Anonymous Cons Web Users Into Joining DDoS Attacks With Camouflaged Links
Anonymous is tricking unwitting Internet bystanders into participating in its Megaupload-inspired DDoS attacks by flooding the Web with innocuous-looking links.
Anonymous has a new tool in its arsenal that transforms casual Web surfers into unwitting participants in a distributed denial of service attack, according to security experts.
Most of the links were obscured using URL shortening services such as bit.ly. Several Anonymous Twitter accounts have thousands of followers, and some gained "hundreds of thousands of new fans overnight" during the course of the campaign, according to Cluley. The new method appears to have helped knock Universal Music and other sites offline during last week's Megaupload-revenge attacks.
This is yet another reminder to be careful about clicking on links online. URL shorteners make it really hard to tell where a link originated or what its intended purpose is. Even if a friend posted the link on a social network, if the original source is Anonymous, it may not be that safe.
"Don't forget, denial-of-service attacks are illegal. If you participate in such an attack you could find yourself receiving a lengthy jail sentence," Cluley warned.
The code snippet comes with a comment, "requests hash table, may come in handy later," according to Johannes Ullrich, of the SANS Institute's Internet Storm Center.
The image URL on the attacking website is actually the target site's URL with some parameters added at the end, according to Ullrich. That format would make the attacks pretty easy to filter with a Web application firewall, according to Ullrich. "Even other content-sensitive firewalls should be able to deal with this," he said.
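The filtering Ullrich describes can be sketched from the defender's access log; this is an added example, not code from the article or from SANS. The host names, addresses, log lines and the parameter names `p1`/`p2` are constructed, and the per-path allowlist of parameters is an assumption about the defended application.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: client, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Assumption: the query parameters the defended application really accepts, per path.
ALLOWED = {"/": set(), "/search": {"q"}}

# Constructed sample log; p1/p2 stand in for the parameters appended to the target URL.
FMT = '{} - - [01/Jan/2024:10:00:00 +0000] "GET {} HTTP/1.1" 200 512 "{}" "Mozilla/5.0"'
SAMPLE = [FMT.format(*row) for row in [
    ("192.0.2.10", "/?p1=1001&p2=aaa", "http://pages.example.net/view"),
    ("192.0.2.10", "/?p1=1002&p2=aaa", "http://pages.example.net/view"),
    ("198.51.100.7", "/?p1=1003&p2=aaa", "http://pages.example.net/view"),
    ("203.0.113.5", "/?p1=1004&p2=aaa", "http://pages.example.net/view"),
    ("203.0.113.9", "/search?q=cats", "http://www.example.com/"),
    ("203.0.113.9", "/search?q=cats&p1=5", "http://www.example.com/"),
    ("198.51.100.20", "/?utm=x", "http://news.example.org/story"),
]]

def filter_candidates(lines, own_host, allowed, threshold=3):
    """Cluster requests that add undefined parameters and arrive from another site.

    Returns {(path, extra_params, referer_host): (requests, distinct_clients)}.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        client, url, referer = m.groups()
        parts = urlsplit(url)
        names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        # Paths missing from the allowlist accept no parameters at all.
        extra = tuple(sorted(names - allowed.get(parts.path, set())))
        ref_host = urlsplit(referer).hostname or "-"
        if not extra or ref_host == own_host:
            continue  # only defined parameters, or a link from our own pages
        hits[(parts.path, extra, ref_host)].append(client)
    return {k: (len(v), len(set(v))) for k, v in hits.items() if len(v) >= threshold}

if __name__ == "__main__":
    found = filter_candidates(SAMPLE, "www.example.com", ALLOWED)
    for (path, extra, ref), (n, clients) in found.items():
        print(f"{path} extra={extra} referer={ref}: {n} requests, {clients} clients")
```

A cluster with many distinct clients, one referer host and the same undefined parameter names is the shape to turn into a firewall rule for that path.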
Previously, Anonymous encouraged users to download the Low Orbit Ion Cannon to actively take part in its "operations" and participate in distributed denial of service attacks. LOIC is freely available and helps bombard the targeted site with hits until it is overwhelmed and unresponsive.
It's possible that the new method was designed to give the participants the excuse that they didn't know they were part of the attack. LOIC-based attack traffic is fairly easy for administrators to identify as malicious, and it can be traced back to the attacking machine because the IP address is included in the data stream. Many Anonymous participants now run LOIC through secure Tor networks or proxies to mask the IP address.
Even though there is a higher risk of prosecution associated with using LOIC, people are still downloading the tool to take part in the attacks, according to Rob Rachwald, director of security strategy at Imperva. LOIC was downloaded more than 5,000 times on Jan. 19, when Operation Megaupload was launched, and peaked at 33,007 downloads on Jan. 20, according to statistics collected by Imperva. Most downloads originated in the United States, although France and Brazil were close behind.