DD4BC cyber extortion gang adds social media to arsenal

The cyber criminal gang calling itself DD4BC (DDoS for bitcoin) has added a social media component to its attacks aimed at extorting funds from businesses.

Since July 2014, the gang has been using distributed denial of service (DDoS) attacks – or at least the threat of DDoS attacks – to extort money from a range of organisations.

“This is a very low-cost, low-risk way to make money, but organisations should consider very carefully before paying what the attackers demand,” said Margee Abrams, Neustar product marketing director.

“These attacks will continue as long as they are successful, but by investing in mitigation capabilities, organisations can protect themselves as well as drive up the cost for attackers,” she told Computer Weekly.

In recent months, the gang has increased the frequency and scope of its DDoS extortion attempts, shifting from targeting Bitcoin exchanges to online casinos, betting shops, retailers and – most recently – prominent financial institutions and government organisations.

DD4BC has also adopted more aggressive measures to target brand reputation through social media, according to a report by content delivery network services firm Akamai Technologies.

“The latest attacks – focused primarily on the financial services industry – involved new strategies and tactics intended to harass, extort and ultimately embarrass the victim publicly,” said Stuart Scholly, senior vice-president and general manger of the security division at Akamai.

From June through to July 2015, the attacks increased from low-level attacks to attacks of up to 20 Gbps. The group would then demand a Bitcoin ransom to protect the company from a larger DDoS attack designed to make its website inaccessible.

Since September 2014, Akamai has observed 141 confirmed DD4BC attacks against its customers, with 114 of those taking place in the past five months. The attacks peaked at 41 in June, tapering off to 31 in July.

The average bandwidth  of the attacks has been 13.34 Gbps, with the largest DDoS attack reported at 56.2 Gbps.

However, recent attacks have included threats to expose targeted organisations through social media, adding to the damage caused by the DDoS attack itself.

Akamai believes the goal of these social media campaigns is to garner more attention for the group’s ability to create service disruptions by publicly embarrassing the target and tarnishing the company’s reputation through these wide-reaching channels.

The group’s methodology typically includes use of multi-vector DDoS attack campaigns, revisiting former targets and incorporating application layer DDoS in multi-vector attacks, specifically concentrating on the WordPress pingback vulnerability.

To help protect against extortionist group DD4BC, Akamai recommends organisations take the following defence measures:

• Deploy anomaly- and signature-based DDoS detection methods to identify attacks before a website becomes unavailable to users.
• Distribute resources to increase resiliency and avoid single points of failure due to an attack.
• Implement application layer DDoS mitigation appliances on the network in strategic locations to reduce the threat for critical application servers.

Andrew Conway, research analyst at Cloudmark, said that while extortion threats based on DDoS attacks are nothing new, the emergence of bitcoin as an anonymous medium of exchange has dramatically reduced the risks for the attackers.

“Bitcoin is not a particularly convenient payment system, compared with PayPal, credit cards or bank transfers. In fact, business for DDoS for hire services went down dramatically when PayPal started cancelling their accounts, and they were forced to switch to bitcoin,” he said.

According to Conway, the main uses of bitcoin are for activities that would not be legal with conventional payments systems, such as circumvention of exchange controls, unlicensed gambling, illegal drug purchases and – of course – extortion.

“As well as DDoS extortion, we are also seeing bitcoin blackmail demands going out to Ashley Madison customers, and it is the standard payment system for ransomware these days,” he said.

Conway said the fact most DDoS attacks rely on some form of amplification, or using resources that belong to other people to send internet traffic to a target, presents an opportunity to hamper these attacks that is often overlooked.

The most common way of creating a DDoS amplification attack is to pretend to be the target through IP spoofing, and request the traffic from the third-party server.

“It’s fairly easy to configure the routers on a network not to allow spoofed IP addresses to leave that network, which means DDoS attackers can’t operate from there. However, there are still far too many networks on the internet that do not do this. Until that particular security hole is plugged, business subject to extortion will have to rely on DDoS protection services,” said Conway.