DDoS As a Cover for Data Theft

Distributed denial of service attacks are IT teams' worst nightmare - but they may be the least of your problems, experts say.

Distributed denial of service attacks are an IT team’s worst nightmare. The sudden floods of Internet traffic to public-facing web or application servers can bring your company’s online edifice tumbling down. If yours is an online business, DDoS attacks can translate into millions of dollars in lost revenue for every hour of downtime.

As bad as they are, however, DDoS attacks may be the least of your problems. As the hack last week of the UK-based Carphone Warehouse indicates, DDoS attacks these days are often just a distraction from the real thrust of a cyber operation: data theft.

As reported here, hackers used a denial of service attack against Carphone Warehouse websites like OneStopPhoneShop.com, e2save.com and Mobiles.co.uk to distract its IT team from a coordinated hack of their customer database, which resulted in the theft of information on 2.4 million customers. In the end, around 90,000 of those customers had credit card information stolen – though the data was encrypted.

This isn’t a new technique. Back in 2013, Brian Krebs noted the use of DDoS attacks as a technique used by cyber criminals to cover up illegal wire transfers from compromised accounts. In 2014, the FFIEC went so far as to warn banks about the use of DDoS as a diversionary tactic by cyber criminals.

But banks aren’t the only targets of this technique. As this article from eWeek notes, the hackers who stole account information from millions of Sony’s customers likewise used massive denial of service attacks to distract Sony’s IT team while the data exfiltration was taking place.

In fact, the security firm Neustar observed that the duration of DDoS attacks has declined precipitously in recent years. In their 2014 security report, the firm said that the percentage of their customers who reported DDoS attacks that lasted less than a day jumped more than 10 percent between 2012 and 2013, to 77 percent. At the same time, the percentage reporting DDoS attacks lasting over a week declined from 13 percent to under 2 percent.

The reason, Neustar theorized, was the increasing use of DDoS as a “smokescreen” to cover for data theft and other malicious activity. In other words, attacks that have historically been used to inflict pain on their victims are now mostly a distraction: the online equivalent of a fire in the trashcan.

What should security-conscious firms do? Neustar and others advise companies to be on guard for DDoS attacks that may be diversionary. These tend to be shorter and more intense in nature, and they are often not followed by extortionate demands from those behind the DDoS (after all, they already have what they want).

Companies should drill their IT and security teams on DDoS scenarios, and part of that should be identifying resources and tools that can keep a wary eye out for suspicious activity after a DDoS has started. Monitoring tools that can alert IT staff to data exfiltration or other suspicious transactions are a must.
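The monitoring described above, as an added example that is not from the original article: it compares each internal host's outbound byte volume after a DDoS begins against that host's own pre-attack baseline and flags the outliers. The flow-record format, host names, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BUCKET = timedelta(minutes=5)

def bucket_totals(flows, start, end):
    """Sum outbound bytes per host per 5-minute bucket within [start, end)."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, host, nbytes in flows:
        if start <= ts < end:
            totals[host][(ts - start) // BUCKET] += nbytes
    return totals

def egress_anomalies(flows, ddos_start, baseline=timedelta(hours=1),
                     window=timedelta(minutes=30), sigmas=3.0, ratio=2.0,
                     floor=10_000_000):
    """Return {host: peak_bucket_bytes} for hosts whose outbound volume in any
    bucket after ddos_start exceeds their own pre-attack baseline.
    Thresholds are assumed defaults and need tuning per environment."""
    before = bucket_totals(flows, ddos_start - baseline, ddos_start)
    during = bucket_totals(flows, ddos_start, ddos_start + window)
    alerts = {}
    for host, buckets in during.items():
        # Idle baseline buckets count as zero, so a normally quiet host
        # (or one never seen before) is held to the absolute floor.
        hist = [before[host].get(i, 0) for i in range(baseline // BUCKET)]
        threshold = max(mean(hist) + sigmas * pstdev(hist),
                        ratio * mean(hist), floor)
        peak = max(buckets.values())
        if peak > threshold:
            alerts[host] = peak
    return alerts

# Constructed sample: (timestamp, internal source host, outbound bytes).
T0 = datetime(2024, 1, 1, 14, 0)  # constructed time at which the flood begins
SAMPLE = []
for i in range(12):  # one hour of normal pre-attack egress
    ts = T0 - timedelta(minutes=5 * (i + 1))
    SAMPLE += [(ts, "web-01", 40_000_000), (ts, "db-01", 1_000_000)]
for i in range(6):   # 30 minutes after the flood starts
    ts = T0 + timedelta(minutes=5 * i)
    db_out = 400_000_000 if i >= 2 else 1_000_000  # bulk transfer from the database host
    SAMPLE += [(ts, "web-01", 45_000_000), (ts, "db-01", db_out)]

if __name__ == "__main__":
    print(egress_anomalies(SAMPLE, T0))
```

The web server's modest rise stays under its own baseline-derived threshold, while the database host, which normally sends little outbound traffic, is flagged.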

Finally, investing in dedicated DDoS protection and mitigation tools can help deflect attacks and make it easier for IT staff to keep their wits about them during an incident.

Paul Roberts
