A cybercriminal group going by the name “DD4BC” is blackmailing financial institutions, threatening to take down their customer websites unless they pay a hefty bitcoin ransom.
DD4BC – which stands for “DDoS for Bitcoin” (Distributed Denial of Service for Bitcoin) – has been targeting firms since mid-2014, so far evading international police forces.
The group initially hit bitcoin mining companies, exchanges and online casinos with a handful of attacks per month. But over the last few months it has ramped up activity and turned its attention to the financial sector – banks, brokerages and automated clearing houses in Europe, Australia and the U.S. To date, the group has carried out almost 150 attacks, 58 percent of which have been directed at financial service companies, according to research by Akamai published on Wednesday.
The U.K. National Computer Emergency Response Team (CERT UK), which runs a national cyber-threat data-sharing initiative, confirms a “marked increase” in reports of DDoS attacks by DD4BC against its partners – which include Lloyd’s Bank and BAE Systems, though there is no suggestion they have been hit.
As cyber-attacks go, DDoS is a blunt instrument. It involves hammering a target website with traffic using a distributed network of computers under the control of one attacker. The aim is to flood the site with traffic to the point that its web server crashes and the site goes offline.
There is a commercial impact – estimated by Neustar to cost up to $100,000 per hour – but these attacks predominantly damage brand perception. “It represents vulnerability,” says Cisco’s Adam Philpott, who heads up cybersecurity in Europe. “If I can’t access the service of an organization that’s handling a significant amount of my money, how can I trust it?”
DDoS extortion is not new, but DD4BC is particularly prolific.
“They’ve been industrializing their operation – doing it at a scale and level that has not been seen before,” adds James Chappell, co-founder of security firm Digital Shadows.
The group is going for second- and third-tier financial organisations – ones that have money but not necessarily the defences or technical acumen to deal with a DDoS assault.
Attacks work like this: DD4BC starts a small “demonstrative” attack that lasts less than an hour, to show its capabilities. Then it emails the organisation with links to media coverage about previous attacks to show legitimacy. Within the email are the group’s demands – anywhere from 25 bitcoin ($6,150) to 100 bitcoin ($25,000) – along with a deadline.
“They do their homework, make themselves well-heard and they follow up their threats,” says Morten Kjaersgaard, chief executive of Copenhagen-based Heimdal Security.
“If the organization doesn’t pay – and they shouldn’t – they’ll be hit with another DDoS attack with a larger volume and the price will go up. If they [DD4BC] perceive that the organization is taking defensive measures, the extortion payment will increase further,” adds Roland Dobbins, from Arbor Networks’ security engineering and response team.
To Pay or Not to Pay?
According to Dobbins and Kjaersgaard, DD4BC shows a medium level of technical competence, savvy enough to understand bitcoin and to switch between a range of DDoS techniques to find a website’s Achilles heel. However, the perpetrator is using off-the-shelf DDoS attack services – hired out nominally to stress test websites – instead of writing its own code.
By going after such a heavily regulated and valuable industry as banking, DD4BC has attracted the attention of law enforcement and intelligence agencies. The UK’s National Crime Agency wouldn’t comment on DD4BC specifically, but told Bloomberg that it was “aware of” the group’s methods. In the U.S., the Financial Industry Regulatory Authority warns that several members have been affected, and urges victims to contact the FBI.
The advice from security specialists is never to pay such a ransom – it will show your company to be a soft target and damage its reputation.
That hasn’t stopped a number of businesses, including bitcoin gambling company Nitrogen Sports and at least one unnamed bank, from doing so, say researchers. Nitrogen Sports told BitcoinGamblingGuide it paid up to buy time and put additional protections in place.
The good news? Extra server capacity and defense systems can help a target survive a DDoS attack. The bad? While DD4BC is high-profile, it is just one of many cyber-threats faced by financial institutions, such as banking trojans, many of which are more damaging, if less visible.
In the meantime, one company has taken matters into its own hands by placing a bounty of 100 bitcoin (around $25,000) on DD4BC’s digital head. Bitalo was contacted last year and refused to play ball.
“We decided to post the bounty to raise awareness and try and get some insider information,” says CEO Martin Albert. Despite a number of leads, the bounty hasn’t been claimed.