Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

2/13/2016
08:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Valentine's Day Inspires DDoS Attacks Against Online Florists

Security vendor Imperva says it has observed a sharp increase in automated bot traffic directed at florist sites.

Cyber criminals have shown a consistent tendency to exploit major news and seasonal events to slip phishing and other malicious attacks past unwary victims. And so it is with this Valentine’s Day as well.

Florists apparently have been receiving a lot of attention, of the unwanted variety, from online criminals, security vendor Imperva reported this week. All 34 of the company’s florist customers have experienced a sharp spike in traffic to their sites over the last few days. While some of the traffic is to be expected, considering the rush to order flowers for Valentine’s Day -- a lot of it is not.

According to Imperva, more than nine in 10 of the florist sites witnessed a sudden surge in bot traffic between February 5 and February 11. In about 23% of the cases, the spike in bot traffic was dramatic enough to cause problems. Contrary to what some might expect, the attack traffic did not appear to be opportunistic in nature. Rather, it looked as if the florists were being individually targeted in denial-of-service campaigns apparently designed to extort money from them.

One of Imperva’s florist customers reported receiving a ransom note, while another experienced an application-layer denial of service attack, Imperva said. In the case of the latter victim, the company’s Content Distribution Network (CDN) provider interpreted the botnet traffic as regular user sessions, resulting in the site exceeding its contracted cache capacity. This in turn caused the CDN to route the attack traffic through its own origin servers, resulting in their site going down under DDoS traffic.

A screenshot published on Imperva’s blog shows that some of the Web application attacks had originated in the United Kingdom, though one appeared to be from Latvia. Somewhat surprisingly, attackers were still going after old vulnerabilities such as Shellshock in an attempt to breach systems belonging to their targets, according to Imperva.

Florists can mitigate the threat by monitoring their traffic for unexpected behavior, like heavier than normal traffic spikes, or visits from unfamiliar IP addresses. “Any unusual activity could be 'dry runs' by attackers foreshadowing an imminent full-blown attack,” Imperva said.

The company also urged florists to monitor Twitter and sites such as Pastebin.com for chatter hinting at a potential attack on their sites.

The sudden spike in malicious traffic directed at online florists reflects a common tendency among cyber crooks to escalate malware campaigns and attacks around seasonal events and major news happenings.

Earlier this year, mobile network protection vendor Adaptive Mobile reported on a series of picture message spam campaigns on the Kik messenger service that were timed to coincide with seasonal events.

The spam messages involved the use of images belonging to well-known brands to try and get recipients to follow links to malicious websites. What was noteworthy was the fact that each campaign was tied to a specific event. For instance, one of the Kik spam campaigns was launched around Halloween, and featured an image message purportedly from Amazon. Another campaign around Thanksgiving involved spam featuring spoofed McDonalds images, while one in the days preceding Cyber Monday featured BestBuy-related spam.

While the campaign was not technically very sophisticated, the effort put into creating individual picture messages purporting to be from major brands, suggested a specialist campaign, Adaptive Mobile had noted.

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9351
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the a...
CVE-2020-9352
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
CVE-2020-9353
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML ...
CVE-2020-9354
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. pat...
CVE-2020-9355
PUBLISHED: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.