Hacktivist collective Anonymous has announced a new campaign for the holiday season: to steal from the rich.
Dubbed "DestructiveSec," the collective said it will steal virtual credit cards from banks and give "back to the people who had everything taken," according to a statement posted on text-sharing site Pastebin on Dec. 12. The statement did not name any targets or provide any details.
Another statement on the collective's discussion site Project Anon News claimed Lulzxmas-the other name for the DestructiveSec campaign-was a "new Anonymous action" that was dedicated to "granting wishes to people who are less fortunate than most."
"This Christmas we are stealing from the banks who stole from you and giving you back what was rightfully yours in the first place," the statement for DestructiveSec said, adding, "We're giving Santa Claus a break this year."
The hackers originally began giving away access to virtual private servers and domains, and then decided to give "whatever people wanted but couldn't afford," according to the Anon News post. Lulzxmas received hundreds of request in its first 36 hours of operation. Despite claiming to accept requests until Dec. 23, a post on Twitter under the account DestructiveSec claimed the "giveaway" had ended, but they were still shipping out "bits and pieces" to various individuals.
Apple products, including iPods, iPads and iPhones, were among the most requested products, but there were also requests for pizza, masks and donations to various charities and Occupy movements in New York, Oakland and a few others. The group has supposedly spent more than $76,000 of the "banks' lovely money" and was "aiming for a million" by Christmas, according to an "interview" posted on Anon News Dec. 16.
The campaign also compromised a Website of a "top" clothing retailer in the United Kingdom with a SQL injection attack and defaced part of the site before blackmailing the owner into shipping clothes such as designer hoodies to people, according to the interview.
The two Anonymous members running this campaign are targeting "massive hosts" to get access to the virtual private server and domains and also hitting banks' accounts terminals to stockpile virtual credit cards, according to the interview. They estimated to have $1.25 million in virtual credit cards so far. They've also been able to transfer funds around.
"Who pays for stolen credit cards? You might think banks and retailers, but ultimately the cost is passed onto consumers and credit card company customers," said Rob Rachwald, director of security strategy at Imperva.
Even though fraudulent transactions are not charged back to the consumer, there are actual costs incurred for the consumers, Rachwald said.
In the interview, the perpetrators claimed that banks have to reimburse the money stolen. While technically true, this "misleads" people into thinking that consumers are spared while retailers and bankers shoulder the cost of these kinds of fraud, Rachwald said. In actuality, retailers wind up raising prices and credit card companies increase fees and interest rates, which means fraud costs are "distributed back" to the general pool of consumers, he said.
Anyone with a credit card is indirectly paying for Lulzxmas, he said.