You probably never thought about kittens, zombies and porn in the same breath — and the imagery gets even weirder if you throw the words "B2B e-commerce" into the mix.

But everything is possible on the Internet: even a distributed denial-of-service (DDoS) attack that employed an apparently unprecedented technique to cause thousands of online video viewers to unwittingly bombard a target website with junk traffic.

According to researchers from Web security firm Incapsula, the attack last Wednesday resulted from a persistent cross-site scripting (XSS) vulnerability on one of the biggest and most popular video sites on the web.

Incapsula co-founder Marc Gaffan declined to identify the site, but told CMSWire it ranks among the top 50 websites in the world by traffic based on statistics from Amazon-owned firm Alexa. That seems to narrow it down to one of two sites: Youtube.com — the third largest — or Xvideos.com — the 44th largest.

Someone capitalized on viral videos of something like cute cats … or maybe sex kittens … to surreptitiously turn website visitors into “DDoS Zombies” — in the hope of taking down an unidentified B2B e-commerce site.

You can't make this stuff up.

What Happened Exactly?

Crafty hackers capitalized on a popular video site that allows its users to sign in with their own profiles to launch a totally unrelated attack against the B2B site, an Incapsula client. "People typically spend 20 to 30 minutes on this site," Gaffan said.

The longer people spent on the site, the easier it became to make them unwitting participants in the DDoS.

Gaffan said the hackers embedded malicious JavaScript inside the image icons of the accounts they created. Anyone who viewed the posts they wrote — about 22,000 people, all told — unwittingly ran the attack code. As Incapsula researchers Ronen Atias and Ofer Gayer explained in the blog post:

"The DDoS attack was enabled by a Persistent XSS vulnerability that allowed the offender to inject JavaScript code into the <img> tag associated with the profile image. As a result, every time the image was used on one of the site’s pages (e.g., in the comment section), the malicious code was also embedded inside, waiting to be executed by every future visitor to that page."

The code instructed their browsers to send one web request per second to the DDoS victim, flooding the target with some 20 million GET requests, Gaffan added. One request a second is manageable for most sites. But as Atias and Gayer wrote:

"When dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively creating a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos."
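The one-request-per-second cadence described above is itself a signature the victim site can look for: a human browsing a catalog does not fire requests on a metronome, and thousands of unrelated clients sharing the same Referer point at the page carrying the injected script. The following Python script is an added example, not code from the article or from Incapsula; it scans constructed access-log lines (IPs, hostnames and paths are all made up) for clients with a fixed request period and groups them by Referer.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access log (combined format), not data from the article.
# IPs are from documentation ranges and the referer hosts are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Apr/2014:10:00:00 +0000] "GET /?cb=1 HTTP/1.1" 200 512 "http://video.example/watch?v=cats" "Mozilla/5.0"
203.0.113.10 - - [02/Apr/2014:10:00:01 +0000] "GET /?cb=2 HTTP/1.1" 200 512 "http://video.example/watch?v=cats" "Mozilla/5.0"
203.0.113.10 - - [02/Apr/2014:10:00:02 +0000] "GET /?cb=3 HTTP/1.1" 200 512 "http://video.example/watch?v=cats" "Mozilla/5.0"
203.0.113.10 - - [02/Apr/2014:10:00:03 +0000] "GET /?cb=4 HTTP/1.1" 200 512 "http://video.example/watch?v=cats" "Mozilla/5.0"
203.0.113.11 - - [02/Apr/2014:10:00:05 +0000] "GET /?cb=1 HTTP/1.1" 200 512 "http://video.example/watch?v=cats" "Mozilla/5.0"
203.0.113.11 - - [02/Apr/2014:10:00:06 +0000] "GET /?cb=2 HTTP/1.1" 200 512 "http://video.example/watch?v=cats" "Mozilla/5.0"
203.0.113.11 - - [02/Apr/2014:10:00:07 +0000] "GET /?cb=3 HTTP/1.1" 200 512 "http://video.example/watch?v=cats" "Mozilla/5.0"
203.0.113.11 - - [02/Apr/2014:10:00:08 +0000] "GET /?cb=4 HTTP/1.1" 200 512 "http://video.example/watch?v=cats" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2014:10:00:00 +0000] "GET /catalog HTTP/1.1" 200 8192 "http://search.example/" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2014:10:00:09 +0000] "GET /catalog/item/42 HTTP/1.1" 200 4096 "http://shop.example/catalog" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2014:10:00:31 +0000] "GET /cart HTTP/1.1" 200 2048 "http://shop.example/catalog/item/42" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2014:10:00:40 +0000] "GET /checkout HTTP/1.1" 200 2048 "http://shop.example/cart" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d+ \S+ "([^"]*)"')

def parse(log_text):
    """Yield (client_ip, epoch_seconds, referer) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash
        ip, ts, referer = m.groups()
        yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp(), referer

def find_metronome_clients(log_text, min_requests=4, period=1.0, jitter=0.2):
    """Return {referer: [ips]} for clients whose every inter-request gap is within
    `jitter` of `period`: a script firing on a timer looks like this, a person
    browsing does not. Grouping by referer exposes the page carrying the script."""
    by_ip = defaultdict(list)
    for ip, epoch, referer in parse(log_text):
        by_ip[ip].append((epoch, referer))
    flagged = defaultdict(list)
    for ip, hits in by_ip.items():
        if len(hits) < min_requests:
            continue  # too few samples to call a cadence
        hits.sort()
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        if all(abs(g - period) <= jitter for g in gaps):
            top_referer = Counter(r for _, r in hits).most_common(1)[0][0]
            flagged[top_referer].append(ip)
    return {r: sorted(ips) for r, ips in flagged.items()}
```

On the sample log the two 1-second clients are grouped under the video page's Referer while the shopper with 9- and 22-second gaps is left alone; in practice the Referer group, not any single IP, is what you would rate-limit or challenge, since each browser on its own is well within normal limits.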

Does that reference to cat videos narrow the compromised site to YouTube.com? Gaffan isn’t saying. Yet.