Distributed denial of service attacks are an IT team’s worst nightmare. The sudden floods of Internet traffic to public facing web- or application servers can bring your company’s online edifice tumbling down. If yours is an online business, DDoS attacks can translate into millions of dollars in lost revenue for every hour of downtime.
As bad as they are, however, DDoS attacks may be the least of your problems. As the hack last week of the UK-based Carphone Warehouse indicates, DDoS attacks these days are often just a distraction from the real thrust of a cyber operation: data theft.
As reported here, hackers used a denial of service attack against Carphone Warehouse websites like OneStopPhoneShop.com, e2save.com and Mobiles.co.uk to distract its IT team from a coordinated hack of their customer database, which resulted in the theft of information on 2.4 million customers. In the end, around 90,000 of those customers had credit card information stolen – though the data was encrypted.
This isn’t a new technique. Back in 2013, Brian Krebs noted the use of DDoS attacks as a technique used by cyber criminals to cover up illegal wire transfers from compromised accounts. In 2014, the FFIEC went so far as to warn banks about the use of DDoS as a diversionary tactic by cyber criminals.
But banks aren’t the only targets of this technique. As this article from eWeek notes, the hackers who stole account information from millions of Sony’s customers likewise used massive denial of service attacks to distract Sony’s IT team while the data exfiltration was taking place.
In fact, the security firm Neustar observed that the duration of DDoS attacks has declined precipitously in recent years. In their 2014 security report, the firm said that the percentage of their customers who reported DDoS attacks that lasted less than a day jumped more than 10 percent between 2012 and 2013, to 77 percent. At the same time, the percentage reporting DDoS attacks lasting over a week declined from 13 percent to under 2 percent.
The reason, Neustar theorized, was the increasing use of DDoS as a “smokescreen” to cover for data theft and other malicious activity. In other words: attacks that have been historically been used to inflict pain on their victims are now mostly a distraction: the online equivalent of a fire in the trashcan.
What should security conscious firms do? Neustar and others advise companies to be on guard for DDoS attacks that may be diversionary. These tend to be shorter and more intense in nature, and they are often not followed by extortionate demands from those behind the DDoS (after all: they already have what they want).
Companies should drill their IT and security teams on DDoS scenarios and part of that should be identifying resources and tools that can keep a wary eye for suspicious activity after a DDoS has started. Monitoring tools that can alert IT staff to data exfiltration or other suspicious transactions are a must.
Finally, investing in dedicated DDoS protection and mitigation tools can help deflect attacks and make it easier for IT staff to keep their wits about them during an incident.
