Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/9/2015
04:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cybercriminal Gang Extorts Businesses Via DDoS Attacks

Since April, the so-called DD4BC group has been responsible for at least 114 DDoS attacks on Akamai customers, vendor says.

A group of threat actors calling themselves DD4BC has been attempting to extort money from financial companies and other business by threatening to hit them with massive distributed denial of service attacks (DDoS), content delivery vendor Akamai said in a report published today.

The group has been active since at least September 2014, but appears to be ratcheting up its operations and going after a broader cross section of targets. Since April 2015, the group has hit at least 114 Akamai customers with DDoS attacks, with an average peak bandwidth of around 13.34 Gbps.

The largest of the attacks that Akamai observed generated over 56.2 Gbps of traffic. At the height of the group’s activity in June, Akamai mitigated at least 8 DDoS attacks that had peak bandwidths of more than 23 Gbps.

In DDoS attacks, threat actors use botnets to direct large volumes of useless traffic to a target network with the intention of overwhelming it. Generally, the higher the sustained peak bandwidth of a DDoS attack, the more potential it has to knock a website offline or make it completely inaccessible from the outside.

With DD4BC, the attacks were preceded by emails from members of the group that have attempted to extort money from the targets, Akamai found. Victims were first informed that a low-level DDoS attack would be launched against their site if they did not pay a specific ransom amount in Bitcoins within a particular time period. The emails included details on how and where the victims would pay, and included a promise not to target them again if they complied.

Messages that were ignored were quickly followed with more ominous threats about bigger DDoS attacks and higher ransom amounts.

Samples of the threatening emails posted by Akamai show that the ransom amounts demanded by the group were relatively modest, ranging from 25 Bitcoins to 50 Bitcoins, or between $6,000 and $12,000 at current currency exchange rates.

"Your site is going under attack unless you pay 25 Bitcoin," one email stated. "Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps, so don’t even bother."

The email goes on to inform the target that a low-level DDoS attack was being launched against it to demonstrate the seriousness of the threat. The attackers promise never to threaten the victim again if the ransom is paid up: "We do bad things, but we keep our word."

Subsequent emails warn the victim against ignoring the ransom demand. "And you are ignoring us. Probably because you don’t want to pay extortionists. And you believe that after sometime we will give up. But we never give up," the follow-up messages read.

Lisa Beegle, manager at Akamai’s Prolexic Security Engineering & Research Team (PLXsert) describes DD4BC as a dangerous group. "This group has definitely followed through" with its threats, Beegle says. "If an organization gets a note [from DD4BC], they should take it seriously," she says.

Beegle says it’s difficult to know for sure how many organizations have paid the ransom demanded by DD4BC. But it is likely that at least a few of them have complied with the demands, she says.

From the size of the attacks that Akamai has observed, it’s highly unlikely that DD4BC has the ability to launch the 400 to 500 Gbps attacks that the group mentions in its extortion emails, Beegle notes.

At the same time, the average peak attack bandwidths achieved by the group are enough to overwhelm many websites, she says. "The average organization has a 10 Gbps pipeline," Beegle says. "So a 13 GBPs attack would exceed their bandwidth capacity."

Financial services firms were targeted in 58 percent of these attacks. Of that number, banks and credit unions accounted for 35 percent of the attacks, 13 percent involved currency exchanges while the rest were payment processing firms, according to Akamai.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12420
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2019-16774
PUBLISHED: 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
CVE-2018-11805
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
CVE-2019-5061
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
CVE-2019-5062
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...