denial of service (DDoS) attack by someone claiming to be associated with the Anonymous hackers collective.

An English-language statement accompanying the attack claimed that the Senate’s website had been targeted “because you passed a law to prevent free access to the Internet.” The statement warned that this wasn’t the last time the government would hear from the hackers on this issue.

The Czech News Agency reported that the attack also affected websites belonging to the Interior Ministry and its affiliated police and firefighters’ organizations, as well as the Social Democratic Party (CSSD), which holds a majority in the Czech parliament.

A CSSD spokesman dismissed the disruption as “no massive, dangerous or successful attack,” while claiming that the average visitor to the party’s website wouldn’t have noticed anything was amiss.

The Interior Ministry brushed off the “unsuccessful attempts” at public disruption, saying they’d managed to restore their website’s functionality within a few hours. The ministry said its information systems weren’t affected and steps were being taken to ensure defenses were in place against future attacks.

The Canadian province of Quebec may wish to take similar precautions. Last month, the province approved the Ministry of Finance’s proposal to block unauthorized gambling sites in a bid to bolster the bottom line of EspaceJeux, the online gambling site of provincial gaming monopoly Loto-Quebec.

Loto-Quebec’s plans, which have no precedent in Canada, have been condemned by free-speech advocates, who wonder what other types of websites might be next on the province’s blacklist.

 

Source:  http://calvinayre.com/2016/06/01/business/hackers-target-czech-republic-plans-gambling-domains/

Anonymous Announces #OpSilence, Month-Long Attacks on Mainstream Media

Members of the Ghost Squad Hackers team, one of most active Anonymous sub-divisions, have carried out DDoS attacks on CNN and FOX News as part of a new hacktivism campaign.

Called OpSilence, the campaign’s goal is to attack all mainstream media that fails to report on the Palestine war or the true crimes happening in Syria, one of the hackers told Mic.

#OpSilence will take place during the entire month of June 2016

The operation will be run similarly to #OpIcarus, a month-long series of attacks that took place in the month of May against various banks around the world.

Any hacktivism group is welcomed to join, and the campaign comes on the heels of OpIcarus, which just ended yesterday.

Ghost Squad Hackers didn’t wait for June to start to begin their attacks, and they’ve already hit the email servers of FOX News and CNN. The group has been changing tactics lately, switching from DDoSing public websites to attacking mail servers, as they did most recently against the Bank of England.

Other hackers have taken a pro-Palestine stance before

Taking a pro-Palestine stance is nothing unusual for hackers; many other groups have supported this cause as well. The previous group that did so was CWA (Crackas With Attitude), whose hacked targets include CIA Director John Brennan’s personal AOL email account, FBI Deputy Director Mark Giuliano, US National Intelligence Director James Clapper, and President Barack Obama’s Senior Advisor on science and technology John Holdren.

The group is also responsible for hacking the JABS US national arrests database. They also leaked details for 2,400 US government officials, 80 Miami police officers, 9,000 DHS employees, and 20,000 FBI staffers.

Back in February, the group’s leader, a sixteen-year-old boy, was arrested in East Midlands, England.

External Source: http://www.ddosattacks.net/anonymous-announces-opsilence-month-long-attacks-on-mainstream-media/

 

Internal source:  http://news.softpedia.com/news/anonymous-announces-opsilence-month-long-attacks-on-mainstream-media-504760.shtml

U.S. Spending Heavily to Counter Deadly DDoS Cyber Attacks by Foreign Foes

The U.S. Defense Advanced Research Projects Agency (DARPA) is spending heavily to automate the cyber defense responses of the U.S. military to counter distributed denial-of-service (DDoS) attacks that are widely expected to precede a limited armed conflict or a full-scale war with another nation.

DARPA’s answer to this deadly threat is Extreme DDoS Defense or XD3. This program will alter the way the military protects its networks from high- and low-speed DDoS attacks. The general public and private business firms will also benefit from this program.

A DDoS attack occurs when multiple systems flood the bandwidth or resources of a targeted system, such as the Pentagon’s, typically one or more web servers. These attacks are difficult to thwart since multiple machines are used to overwhelm a target. They are also difficult to deal with since responses to DDoS attacks are usually delayed and manually driven.

Over the past seven months, DARPA has awarded seven XD3 multi-million dollar contracts to Georgia Tech, George Mason University, Invincea Labs, Raytheon BBN, Vencore Labs and the University of Pennsylvania.

DARPA said the nature of DDoS attacks spans a wide range. Botnet-induced volumetric attacks, which can generate hundreds of gigabits per second of malicious traffic, are perhaps the best-known form of DDoS.

“However, low-volume DDoS attacks can be even more pernicious and problematic from a defensive standpoint. Such attacks target specific applications, protocols or state-machine behaviors while relying on traffic sparseness (or seemingly innocuous message transmission) to evade traditional intrusion-detection techniques.”

DARPA noted the current art in DDoS defense generally relies on combinations of network-based filtering, traffic diversion and “scrubbing” or replication of stored data (or the logical points of connectivity used to access the data) to dilute volumetric attacks and provide diverse access for legitimate users.

It said these approaches fall well short of desired capabilities in terms of response times and the ability to identify and to thwart low-volume DDoS. Current methods also don’t have the ability to stop DDoS within encrypted traffic. There is also the need to defend real-time transactional services such as those associated with military command and control.

DARPA laments that responses to DDoS attacks are too slow and manually driven.

Diagnosing an attack and formulating and executing filtering rules often takes hours. This means a clear need exists for fundamentally new DDoS defenses with far greater resilience to DDoS attacks across a broader range of contexts than existing approaches or evolutionary extensions.

Source: http://www.chinatopix.com/articles/88761/20160526/u-s-spending-heavily-counter-deadly-ddos-cyber-attacks.htm

 

Anonymous Goes After Florida Gov. Rick Scott for Polluting the Gulf of Mexico

A member of the Anonymous hacker collective has uploaded a video online requesting the impeachment and immediate resignation of Florida Governor Rick Scott.

In videos posted first on Facebook and then on YouTube, the group launches accusations of corruption and complacency when it comes to the state’s dangerous situation regarding its polluted waters slowly dripping into the Atlantic.

The group specifically outlines the case of Lake Okeechobee, whose waters have slowly trickled into the Gulf of Mexico.

“This water could have easily been sent south to the Everglades, but is his greed for big sugar and the land deals to line his pockets,” the hacker group explains in its video.

Further, the group also brings accusations of Governor Scott protecting the state’s corrupt politicians and manipulating the judicial system with the help of Pam Bondi, Florida’s Attorney General.

The Anonymous video also reminds everyone that Governor Scott was previously declared guilty of Medicaid fraud.

Anonymous’ ongoing war with the political class

This is neither the first nor the last time that Anonymous has gone after political figures, in the US or other countries. Previously, the group issued similar threats against Donald Trump, Ted Cruz, and Denver Mayor Michael Hancock.

Unlike the case of Mayor Hancock, this time, the hacker group hasn’t provided any shred of evidence for their accusations. In most of these cases, the group only launched small DDoS attacks against public institutions or the target’s personal websites.

Long gone are the days when Anonymous would leak sensitive documents to support their claims.

In 2014, Anonymous had another run-in with the state of Florida, when the group targeted the city of Fort Lauderdale because of its treatment of the homeless. In 2011, Anonymous also brought down government sites in Orlando, after the city started arresting people giving food to groups of homeless people larger than 25.

 

Source:  http://news.softpedia.com/news/anonymous-goes-after-florida-gov-rick-scott-for-polluting-the-gulf-of-mexico-504445.shtml

A new botnet has been discovered that takes login credentials

A new botnet has been discovered that takes login credentials from a less-secure site and tests them on banking and financial transactions sites, leaving users who reuse the same password across sites vulnerable to attack.

Internet security firm ThreatMetrix described the botnet in its Cybercrime Report covering the first quarter of 2016. In it, the firm said that botnet attacks have evolved from large-scale distributed denial of service (DDoS) attacks to low-and-slow attacks, which are more difficult to detect. Rather than taking down a site or server, the new botnets mimic trusted customer behavior and logins to access accounts.

The new bots get customer login information from a lower-security site: one with ‘modest sign-up requirements’ for the creation of username/password combinations. The botnets take a list of user credentials from the dark web and run ‘massive credentialing sessions’ on lower-security sites. Often sites that provide content, like Netflix or Spotify, will be targeted for the first phase of attack as they have millions of customers and lower security requirements than most financial institutions and e-commerce sites. “These attacks result in huge spikes over a couple of days with sustained transaction levels of over 200 transactions / second as they slice down the list.” Every time they get a hit with a username/password combination it goes on a list, which is then used to launch a low-and-slow attack on financial and e-commerce institutions. These attacks are difficult to detect and comprised 264 million attacks on e-commerce websites in the first quarter of 2016 alone. They noted an overall 35% growth in bot attacks from the last quarter of 2015 to the first of 2016, a number which is expected to continue to grow.

“With recent data breaches, and the tendency for users to share passwords across websites, cybercriminals find it more lucrative to use a trusted credit card from a valid customer account than it is to attempt to re-use a stolen card that has a limited shelf life. This quarter saw the highest level of attacks on e-commerce with more than 60 million rejected transactions, representing a 90% increase over the previous year.”

Using known combinations targets those who reuse passwords on low- and high-security websites. While users have been warned against this practice for years, some reports still show that it is common practice. A 2013 report by UK communications watchdog OfCom showed that 55% of adults reuse the same passwords across sites. A similar 2015 study by TeleSign showed 73% of web accounts were protected by duplicated passwords.
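The two phases described above (a fast “credentialing session” against a low-security site, then a low-and-slow replay of the hits against financial sites) leave the same fingerprint in an authentication log: one source trying many distinct usernames with a low success rate. The following detector is an added example, not code from ThreatMetrix or the article; the log format, the thresholds and the sample lines are all constructed for illustration. The same sliding-window check catches the burst phase with a short window and the slow phase with a long one, and the accounts that did succeed from a flagged source are the ones that belong on a forced-reset list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO-8601 UTC> login ip=<src> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a legitimate user who mistypes twice, a burst session trying
# eight usernames in two minutes, and a slow session trying six usernames an hour apart.
SAMPLE_LOG = """
2016-05-20T09:58:00Z login ip=192.0.2.5 user=alice result=FAIL
2016-05-20T09:58:20Z login ip=192.0.2.5 user=alice result=FAIL
2016-05-20T09:58:45Z login ip=192.0.2.5 user=alice result=OK
2016-05-20T10:00:00Z login ip=198.51.100.7 user=bob result=FAIL
2016-05-20T10:00:15Z login ip=198.51.100.7 user=carol result=OK
2016-05-20T10:00:30Z login ip=198.51.100.7 user=erin result=FAIL
2016-05-20T10:00:45Z login ip=198.51.100.7 user=frank result=FAIL
2016-05-20T10:01:00Z login ip=198.51.100.7 user=grace result=FAIL
2016-05-20T10:01:15Z login ip=198.51.100.7 user=heidi result=FAIL
2016-05-20T10:01:30Z login ip=198.51.100.7 user=ivan result=FAIL
2016-05-20T10:01:45Z login ip=198.51.100.7 user=judy result=FAIL
2016-05-21T01:00:00Z login ip=203.0.113.9 user=ken result=FAIL
2016-05-21T02:00:00Z login ip=203.0.113.9 user=leo result=FAIL
2016-05-21T03:00:00Z login ip=203.0.113.9 user=mia result=FAIL
2016-05-21T04:00:00Z login ip=203.0.113.9 user=ned result=FAIL
2016-05-21T05:00:00Z login ip=203.0.113.9 user=olga result=FAIL
2016-05-21T06:00:00Z login ip=203.0.113.9 user=dave result=OK
"""


def parse(lines):
    """Turn log lines into (timestamp, ip, user, result) tuples; unknown lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_ratio=0.2):
    """Flag source IPs that, inside any sliding window, try at least min_users distinct
    usernames with a success ratio at or below max_success_ratio.
    A short window catches the burst phase; a window of hours catches low-and-slow replay."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) < min_users:
                continue
            successes = sum(1 for _, _, r in win if r == "OK")
            if successes / len(win) <= max_success_ratio:
                alerts[ip] = {"distinct_users": len(users), "attempts": len(win), "successes": successes}
                break   # one alert per source is enough
    return alerts


def compromised_accounts(events, alerts):
    """Usernames that authenticated successfully from a flagged source: candidates for a forced reset."""
    return {user for _, ip, user, result in events if ip in alerts and result == "OK"}


EVENTS = parse(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    burst = detect_stuffing(EVENTS, window=timedelta(minutes=10))
    slow = detect_stuffing(EVENTS, window=timedelta(hours=24))
    print("burst-phase sources:", burst)
    print("low-and-slow sources:", slow)
    print("accounts to reset:", compromised_accounts(EVENTS, slow))
```

The legitimate user never trips the check because the distinct-username count, not the failure count, is what drives it; a single user fumbling a password looks nothing like a list being “sliced down”. In production the long window is the one that matters for the financial-site phase, and the reset list should feed the password-reuse warning the article ends on.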

Source:  https://thestack.com/security/2016/05/24/new-botnet-targets-password-recycling/

Anonymous Launches DDoS Attacks on Banks in “Op Icarus”

Headlines have been dominated this week by the Anonymous campaign of DDoS attacks against financial institutions all over the world. Named “Op Icarus” in honor of the character from Greek mythology, the campaign seeks to punish what Anonymous views as “corrupt” banks and individuals in the financial sector.

As we all know, distributed denial of service (DDoS) attacks can strike any industry or any organization at any time and without warning. Hacktivism like that carried out by Anonymous and their base of dedicated hackers often involves the use of DDoS attacks, since they provide quick results at low cost, and with minimal risk of compromising the identities of the perpetrators. What’s more, the service downtime they bring about can cause damage to the tune of six-figure sums, so it’s an ideal part of the toolkit for the hacktivist – a fact that is bolstered by people diversifying the techniques behind DDoS attacks.

Distributed denial of service attacks have been a threat to service availability for more than a decade. However, these DDoS attacks have become increasingly sophisticated and multi-vector in nature, overcoming traditional defense mechanisms or reactive countermeasures. These pointed attack campaigns continue to reinforce a growing need for DDoS attack mitigation solutions that can properly defeat attacks at the network edge, and ensure the accessibility required for the financial institutions to maintain business operations in the face of an attack.

While the impact of the “Op Icarus” DDoS campaign on its individual targets is unclear, obstructing or eliminating the availability of email servers is significant. In an online world any type of service outage is barely tolerated, especially in the banking industry where transactions and communications are often time-sensitive, and account security is of utmost importance.

Until distributed denial of service attacks are effectively mitigated as a norm, we can expect hacker communities such as Anonymous to continue gaining notoriety as they bring services down, take websites offline and cause havoc on the internet in pursuit of their goals. 2016 has been a tough year for the finance sector in regard to cybersecurity, with the massive cyber heist of the Bangladesh Bank as well as the Qatar National Bank data leak having taken place already. It’s safe to say that banks across the globe need maximum security not only for their safes and vaults, but also for their networks. Regardless of the motivations for these attacks, financial firms must be proactive in their defenses.

Source:  https://www.corero.com/blog/725-anonymous-declares-ddos-attacks-on-financial-sector-in-op-icarus.html

DDoS attacks Explained

DDoS is short for Distributed Denial of Service.

DDoS is a type of DoS attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system, causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack.

How DDoS Attacks Work

According to this report on eSecurityPlanet, in a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address; plus, it is very difficult to distinguish legitimate user traffic from attack traffic when spread across so many points of origin.

The Difference Between DoS and DDoS Attacks

A Denial of Service (DoS) attack is different from a DDoS attack. The DoS attack typically uses one computer and one Internet connection to flood a targeted system or resource. The DDoS attack uses multiple computers and Internet connections to flood the targeted resource. DDoS attacks are often global attacks, distributed via botnets.

Types of DDoS Attacks

There are many types of DDoS attacks. Common attacks include the following:

  • Traffic attacks: Traffic flooding attacks send a huge volume of TCP, UDP and ICMP packets to the target. Legitimate requests get lost and these attacks may be accompanied by malware exploitation.
  • Bandwidth attacks: This DDoS attack overloads the target with massive amounts of junk data. This results in a loss of network bandwidth and equipment resources and can lead to a complete denial of service.
  • Application attacks: Application-layer data messages can deplete resources in the application layer, leaving the target’s system services unavailable.
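The distinction between a DoS and a DDoS, and between the traffic and bandwidth categories listed above, can be made from per-second flow records alone. The classifier below is an added example written for this explainer, not code from eSecurityPlanet or the blog; its flow-record layout, thresholds and sample traffic are constructed. It labels each second of traffic toward one destination as a bandwidth attack (bytes per second dominate), a traffic attack (packets per second dominate, named by the protocol that carries them, with SYN-only TCP flows identifying a SYN flood), or normal, and separately decides whether the load is distributed: only when it comes from many sources with no single one dominating does blocking one address stop being an option, which is the point the “How DDoS Attacks Work” section makes. Application-layer attacks need request-level inspection and are deliberately out of scope here.

```python
from collections import Counter, defaultdict

# Flow record layout (assumption): (second, src_ip, dst_ip, proto, packets, bytes, syn_only)
# syn_only marks TCP flows that carried nothing but SYN packets (half-open attempts).

# Thresholds are illustrative values chosen for this example, not a vendor's defaults.
PPS_THRESHOLD = 50_000        # packets per second toward one destination
BPS_THRESHOLD = 100_000_000   # bytes per second toward one destination
PROTO_SHARE = 0.8             # share of packets one protocol must hold to be named
MIN_SOURCES = 10              # fewer sources than this is treated as single-origin DoS
TOP_SOURCE_SHARE = 0.5        # one source carrying over half the packets is not "distributed"

DST = "203.0.113.10"


def build_sample():
    """Constructed traffic: background clients every second, a UDP volumetric flood in
    second 2, a single-source ICMP flood in second 3 and a SYN flood in second 4."""
    flows = []
    for t in range(5):
        for src in ("192.0.2.5", "192.0.2.6", "192.0.2.7"):
            flows.append((t, src, DST, "TCP", 2, 1500, False))
    for n in range(40):   # 40 sources x 5000 packets x 7 MB: bandwidth attack
        flows.append((2, f"198.51.100.{n + 1}", DST, "UDP", 5000, 7_000_000, False))
    flows.append((3, "198.51.100.200", DST, "ICMP", 150_000, 9_000_000, False))
    for n in range(60):   # 60 sources of SYN-only flows, small bytes: traffic attack
        flows.append((4, f"198.18.0.{n + 1}", DST, "TCP", 2000, 120_000, True))
    return flows


def classify_second(flows):
    """Classify one second of flow records aimed at a single destination."""
    total_pkts = sum(f[4] for f in flows)
    total_bytes = sum(f[5] for f in flows)
    by_src, by_proto, syn_pkts = Counter(), Counter(), 0
    for _, src, _, proto, pkts, _, syn_only in flows:
        by_src[src] += pkts
        by_proto[proto] += pkts
        if syn_only:
            syn_pkts += pkts
    if total_pkts == 0:
        return {"kind": "normal", "packets": 0, "bytes": 0, "sources": 0,
                "top_source": None, "distributed": False}
    if total_bytes >= BPS_THRESHOLD:
        kind = "bandwidth attack (volumetric flood)"
    elif total_pkts >= PPS_THRESHOLD:
        if syn_pkts / total_pkts >= PROTO_SHARE:
            kind = "traffic attack (SYN flood)"
        elif by_proto["ICMP"] / total_pkts >= PROTO_SHARE:
            kind = "traffic attack (ICMP flood)"
        else:
            kind = "traffic attack (mixed packet flood)"
    else:
        kind = "normal"
    top_src, top_pkts = by_src.most_common(1)[0]
    # Distributed only if many sources share the load; a dominant single source is a plain DoS.
    distributed = len(by_src) >= MIN_SOURCES and top_pkts / total_pkts <= TOP_SOURCE_SHARE
    return {"kind": kind, "packets": total_pkts, "bytes": total_bytes,
            "sources": len(by_src), "top_source": top_src, "distributed": distributed}


def classify_flows(flows, dst):
    """Bucket flows toward dst by second and classify each bucket."""
    per_second = defaultdict(list)
    for f in flows:
        if f[2] == dst:
            per_second[f[0]].append(f)
    return {t: classify_second(fs) for t, fs in sorted(per_second.items())}


if __name__ == "__main__":
    for t, r in classify_flows(build_sample(), DST).items():
        origin = "distributed" if r["distributed"] else f"single-origin ({r['top_source']})"
        print(f"t={t}: {r['kind']}, {r['packets']} pps, {r['bytes']} Bps, {r['sources']} sources, {origin}")
```

The ICMP second is classified as a flood but not as distributed, so a single-address block is a valid first response there; the UDP and SYN seconds are distributed, which is where upstream filtering or scrubbing is needed. On real flow exports, the thresholds should come from the destination’s own measured baseline rather than fixed constants.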

Source:  http://trickytamilan.blogspot.ca/2016/05/ddos-explained-fully.html

Commercial Bank of Ceylon website hit by hack attack

The Sri Lanka-based Commercial Bank of Ceylon has released a statement admitting that a “hacking attack” on its website resulted in a successful intrusion – however, it maintained that no customer data has been compromised.

The bank, which released a statement in the wake of major cyberattacks targeting the Bangladesh central bank and an unnamed firm in Vietnam, claimed to have successfully defended itself and said its systems have now been fully restored.

A notice posted to the bank’s website confirmed: “There was a hacking attack on our website and the bank took immediate corrective steps. Our systems are fully secure and operational. The hacking attack was also immediately communicated to the relevant authorities.

“We confirm that no sensitive customer data or valuable passwords were lost due to this intrusion. We are taking every measure to protect the privacy of our customers and have engaged external parties to review all our systems to ensure that no vulnerabilities exist.”

The statement did not elaborate on when the so-called ‘intrusion’ took place or exactly what computer systems were targeted by hackers. The breach notification notice has been pinned to the front page of the website. IBTimes UK contacted the bank for additional comment but had received no response at the time of publication.

Indeed, a hacking group recently posted what purported to be information from a Sri Lanka-based Commercial Bank online, as reported by Bank Info Security. The leaked files allegedly included 158,276 files in 22,901 folders and featured annual reports, application forms, financial statements, PHP files, web development backups and other documents from the bank’s corporate front-end website. Based on analysis of this data dump, no customer data appeared to be present and security researchers concluded the data was old. The links to the data dump have since been removed from the web.

The news comes after similar disclosures from the Qatar National Bank (QNB). As previously reported, hackers released data that included names, addresses, credit card data and National ID numbers of QNB customers – alongside more suspicious information that was labelled as belonging to Al-Jazeera journalists, the Al-Thani Royal Family and even members of the country’s security services.

Additionally, the Ceylon cyberattack has emerged as hacking collective Anonymous continues to launch cyberattacks against a slew of financial institutions as part of ‘Op Icarus’. It remains unclear if the Sri Lanka incident was the result of a distributed-denial-of-service (DDoS)-style assault, an SQL injection tool or if the attacker was using more sophisticated methods.

A global cyber-scheme

Making matters more complicated, in recent weeks a number of banks have been targeted by hackers with darker motives. The Commercial Bank statement comes after it was confirmed a bank in Vietnam successfully foiled a cyberattack that attempted to compromise sensitive data via the Swift secure messaging service – which is used by over 11,000 financial institutions to send messages and large sums of money across the globe.

The firm in question, Hanoi-based Tien Phong Bank, revealed that in the fourth quarter of last year it identified suspicious requests sent through fraudulent messages on the ‘Swift’ platform that were trying to transfer more than $1m. Tien Phong was quick to stress the attack did not cause any loss of information and that its connection to Swift was not compromised.

However, the Bangladesh central bank, which was attacked in February, was not so lucky. As previously reported, hackers were able to steal roughly $81m (£56m) from its account at the Federal Reserve Bank of New York and then transfer the funds to various bank accounts located in the Philippines.

For its part, Swift recently released a statement acknowledging “a small number of recent cases of fraud.” It said: “First and foremost we would like to reassure you again that the Swift network, core messaging services and software have not been compromised.

“The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyberattacks, or a combination of both.”

Meanwhile, BAE Systems has released an in-depth report claiming the malware used in these previous attacks was similar in design to that used in the cyberattack against Sony Pictures in 2014.

 

Source:  http://www.ibtimes.co.uk/commercial-bank-ceylon-website-hit-by-hack-attack-1560271

Anonymous Threatens Bank DDoS Disruptions

After earlier this year declaring “total war” against U.S. Republican presidential candidate Donald Trump, the hacktivist group Anonymous is now threatening global banks with 30 days of distributed denial-of-service attack disruptions.

As a preview, on May 2, the group claimed to have disrupted the website of Greece’s central bank. “Olympus will fall. A few days ago we declared the revival of Operation Icarus. Today we have continuously taken down the website of the Bank of Greece,” the group said in the video posted on YouTube and delivered in the classic Anonymous style via a disembodied, computerized voice.

“This marks the start of a 30-day campaign against central bank sites across the world,” it adds. “Global banking cartel, you’ve probably expected us.”

Of course, banks have previously been targeted en masse by DDoS attackers. Beginning in 2012, for example, attacks waged by a group calling itself the “Izz ad-Din al-Qassam Cyber Fighters” continued to disrupt U.S. banks’ websites as part of what it called “Operation Ababil.” In March, the Justice Department unsealed indictments against seven Iranians – allegedly working on behalf of the Iranian government – accusing them of having waged those attacks. Regardless of who was involved, it’s unclear if Anonymous could bring similar DDoS capabilities to bear for its Operation Icarus.

A Central Bank of Greece official, who declined to be named, confirmed the May 2 DDoS disruption to Reuters, though said the effect was minimal. “The attack lasted for a few minutes and was successfully tackled by the bank’s security systems. The only thing that was affected by the denial-of-service attack was our website,” the official said. Greek banks have been previously targeted by DDoS extortionists, demanding bitcoins.

“It would have been better if no disruption occurred, but it is good that the attack – if that is what caused the disruption – was handled so quickly,” says information security expert Brian Honan, who’s a cybersecurity expert to the EU’s law enforcement intelligence agency, Europol.

A “World Banking Cartel Master Target List” published by Anonymous to text-sharing site Pastebin early this month lists the U.S. Federal Reserve, as well as Fed banks in Atlanta, Boston, Chicago, Dallas, Minneapolis, New York, Philadelphia, Richmond and St. Louis. Also on the target list are websites for the International Monetary Fund, the World Bank as well as 158 central banks’ websites. In a related video missive issued March 31, Anonymous urged its members to “take your weapons and aim them at the New York Stock Exchange and Bank of England,” promising that “this is the operation to end all others.”

The planned Anonymous operation follows elements of the collective earlier this year declaring “total war” against Trump, and on April 1 temporarily disrupting several of Trump’s websites, The Hill reports. Since then, of course, Trump has become the only Republican presidential candidate left standing after his massive win in this week’s Indiana primary.

Banks: Beware DDoS Threats

While the Anonymous bark doesn’t always equal its bite, in the wake of this alert, “banks in the United Kingdom, United States and Latin America should be very prepared” against potential attacks, says Carl Herberger, vice president of security for DDoS-mitigation and security firm Radware.

“In the same vein as someone yelling ‘bomb’ at an airport or fire at a movie theater, cyber-attack threats – whether idle or not – are not to be taken lightly,” he says, although he adds that the number of threatened DDoS attacks outweighs the quantity of actual attacks.

Herberger says in light of the new threat, all banks should review their DDoS defense plans, keeping in mind that DDoS attackers do continue to refine their tactics, as seen in the disruption of Geneva-based encrypted email service ProtonMail.

“As the attacks on ProtonMail in November 2015 have demonstrated … attackers change the profile of their attacks frequently and leverage a persistent and advanced tactic of revolving attacks geared to dumbfound detection algorithms,” he says, dubbing such tactics “advanced persistent DoS.”

Maintain a DDoS Defense Plan

Security experts have long recommended that all organizations have a DDoS defense plan in place. The U.K.’s national fraud and cybercrime reporting center, ActionFraud, for example, recently issued the following advice to all organizations:

  • Review: “Put appropriate threat reduction/mitigation measures in place,” tailored to the risk DDoS disruptions would pose to the organization.
  • Hire: If DDoS attacks are a threat, seek professional help. “If you consider that protection is necessary, speak to a DDoS prevention specialist.”
  • Prepare: All organizations should liaise with their ISP in advance of any attack. “Whether you are at risk of a DDoS attack or not, you should have the hosting facilities in place to handle large, unexpected volumes of website hits.”

DDoS Extortions Spike

The guidance from ActionFraud, released April 29, also warned that the center has recently seen a spike in DDoS extortion threats from an unnamed “online hacking group” demanding the equivalent of $2,250 to call off their planned attack.

“The group has sent emails demanding payment of 5 bitcoins to be paid by a certain time and date. The email states that this demand will increase by 5 bitcoins for each day that it goes unpaid,” ActionFraud’s alert states. “If their demand is not met, they have threatened to launch a [DDoS] attack against the businesses’ websites and networks, taking them offline until payment is made.”

ActionFraud advises targeted organizations: “Do not pay the demand.” That echoes longstanding advice from law enforcement agencies globally. ActionFraud also urges organizations to keep all copies of DDoS extortion emails – including complete email headers – as well as a complete timeline for the threats and any attacks, and to immediately report threats or attacks to authorities.

Investigators say that keeping complete records – including packet-capture logs – is essential for helping to identify perpetrators. Or as ActionFraud advises: “Keep a timeline of events and save server logs, web logs, email logs, any packet capture, network graphs, reports, etc.”

Masquerading as Armada Collective?

CloudFlare, a DDoS mitigation firm, reports that related attacks began in March and have been carried out under the banner of Armada Collective, as well as potentially Lizard Squad, although it’s not clear if those groups are actually involved.

It’s also unclear if the threatened DDoS disruptions have ever materialized. “We’ve been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack,” CloudFlare CEO Matthew Prince says in a blog post. “In fact, because the extortion emails reuse bitcoin addresses, there’s no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments.”

Source: http://www.bankinfosecurity.com/anonymous-threatens-bank-ddos-disruptions-a-9085

Source:  http://www.ddosattacks.net/anonymous-threatens-bank-ddos-disruptions/