DDoS attacks are employed as a smokescreen for other more malicious cyberattacks more often than you might think. The swarming nature of DDoS can be an effective distraction technique; as cybersecurity teams focus on mitigating the attack and getting services back online, the cybercriminal can work under the radar to more deeply invade your systems.
Back in 2014, the Federal Financial Institutions Examination Council (FFIEC) warned banks about DDoS being deployed as a diversionary tactic “by criminals attempting to commit fraud using stolen customer or bank employee credentials to initiate fraudulent wire or automated clearinghouse transfers.” It encouraged financial institutions to better address DDoS readiness as a key part of their ongoing security plans; and “ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers, if appropriate”.
The warning is as relevant now as it was then, if not more so, as these kinds of smokescreen attacks are becoming increasingly prevalent. This is likely in part because the tooling needed to launch DDoS attacks is becoming easier to obtain and cheaper to pay for.
In a Dark Reading article last year, tech reporter Jai Vijayan cited a Neustar survey of 1,010 corporate executives on the frequency and impact of DDoS on their organizations. Vijayan said, “Nearly half of the impacted organizations say their DDoS attacks coincided with some form of breach or malicious activity on their networks, including data theft and ransomware.” He added, “For instance, 47% report discovering virus activity on their network after a DDoS attack, 43% cite malware as being activated, and 32% report customer data theft.”
Forty percent of those surveyed were not aware that they were under DDoS attack until a third party or a customer alerted them.
A notable example is the 2015 DDoS attack against British mobile phone retailer, Carphone Warehouse, which coincided with the theft of the personal and banking information of 2.4 million customers. Many attacks of this nature are not reported on, but in this instance, the retailer publicly revealed the security breach. DDoS was used as a cover to help hackers break into the Carphone Warehouse systems and carry out one of the UK’s biggest ever digital thefts.
The most famous instance was the 2011 attack on Sony’s PlayStation Network, an online gaming service, which saw a massive bombardment of traffic at the same time as the personal and financial details of 77 million customers were stolen. The PlayStation division chief had to report to the US Congress, and told them the smokescreen DDoS attack “may have made it more difficult to detect this intrusion quickly”.
Other more complex attacks that can happen on the back of a DDoS attack include reconnaissance (for the attackers to work out whether your security is weak and can be breached), malware delivery/exploitation (using a simultaneous DDoS attack to hide the dropping of malware onto a network’s machines), and data exfiltration (as in the Carphone Warehouse and Sony PlayStation examples).
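As an added, illustrative example that is not part of the original article, the following Python sketch shows the kind of correlation a security team can run so that alerts raised during a DDoS window are escalated rather than deprioritised while everyone is busy with mitigation. The event feed, event types and window length are constructed placeholders, not any real product's schema.

```python
from datetime import datetime, timedelta

# Constructed sample SIEM-style events (not from the article). Each entry is
# (timestamp, event_type, detail). A DDoS alert comes first; a burst of activity
# that a busy SOC might deprioritise follows inside the attack window.
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:00", "ddos_alert", "inbound 40 Gbps SYN flood against web edge"),
    ("2024-03-01T10:04:00", "auth_anomaly", "wire-transfer operator login from new geolocation"),
    ("2024-03-01T10:11:00", "outbound_transfer", "1.8 GB to unknown host from db-02"),
    ("2024-03-01T10:20:00", "edr_alert", "unsigned binary executed on finance-07"),
    ("2024-03-01T13:30:00", "outbound_transfer", "0.4 GB nightly backup to backup-01"),
]

# Event classes that, inside a DDoS window, match the follow-on activity the
# article describes: reconnaissance, malware delivery/execution and data theft.
SUSPICIOUS_DURING_DDOS = {"auth_anomaly", "outbound_transfer", "edr_alert", "port_scan"}


def parse_ts(value):
    return datetime.fromisoformat(value)


def correlate_with_ddos(events, window_minutes=90):
    """Return suspicious events that fall within window_minutes after any DDoS alert.

    Each match is tagged with how many minutes after the DDoS alert it occurred,
    so it can be escalated as a possible smokescreen rather than lost in the noise.
    """
    ddos_starts = [parse_ts(ts) for ts, kind, _ in events if kind == "ddos_alert"]
    window = timedelta(minutes=window_minutes)
    findings = []
    for ts, kind, detail in events:
        if kind not in SUSPICIOUS_DURING_DDOS:
            continue
        when = parse_ts(ts)
        for start in ddos_starts:
            if start <= when <= start + window:
                offset = int((when - start).total_seconds() // 60)
                findings.append({"type": kind, "detail": detail, "minutes_after_ddos": offset})
                break  # one DDoS alert is enough to flag the event
    return findings


if __name__ == "__main__":
    for f in correlate_with_ddos(SAMPLE_EVENTS):
        print(f"[{f['minutes_after_ddos']:>3} min after DDoS] {f['type']}: {f['detail']}")
```

The nightly backup at 13:30 falls outside the 90-minute window and is left alone, which is the point of the window: flag what overlaps the attack, not every transfer of the day.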