Online Financial Services under Attack

(Published in The Express Tribune, December 13, 2010)

The recent attacks on Visa and MasterCard following their refusal to accept payments for WikiLeaks donations seem like the stuff of movies – an uprising of the people against governments trying to gag information leaks.

What distinguishes the recent attacks on Visa, MasterCard and PayPal from other cyber attacks is that these were self-organised and involved the voluntary participation of numerous hacking groups and lay persons alike.

A group called “Anonymous” claimed responsibility for initially calling out to all hackers in what it dubbed “Operation Payback”. The idea took on a life of its own as news of the attack spread across underground circles. Mainstream media coverage added yet more fuel to the fire.

In fact, the attacks on these sites came within a day of WikiLeaks’ founder Julian Assange being imprisoned.

The group ‘Anonymous’ used mainstream services like Twitter to invite hackers across the globe to participate in the attack. One of the tweets on their AnonOperations Twitter feed read “PayPal time bomb set” – indicating that hackers had coordinated for the next synchronised attack.

These attacks are commonly known as Distributed Denial of Service (DDoS) attacks and are the simplest offensive available to hackers. The basic premise is that if a million users across the world all start loading a particular web page at a predetermined time, the server machines running that web page would become overwhelmed and crash because they are only designed to handle, say, a few thousand users simultaneously.

These hackers typically have hundreds of machines under their control which they hijack by spreading viruses or ‘Trojans’ across the internet. Some of these Trojans can be as simple as a fun game received by email, which when double-clicked works as it should but also installs a backdoor that gives the hacker permanent control of the machine.

The victim may even send the game out to other friends because ‘it’s so much fun’. These hijacked machines are commonly referred to as ‘zombie’ machines and an amateur hacker may have a dozen or so under his control, while an ‘elite’ hacker may have an army of thousands ready for direction.

However, there is something even more interesting about this attack, and it is unprecedented. A program called Low Earth Ion Cannon (LOIC) is being furiously downloaded by users who wish to voluntarily participate in the attack.

The software allows the user to choose a website to overload and while single users are completely ineffective on their own, the combined effect can easily bring down the target. The software boasted almost 100,000 downloads through the websites GitHub and SourceForge within two days of Assange’s arrest.

Fuelled by media coverage, the software has garnered even more attention and voluntary downloads.

These attacks are extremely difficult to curtail because they have no single source: they originate from thousands of users who are hard to distinguish from legitimate ones.
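The short Python model below is an added illustration, not part of the original article, of why a per-source threshold catches a single flooding machine but not a distributed flood of the kind described above. The server capacity, the per-client limit and the traffic figures are all assumed and constructed for the example.

```python
from collections import Counter

CAPACITY_RPS = 3000      # assumed: requests/second the server can handle
PER_SOURCE_LIMIT = 20    # assumed: per-client threshold a rate limiter enforces


def one_second_window(legit, attackers, attacker_rate):
    """Constructed traffic: requests per source within one second."""
    window = Counter({f"user-{i}": 1 for i in range(legit)})
    window.update({f"flood-{i}": attacker_rate for i in range(attackers)})
    return window


def analyse(window, capacity=CAPACITY_RPS, limit=PER_SOURCE_LIMIT):
    """Apply a per-source threshold and report what load is left."""
    total = sum(window.values())
    flagged = [src for src, n in window.items() if n > limit]
    remaining = total - sum(window[src] for src in flagged)
    return {
        "total_rps": total,
        "overloaded": total > capacity,
        "flagged_sources": len(flagged),
        "rps_after_blocking": remaining,
        "still_overloaded": remaining > capacity,
    }


# One machine sending 10,000 requests/second: easy to spot and block.
single_source = analyse(one_second_window(1500, 1, 10_000))
# 5,000 participants sending 2 requests/second each: the same total load,
# but every source looks like an ordinary visitor.
distributed = analyse(one_second_window(1500, 5000, 2))

if __name__ == "__main__":
    for name, result in (("single source", single_source),
                         ("distributed", distributed)):
        print(name, result)
```

In the distributed case the only reliable signal is the aggregate request rate against capacity, which is why defences for such floods work on total traffic upstream of the server rather than on individual clients.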

To make matters worse, the victims were never prepared for such an attack and the news of these attacks is drawing even more voluntary participation.

This new form of cyber warfare has invited everyone to participate and marks a shift in power towards people and away from governments in the same vein as WikiLeaks was doing. For businesses, it sets a dangerous precedent and raises concerns about the possibility of future attacks.