Smokescreening Is The Latest Danger In DDoS Attacks

New study warns of rising smokescreening practice in cyberattacks

The top takeaway of a new study suggests that more and more frequently, distributed denial of service (DDoS) attacks are being used as a smokescreen, distracting organizations while malware or viruses are injected to steal money, data, or intellectual property.

The white paper, the 2014 Neustar Annual DDoS Attacks and Impact Report: A Neustar High-Tech Brief, reveals insights into this trend based on a survey of 440 North American companies, comparing DDoS findings from 2013 to 2012.

Over the last year, the study found, DDoS attacks evolved in strategy and tactics. More than half of attacked companies also reported theft of funds, data, or intellectual property. These cyber-attacks are intense but quick, more surgical in nature than sustained strikes whose goal is to extend downtime.

This year’s survey also demonstrated that the landscape of DDoS attacks is changing. The number of attacks is up, but attack duration is down, meaning that attacks are becoming more intense and harder to catch. Larger attacks are more common, but most attacks are still less than 1 Gbps. Although companies report a greater financial risk during a DDoS outage, most still rely on traditional defenses like firewalls, rather than purpose-built solutions like DDoS mitigation hardware or cloud services.

Among the study’s other findings:

  • Virus and malware insertion during DDoS attacks was common: 47 percent of companies that experienced a DDoS attack and data breach simultaneously reported the installation of a virus or malware.
  • The industry sees DDoS as a growing threat, with 91 percent of high-tech respondents viewing DDoS as a similar or larger threat than just a year ago.
  • 87 percent of companies attacked were hit multiple times.
  • Nearly twice as many businesses were hit: in 2013, 60 percent of companies were DDoS-attacked, up from 35 percent in 2012. And these attacks were of shorter duration in 2013.
  • Attacks between 1 and 5 Gbps almost tripled.
  • Customer support is the leading area of impact. For 53 percent of tech companies that suffered an outage, customer service was cited as the area most affected, while 47 percent named brand/customer confidence as the most affected.
  • Collectively, non-IT/security groups see the greatest cost increases in the event of a DDoS attack.
  • High-tech revenue losses are in line with those of other sectors. In 2013, DDoS was just as risky for high-tech as for other verticals, with 47 percent reporting revenue risks of more than $50 K per hour and 31 percent hourly risks of more than $100 K. That means that daily revenue risks are often measured in seven figures.

The conclusion of the report is that there is a trend towards shorter DDoS attacks, but also more attacks from 1 to 5 Gbps: quicker, more concentrated strikes that suggest a growing presence of a highly damaging tactic called DDoS smokescreening.

Smokescreening distracts IT and security teams with a DDoS attack, allowing criminals to grab and clone private data to siphon off funds, intellectual property, and other information. In one case, thieves used DDoS to steal bank customers’ credentials and drain $9 million from ATMs in just 48 hours. Such crimes have caused the FDIC to warn about DDoS as a diversionary tactic.

The study urges businesses to watch for the warning signs, including shorter, more intense attacks with no extortion or policy demands. It also counsels them to follow best practices: not assigning all resources to DDoS mitigation but dedicating some staff to monitoring entry systems during attacks, making sure everything is patched with up-to-date security, and establishing dedicated DDoS protection.

Rodney Joffe, Neustar senior VP and senior technologist, notes, “The stakes are much higher. If you’re a criminal, why mess around with extortion when you can just go ahead and steal — and on a much greater scale?”