Dark Reading is part of the Informa Tech Division of Informa PLC


Anonymous Steps Into Gaza Crisis

Website defacing and Anonymous DDoS campaign pale next to ongoing cyberattacks apparently launched from Iran and Palestine, security experts say.

As the Gaza crisis has escalated, so has the response from hackers.

After Israel began air strikes in the Gaza strip last Wednesday, Anonymous launched Operation Israel (OpIsrael), which involves distributed denial-of-service (DDoS) attacks against Israeli government and business websites. By Tuesday, Israeli officials said they'd seen 44 million hacking attempts launched at government websites.

Beyond the DDoS attacks, multiple hacking groups have been practicing the digital equivalent of spray painting graffiti messages on walls, by defacing numerous Israeli websites, including the Facebook page of Israeli prime minister Silvan Shalom, which they recently customized with a "free Palestine" slogan. A group called the Z Company Hacking Crew claimed credit for the Facebook defacement, as well as taking over Shalom's Twitter, YouTube, and Blogspot accounts. "This hack is a team work. There were many members involved who were simultaneously handling different social media," read a Wednesday post to the group's Twitter feed.

The Z Company Hacking Crew disputed news reports that any element of Anonymous had participated in its attacks, saying via Twitter: "Please dont (sic) associate us with any one else. We are not hamas we are not anonymous." The group Wednesday promised to publish information it had stolen from Shalom, including "his contacts, docs, and some other interesting stuff."

Meanwhile, a hacker claiming to be "Zombie_KsA," the founder of the Pakistani PAKbugs black hat community, took credit for defacing the Israeli websites of BBC, Coca-Cola and Intel, as well as several websites managed by Microsoft. A Microsoft spokesman told Softpedia that it didn't appear that any customer data had been compromised as a result of the attacks.

But after the attacks, someone claiming to be the real Zombie_KsA said he wasn't behind the defacements, which he blamed on script kiddies who used his name. To try to clear his name, Zombie_KsA published an analysis of the attacks on the PAKbugs website, noting that it took him only five minutes to retrace the vulnerabilities the attackers had used to gain access to the website of an Israeli domain name registrar, Galcomm, which Microsoft and the other companies apparently used to register their domain names.

According to Zombie_KsA, attackers most likely didn't directly deface the targeted websites, but rather used a SQL injection attack -- via Havij or another automated attack tool -- against the Galcomm site, then accessed the targeted companies' Galcomm accounts, altered the domain name settings for each site, then uploaded their website defacements.

"For security reasons we are not disclosing exact injectable links, and we have informed [the] right authorities about vulnerability," said Zombie_KsA, who also criticized the state of Galcomm's website, saying it had been "poorly coded in .NET."

Despite the uptick in DDoS attacks and website attacks being launched at Israeli government websites and businesses over the past week, security experts said the damage still pales in comparison to the malware-driven online espionage campaign that's been targeting Israel for the past year. Earlier this month, researchers at security firm Norman reported that for more than a year, a group of attackers has been using the xTreme remote access Trojan (RAT) to attack targets first in Palestine and then in Israel, using phishing emails referring to current news events.

"The attacker is unknown at this point, but the purpose is assumed to be espionage/surveillance," said Snorre Fagerland, principal security researcher at Norman, in a related report. "These attacks have been ongoing for at least a year."

The related attacks and resulting malware infections recently led Israeli authorities to take Israeli police computers offline, as well as to ban the use of removable media, through which the malicious backdoor software used by the attackers was apparently able to spread.

As with most types of cyber espionage, clearly identifying who launched or sponsored the attacks remains difficult. "It is interesting that the operation apparently shifted over time from Palestinian target to Israeli target," said Fagerland in a blog post. "This can be due to changes in the political situation, or maybe the first half of the operation uncovered something that caused the target shift." While some analysts have suggested that Iran was behind the attacks, Fagerland refused to speculate.

But Aviv Raff, the chief technology officer of Seculert, said that the location of the command-and-control servers involved, as well as the content of the emails, showed that the attacks came from Palestine, reported The New York Times.

IngaTuMa,
User Rank: Apprentice
11/22/2012 | 2:52:03 AM
re: Anonymous Steps Into Gaza Crisis
The Host, The Country of Palestine is almost dead, because of the Parasite is taking over it since 1947, a parasite called Israel!
Jamil1,
User Rank: Apprentice
11/22/2012 | 2:29:52 AM
re: Anonymous Steps Into Gaza Crisis
There is no such country as Palestine. Please tell me where it is located, what the currency is, and what countries have ambassadors there.