Earlier this week, Tripwire announced “The 12 Hacks of Christmas,” a new blog series in which we look back on some of the most damaging holiday hacks in recent years.
We now continue our exploration of Christmas-related cybercrime with Part 2 in our series.
Hack #5: Stratfor Hack (2011)
On December 6, 2011, Anonymous successfully attacked Strafor Global Intelligence Service, a firm that analyzes geopolitical risk and submits its findings to a number of government agencies including the Department of Homeland Security and the Department of Defense.
Jeremy Hammond, using the alias “sup_g,” coordinated the hack against Strafor’s servers, stealing in all about 200 GB of data, which included at least 10,000 credit cards, 50,000 unique email addresses, 25,000 phone numbers, and 50,000 encrypted passwords.
All of the credit cards, which Stratfor’s members use for billing purposes, were stored in plaintext. Using these stolen credentials, the hackers made a series of donations to the American Red Cross, AIDS Research, Tor Project, and Wikileaks.
At one point, Jeremy Hammond contacted Xavier Monsegur, a former blackhat hacker who had agreed to work as an informant for the FBI. With Mr. Monsegur’s help, the FBI succeeded in convincing Hammond to exfiltrate some of Stratfor’s stolen data to one of its server. This allowed the FBI to salvage some of the compromised information.
Nevertheless, both Anonymous and WikiLeaks published much of the firm’s stolen data online.
Hack #6: Christmas Eve Bank Hack (2012)
A regional California financial institution was the victim of a Christmas cyberheist in which attackers stole $900,000.
On Christmas Eve in 2012, hackers began moving money out of the corporate accounts of Ascent Builders, a construction firm based in Sacramento, CA. To distract attention away from the withdrawals, the attackers launched a DDoS campaign against the Bank of the West, the firm’s financial institution.
At least 62 individuals acted as money “mules” in the attack. In return for a small payment, these individuals unknowingly accepted substantial deposits from the thieves and eventually transferred them to overseas accounts.
The comptroller for Ascent Builders was unable to access the financial institution’s website during the course of the attack. This is because the attackers were remote controlling her computer and blocking her from visiting the bank’s site.
Brian Krebs, one of the first journalists to report on the incident, is of the opinion that the attack occurred as a result of a keylogger that went undetected by anti-virus software.
Hack #7: NTP-Reflection Attacks (2013)
Last December, Symantec reported a spike in the number of NTP amplification attacks.
NTP stands for Network Time Protocol. It was originally developed by a professor at the University of Delaware as a means syncing the clocks of multiple computers.
According to Symantec’s blog post on the topic, NTP attacks are similar to DNS amplification attacks in that they use a small packet to request the delivery of a large amount of data to a specific IP address.
In this case, the attackers used the monlist command, a query found in older versions of NTP that sends requesters a list of the last 600 hosts who connected to the server, as part of a series of DDoS attacks against certain targets, including a number of gaming sites in late December and Brian Krebs’ blog approximately two months later.
The evolution of NTP amplification attacks in part reflects the Internet’s development thus far. Tyler Reguly, Manager of Security Research and Development of Tripwire, explains: “Over time, the Internet became less of a web built on trust used by professionals. When this happened, troublemakers created the denial of service (DoS) attack, giving them the ability to render a service unavailable. As Internet connections grew faster and these troublemakers grew more mischievous, denial of service grew to become distributed denial of service (DDoS).”
Reguly notes that NTP amplification attacks increased in December 2013 to such an extent that US-CERT released an Alert (TA14-013A) on the subject.
Tripwire to the Rescue
NTP amplification attacks are especially dangerous in that they sow mistrust among companies. Reguly demonstrates this with a hypothetical situation: “Imagine that ‘Company Z’ is knocked offline by an NTP attack attack and that the mischievous little troll responsible used the NTP servers offered by ‘Company A,’ ‘Company B,’ and ‘Company C.’ If you were involved with IT Security at ‘Company A,’ how would you feel knowing that your services had been used to render another company helpless? How would you feel if you were the target and ‘Company Z’ had run the NTP Server that was used?”
Clearly, no one wins in an NTP amplification attack that involves multiple companies.
Knowing this, Reguly recommends users take advantage of some of the products Tripwire has to offer: “Tripwire IP360 and PureCloud not only detects servers that run NTP, but they also identify servers that still have the ‘monlist’ command, which has been phased out in newer NTP versions. A simple scan of your external hosts could prevent you from helping these Internet trolls from rendering other services unusable.”
Hack #8: Dogecoin Hack (2013)
A few days before New Years’ Eve, users of Dogecoin, a cryptocurrency alternative to Bitcoin, noticed that their wallets were being emptied and sent to a single Dogewallet without their authorization.
As it turned out, the attacker had not hacked individual Dogewallets but the official Dogewallet page, where they changed the intended recipient field to a static address.
Overall, 21 million Dogecoins were stolen in the attack. However, with each Dogecoin valued at US $0.00057 at the time, users suffered an aggregate loss of only $12,000.
The founders of the cryptocurrency suspect that the attack may have occurred as a result of Dogecoin’s growing popularity, especially among online gamers who were beginning to use the cryptocurrency to pay for in-game purchases.
Following the hack, Dogewallet temporarily took down its site and began announcing on Reddit that it would compensate all users’ losses. Even so, the fact that it also deactivated its Facebook page had some users wondering whether the attack was just a scam.
“Ho Ho Hackers!”
Four hacks remain. They are the “naughtiest” of them all, with the information security community still operating in the shadow of these incidents. Stay tuned for the third and final part of our “12 Hacks of Christmas” series!