DDoS Attacks as a Smokescreen for Theft

A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems target a single victim, such as a website or server, causing a denial of service for its users. The flood of incoming messages or connection requests forces the target system to slow down, crash or even shut down altogether.

DDoS attacks are the worst nightmare for an IT team. The sudden flood of internet traffic they generate can bring a system tumbling down. This is even more serious if your business operates primarily online: an attack could cripple it, potentially even putting you out of business.

But DDoS attacks can also be used to disguise data theft, as happened with Carphone Warehouse two years ago. Hackers flooded Carphone Warehouse’s websites (including onephoneshop.com and mobiles.co.uk) with junk traffic as a smokescreen, before breaking into systems and stealing the personal details of 2.4m customers. In addition, up to 90,000 subscribers may have had their card details stolen.

This isn’t the first time DDoS has been used like this, either; in 2012 an attack was used to cover up illegal wire transfers from compromised bank accounts. The corporate bank accounts of California-based construction firm Ascent Builders had their funds illegally drained, and shortly after, the company’s banker was hit with a DDoS attack that bombarded it with traffic. As the theft was carried out, hidden behind the DDoS attack, Ascent was oblivious.

In 2014 the Federal Financial Institutions Examination Council, a government agency responsible for setting banking standards and principles, warned of the ongoing risk of DDoS attacks. It remarked that it “expect[s] financial institutions to address DDoS readiness as part of their ongoing information security and incident plans” and elaborated that “each institution is expected to monitor incoming traffic to its public website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers, if appropriate”. The agency encouraged banks that had not already done so to develop a DDoS readiness plan that assesses any risks in their systems.