
Hackers Use Viral Videos to Attack B2B E-Commerce Site


You probably never thought about kittens, zombies and porn in the same breath — and the imagery gets even weirder if you throw the words "B2B e-commerce" into the mix.

But everything is possible on the Internet: even a distributed denial-of-service (DDoS) attack that employed an apparently unprecedented technique to cause thousands of online video viewers to unwittingly bombard a target website with junk traffic.

According to researchers from Web security firm Incapsula, the attack last Wednesday resulted from a persistent cross-site scripting (XSS) vulnerability on one of the biggest and most popular video sites on the web.

Incapsula co-founder Marc Gaffan declined to identify the site, but told CMSWire it ranks among the top 50 websites in the world by traffic based on statistics from Amazon-owned firm Alexa. That seems to narrow it down to one of two sites: Youtube.com — the third largest — or Xvideos.com — the 44th largest.

Someone capitalized on viral videos of something like cute cats … or maybe sex kittens … to surreptitiously turn website visitors into “DDoS Zombies” — in the hope of taking down an unidentified B2B e-commerce site.

You can't make this stuff up.

What Happened Exactly?

Crafty hackers capitalized on a popular video site, one that allows its users to sign in with their own profiles, to launch a totally unrelated attack against the B2B site, an Incapsula client. "People typically spend 20 to 30 minutes on this site," Gaffan said.

The longer people spent on the site, the easier it became to make them unwitting participants in the DDoS.

Gaffan said the hackers embedded malicious JavaScript inside the image icons of the accounts they created. Anyone who viewed the posts they wrote — about 22,000 people, all told — unwittingly ran the attack code. As Incapsula researchers Ronen Atias and Ofer Gayer explained in the blog post:

"The DDoS attack was enabled by a Persistent XSS vulnerability that allowed the offender to inject JavaScript code into the <img> tag associated with the profile image. As a result, every time the image was used on one of the site’s pages (e.g., in the comment section), the malicious code was also embedded inside, waiting to be executed by every future visitor to that page."

The code instructed their browsers to send one web request per second to the DDoS victim, flooding the target with some 20 million GET requests, Gaffan added. One request a second is manageable for most sites. But as Atias and Gayer wrote:

"When dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos."

Does that reference to cat videos narrow the compromised site to YouTube.com? Gaffan isn’t saying. Yet.

"I can’t disclose the domain name in question at this time until the vulnerability is fixed," he said.

'Clever' Attack

The attack comes on the heels of the release of Incapsula's 2013-2014 DDoS Landscape report, which found attacks have increased 240 percent in the past year. The report notes:

"2013 was a game-changing year for DDoS attacks, with higher-than-ever attack volumes and rapid evolution of new attack methods. Now, the perpetrators are looking to raise the stakes even higher by introducing new capabilities, many of which are specifically designed to abuse the weaknesses of traditional anti-DDoS solutions. As a result, in 2014, many IT organizations will need to rethink their security strategies."

To understand what happened, you have to understand a few basics.

A malicious hacker uses a DDoS attack to make a computer resource — be it a website, application, email, voicemail or network — stop responding to legitimate users. As Gaffan explained, the target becomes overwhelmed by the attacker’s requests. That can cause it to stop responding, resulting in long delays and outages.

The virus-infected computers are called zombies, because they do whatever the DDoS perpetrators command them to do. The attack, Gaffan noted, was device agnostic. Because it exploited JavaScript, it didn't matter whether someone was using the compromised site from a PC, a Mac or a mobile device.

Cross-Site Scripting (XSS) flaws are the result of improper filtering of user input and can allow attackers to inject unauthorized script code into web pages.
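To make the filtering point concrete, here is an added example (not code from the article, Incapsula or the affected site) of a profile image value rendered into an `<img>` tag without and with output handling. It assumes the injection point is the `src` attribute; the function names, fallback path and sample URLs are constructed for illustration.

```javascript
// Added example: rendering a stored profile-image URL into an <img> tag.
// All names and sample values below are constructed, not the site's code.

// Vulnerable: the stored value is concatenated unescaped, so a quote
// character in it closes src and lets the rest become new attributes.
function renderAvatarUnsafe(storedUrl) {
  return '<img class="avatar" src="' + storedUrl + '">';
}

// Escape the characters that can change HTML structure inside an attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

const FALLBACK_AVATAR = '/static/default-avatar.png'; // hypothetical path

// Hardened: accept only absolute http(s) URLs, normalise them with the
// URL parser, then escape on output. Anything else gets the fallback.
function renderAvatarSafe(storedUrl) {
  let src = FALLBACK_AVATAR;
  try {
    const parsed = new URL(String(storedUrl));
    if (parsed.protocol === 'https:' || parsed.protocol === 'http:') {
      src = parsed.href;
    }
  } catch (e) {
    // Not a parseable absolute URL: keep the fallback image.
  }
  return '<img class="avatar" src="' + escapeAttr(src) + '">';
}

// Helper for checking output: list the attribute names present in a tag.
function attributeNames(tagHtml) {
  return Array.from(tagHtml.matchAll(/\s([a-zA-Z-]+)=/g), (m) => m[1]);
}

// Constructed inputs: a normal URL and one carrying an extra attribute.
const benign = 'https://img.example.com/u/42.png';
const hostile = 'https://img.example.com/u/42.png" onerror="void(0)';

console.log(attributeNames(renderAvatarUnsafe(hostile))); // event handler appears
console.log(attributeNames(renderAvatarSafe(hostile)));   // only class and src
```

Because the value is stored and re-rendered wherever the avatar appears, the check belongs at output time on every page that emits the tag, not only at upload.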


By all accounts, the attack was ingenious. As one hacker told me today, "By using an XSS vulnerability, there was no need for any malware to be installed on the user's computer. It's very clever and would have worked on almost anybody's computer, regardless of operating system or antivirus software. All that is needed is for someone to load the website in a browser, and the attack is on. The problem with this, is that it is very easy to fix from the website side of things."

 
