
You probably never thought about kittens, zombies and porn in the same breath — and the imagery gets even weirder if you throw the words "B2B e-commerce" into the mix.

But everything is possible on the Internet: even a distributed denial-of-service (DDoS) attack that employed an apparently unprecedented technique to cause thousands of online video viewers to unwittingly bombard a target website with junk traffic.

According to researchers from Web security firm Incapsula, the attack last Wednesday resulted from a persistent cross-site scripting (XSS) vulnerability on one of the biggest and most popular video sites on the web.

Incapsula co-founder Marc Gaffan declined to identify the site, but told CMSWire it ranks among the top 50 websites in the world by traffic based on statistics from Amazon-owned firm Alexa. That seems to narrow it down to one of two sites: Youtube.com — the third largest — or Xvideos.com — the 44th largest.

Someone capitalized on viral videos of something like cute cats … or maybe sex kittens … to surreptitiously turn website visitors into “DDoS Zombies” — in the hope of taking down an unidentified B2B e-commerce site.

You can't make this stuff up.

What Happened Exactly?

Crafty hackers capitalized on a popular video site that allows its users to sign in with their own profiles to launch a totally unrelated attack against the B2B site, an Incapsula client. "People typically spend 20 to 30 minutes on this site," Gaffan said.

The longer people spent on the site, the easier it became to make them unwitting participants in the DDoS.

Gaffan said the hackers embedded malicious JavaScript inside the image icons of the accounts they created. Anyone who viewed the posts they wrote — about 22,000 people, all told — unwittingly ran the attack code. As Incapsula researchers Ronen Atias and Ofer Gayer explained in the blog post:

"The DDoS attack was enabled by a Persistent XSS vulnerability that allowed the offender to inject JavaScript code into the <img> tag associated with the profile image. As a result, every time the image was used on one of the site’s pages (e.g., in the comment section), the malicious code was also embedded inside, waiting to be executed by every future visitor to that page."

The code instructed their browsers to send one web request per second to the DDoS victim, flooding the target with some 20 million GET requests, Gaffan added. One request a second is manageable for most sites. But as Atias and Gayer wrote:

"When dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively creating a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos."

Does that reference to cat videos narrow the compromised site down to YouTube.com? Gaffan isn’t saying. Yet.

"I can’t disclose the domain name in question at this time until the vulnerability is fixed," he said.

'Clever' Attack

The attack comes on the heels of the release of Incapsula's 2013-2014 DDoS Landscape report, which found attacks have increased 240 percent in the past year. The report notes:

"2013 was a game-changing year for DDoS attacks, with higher-than-ever attack volumes and rapid evolution of new attack methods. Now, the perpetrators are looking to raise the stakes even higher by introducing new capabilities, many of which are specifically designed to abuse the weaknesses of traditional anti-DDoS solutions. As a result, in 2014, many IT organizations will need to rethink their security strategies."

To understand what happened, you have to understand a few basics.

A malicious hacker uses a DDoS attack to make a computer resource — be it a website, application, email, voicemail or network — stop responding to legitimate users. As Gaffan explained, the target becomes overwhelmed by the attacker’s requests. That can cause it to stop responding, resulting in long delays and outages.

In a conventional DDoS, the malware-infected computers are called zombies, because they do whatever the DDoS perpetrators command them to do. This attack, Gaffan noted, needed no infection and was device agnostic: because it ran as JavaScript in the browser, it didn't matter whether someone was using the compromised site from a PC, a Mac or a mobile device.

Cross-Site Scripting (XSS) flaws result from improper filtering and encoding of user-supplied input, and can allow attackers to inject unauthorized script code into web pages that other users then load.


By all accounts, the attack was ingenious. As one hacker told me today, "By using an XSS vulnerability, there was no need for any malware to be installed on the user's computer. It's very clever and would have worked on almost anybody's computer, regardless of operating system or antivirus software. All that is needed is for someone to load the website in a browser, and the attack is on. The problem with this is that it is very easy to fix from the website side of things."

The video site could have prevented this code from being executed by looking out for XSS vulnerabilities in its code. "Every site should have good coding practices and security," Gaffan added.

But Why?

That's the big unanswered question. Hackers engage in DDoS attacks out of anything from boredom to proof of concept to literally anything else you can imagine, from anonymous hacktivism (breaking into a computer system for a politically or socially motivated purpose) to business feuds.

"Sometimes the attacks are launched by competitors," Gaffan said. More often, the motive is ransom: attackers will take down a site and then offer to restore it for a payment as low as $300. Because the ransom requests rarely exceed $1,500, many businesses will opt to pay it rather than deal with the consequences of an extended outage.

That, of course, only fuels the possibility of future attacks, Gaffan said.

It will be interesting to see what evolves with this incident, especially if Incapsula releases more details about the compromised and target sites. For now, you may want to resist the urge to watch too many viral videos, no matter how much those kittens of any species entice you.

Title image by Asa Aarons/all rights reserved.