Anonymous Cons Web Users Into Joining DDoS Attacks With Camouflaged Links

Anonymous is tricking unwitting Internet bystanders into participating in its Megaupload-inspired DDoS attacks by flooding the Web with innocuous-looking links.

Anonymous has a new tool in its arsenal that transforms casual Web surfers into unwitting participants in a distributed denial of service attack, according to security experts.
The loosely knit group of activist hackers has embedded JavaScript into specially crafted Websites to redirect site visitors to the targeted site, Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog Jan. 20. The page repeatedly attempts to access the target Website for the entire time the browser window is open, which only adds to the traffic bombardment.
Anonymous distributed links to these specially crafted Web pages via its Twitter feed, which was re-tweeted widely, and links also popped up in Internet Relay Chat rooms and on Facebook, Tumblr and other social networking sites. Some of the links led to, a site that looks a little like the popular text-sharing site Pastebin frequently used by Anonymous to issue statements. A variation of this method allowed users to type in the IP address of target Web servers before the JavaScript code began executing.
Most of the links were obscured using URL shortening services such as Several Anonymous Twitter accounts have thousands of followers, and some gained "hundreds of thousands of new fans overnight" during the course of the campaign, according to Cluley.

The new method appears to have helped knock Universal Music and other sites offline during last week's Megaupload-revenge attacks.
"If you visit the Webpage, and do not have JavaScript disabled, you will instantly, without user interaction, begin to flood a Website of Anonymous's choice with unwanted traffic, helping to perpetuate a DDoS attack," Cluley said.
Internet users who have disabled JavaScript on their browser would not have been caught in this trick. However, considering how many Websites require JavaScript to do the simplest tasks nowadays, most people have the scripting language enabled.
This is yet another reminder to be careful about clicking on links online. URL shorteners make it really hard to tell where a link originated or what its intended purpose is. Even if a friend posted the link on a social network, if the original source is Anonymous, it may not be that safe.
"Don't forget, denial-of-service attacks are illegal. If you participate in such an attack you could find yourself receiving a lengthy jail sentence," Cluley warned.
Parts of the JavaScript code on the attacking Website "hints at plans" to implement a hash table at a later date, which may be used to exploit the hash table denial of service vulnerability recently disclosed in major Web application frameworks such as ASP.NET, Apache Tomcat and Oracle Glassfish.
The code snippet comes with a comment, "requests hash table, may come in handy later," according to Johannes Ullrich, of the SANS Institute's Internet Storm Center.
The image URL on the attacking Website is actually the target site's URL with some parameters added at the end, according to Ullrich. He noted that this request format would make it pretty easy to filter the attacks with a Web application firewall. "Even other content-sensitive firewalls should be able to deal with this," he said.
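The request shape Ullrich describes (the same target URL fetched over and over with changing parameters, from a page hosted elsewhere) can be picked out of a Web server's access log. The following is an added example, not code from the article or from Ullrich; the combined log format, the hostnames, the sample lines and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def find_browser_flood(lines, own_host, min_hits=5, min_unique_ratio=0.9):
    """Return {(client_ip, path): offsite_referer_hosts} for clients whose
    requests hit one path with an ever-changing query string from another site."""
    queries = defaultdict(list)   # (ip, path) -> query strings seen
    referers = defaultdict(set)   # (ip, path) -> offsite referer hosts
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        target = urlsplit(m["target"])
        ref_host = urlsplit(m["referer"]).hostname
        # Keep only requests with trailing parameters sent from a foreign page.
        if not target.query or ref_host in (None, own_host):
            continue
        key = (m["ip"], target.path)
        queries[key].append(target.query)
        referers[key].add(ref_host)
    flagged = {}
    for key, seen in queries.items():
        # Many hits, nearly all with a different query: scripted, not a cached asset.
        if len(seen) >= min_hits and len(set(seen)) / len(seen) >= min_unique_ratio:
            flagged[key] = referers[key]
    return flagged

def sample_log():
    """Constructed log lines: one flooding browser, one ordinary hotlinked image."""
    fmt = ('{ip} - - [20/Jan/2012:10:00:{s:02d} +0000] "GET {t} HTTP/1.1" '
           '200 512 "{r}" "Mozilla/5.0"')
    flood = [fmt.format(ip="198.51.100.7", s=i, t=f"/?n={1000 + i}",
                        r="http://paste.example.net/page") for i in range(8)]
    hotlink = [fmt.format(ip="203.0.113.9", s=i, t="/logo.png?v=2",
                          r="http://blog.example.com/") for i in range(8)]
    return flood + hotlink

if __name__ == "__main__":
    hits = find_browser_flood(sample_log(), "www.example.org")
    for (ip, path), refs in hits.items():
        print(ip, path, sorted(refs))
```

The referring hosts returned for each flagged client are the natural input for a firewall rule, since every visitor to the same crafted page sends the same Referer.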
Previously, Anonymous encouraged users to download the Low Orbit Ion Cannon to actively take part in its "operations" and participate in distributed denial of service attacks. LOIC is freely available and helps bombard the targeted site with hits until it is overwhelmed and unresponsive.
It's possible that the new method was designed to give the participants the excuse that they didn't know they were part of the attack. LOIC-based attack traffic is fairly easy for administrators to identify as malicious and it is possible to trace back to the attacking machine as the IP address is included in the data stream. Many Anonymous participants now run LOIC through secure TOR networks or proxies to mask the IP address.
Even though there is a higher risk of prosecution associated with using LOIC, people are still downloading the tool to take part in the attacks, according to Rob Rachwald, director of security strategy at Imperva. LOIC was downloaded more than 5,000 times on Jan. 19, when Operation Megaupload was launched, and peaked at 33,007 downloads on Jan. 20, according to statistics collected by Imperva. Most downloads originated in the United States, although France and Brazil were close behind.