Symantec: Data-stealing hackers use DDoS to distract from attacks

Symantec says it has detected a new type of disguised attack that uses a distributed denial-of-service (DDoS) to draw a business's attention away from a more important security breach.

The multi-vector attack includes the DDoS as a bluff so it can quietly target another vulnerability, the company said at the RSA Europe 2012 conference in London on Tuesday.

"It's an attack where multiple seemingly different attacks are launched by an adversary on a target," Francis deSouza, Symantec's head of enterprise products and services, said during a keynote speech. "DDoSes have gone from being a blunt-forced attack to being a sophisticated diversionary attack to disguise another attack."

DeSouza said financial services companies handling vast amounts of data are most susceptible to these tactics.

In the past year, for example, phishing attacks have been directed at IT administrators at European banks, he noted. These eventually enabled malware to penetrate the banks' systems and steal login credentials.

As soon as the criminals had the login details, they launched the DDoS attacks against the banks. This was carefully timed so that it occurred on a Friday afternoon when IT departments were thinly staffed.

"Once the attack was launched, the IT department predictably moved resources to deal with DDoS attack," said deSouza.

While this was happening, the cybercriminals launched the real attack, which allowed them to grab and clone private data that could be used to steal money.

They then handed the operation over to the monetisation team, who created ATM cards, debit cards and credit cards, which were handed out to money mules.

The cybercriminal gang hired individual contractors who took the cards to ATM machines and drained $9m in 48 hours from a selection of accounts in cities across the world.

DeSouza argued that the most effective way to prevent attacks is not just to look out for DDoS but to look at the end-to-end attack in its entirety.

Multi-flank attacks

However, Art Coviello, executive chairman of RSA, told ZDNet that he has observed multi-flank attacks for several years.

"We ourselves are a victim of such attacks," said Coviello, referring to the security provider he represents. "We're only as strong as the weakest link, because an attack on one company could be used to perpetrate an attack on a second company, which could be used to perpetrate an attack on a third company.

"That just speaks to the level of sophistication that these guys are going to, and I do find it quite chilling."