PayPal, PostFinance Hit by DoS Attacks, Counter-Attack in Progress

As WikiLeaks supporters and hackers hit PayPal and PostFinance with denial-of-service attacks for anti-WikiLeaks behavior, the group is also targeted in a DoS counter-attack.

The anonymous group of hackers that launches denial-of-service attacks against the entertainment industry refocused its campaign to target companies perceived to be anti-WikiLeaks. In response, the same group is also currently under a DoS attack for supporting the whistle-blowing site.

"We fight for the same reasons," such as more transparency and stopping censorship, and will "attack those against" WikiLeaks, the group said in a statement on its Website on Dec. 5. The group plans to do several things, including organizing distributed DoS attacks on "various targets related to censorship," according to the statement.

Dubbed Anonymous, the group has an ongoing "Operation Payback" campaign against "anti-piracy groups," and has targeted the Motion Picture Association of America and the Recording Industry Association of America in the past.

The group's first victim was PayPal; the attack knocked the payment service's blog offline by early morning on Dec. 4, according to the cyber-security researchers at Panda Labs. PayPal had posted a statement on the blog that it had restricted the whistle-blowing site's account for violating the Acceptable Use Policy with "activities that encourage, promote, facilitate or instruct others to engage in illegal activity." Supporters had been using the PayPal account to make donations to keep the site going.

After the blog went down, there was an announcement on Twitter: "TANGO of Paypal, company that has restricted Wikileaks' access to funding."

PayPal got the blog back online after 8 hours and 15 minutes of total downtime and 75 service interruptions, according to the Panda Labs researchers. It wasn't over, as a second attack hit the main PayPal site on Dec. 6. Shortly after, Anonymous' Website became unavailable, "presumably under counter DDoS attack," said Panda Labs. The site currently has a note up confirming that it was under "heavy" DoS attack, more than 6 hours after it began.

Despite being hit, Anonymous on Monday afternoon targeted PostFinance, the Swiss bank that froze $41,000 in an account set up as a legal defense fund for WikiLeaks founder Julian Assange. PostFinance's Website went offline around 12 p.m. EST, according to Panda Labs. It is still inaccessible, more than 10 hours later.

DoS attacks are becoming the tool of choice for making a statement to protest "hacker injustice," according to Noa Bar Yossef, a senior security strategist at Imperva. In a classic example, hackers are trying to make money, but Operation Payback's supporters are using the attacks to "cripple a service, disrupt services, protest their cause and cause humiliation," said Yossef.

In the classical scenario, the DoS attacks are carried out by botnets comprising zombies, computers belonging to innocent individuals who'd been tricked into downloading bot malware, she said. In Operation Payback, however, participants are "knowingly" downloading the "DDoSing malware itself," and there is "no victimized machine" in this "act of defiance," she said.

WikiLeaks was hit by a DoS attack hours before the whistle-blowing site was set to post more than 250,000 diplomatic documents. The attack was to punish WikiLeaks for "attempting to endanger the lives of our troops, 'other assets' & foreign relations," according to "th3ef35t3r," who claimed responsibility on Twitter. The Website was down for "1 day 3 hours and 50 minutes," according to Panda Labs. After a second DoS attack by an unknown attacker, Amazon terminated its hosting services. On Dec. 3, the site's DNS provider stopped service after yet another DoS attack hit everyDNS.

The first attack was a "simple DoS," as he doesn't use "intermediaries or botnets," according to th3ef35t3r's Twitter account. The attack was carried out by the XerXeS tool, which can produce an automated DoS attack from a single low-spec computer, according to Anthony M. Freed, of security site Infosec Island.

An Anonymous member posted on Twitter, "I'm not anti-government, anti-establishment, or anything of that sort. I'm just anti-...anti-WikiLeaks."

Anonymous is also circulating a statement titled "Operation Avenge Assange," asking for supporters to join in the DoS attacks and mirror WikiLeaks, among other actions. According to the WikiLeaks site, there are already more than 350 mirror sites helping to keep the site's content online.

Anonymous has not said who the next targets will be or whether the list will include Amazon and everyDNS. There is some speculation that the group will somehow target the French government for pressuring OVH to stop hosting the site.

"Whoever tries to silence or discourage WikiLeaks favors world domination rather than freedom and democracy," the group said.