A FINRA memo dated June 19, 2015 announces that an increasing number of member firms have been subjected to DDoS attacks originating from a cyber-criminal group called DD4BC.
This is the latest in an ongoing effort by cyber criminals to extort money from, and disrupt, online businesses. DD4BC is one of the most active groups conducting DDoS attacks across industries, demanding ransom payments in exchange for restoring website service. Many businesses do not understand what a DDoS attack is or how one occurs, nor do they know what to do if they become the subject of an attack.
Ransom demands for large firms can run from several thousand to hundreds of thousands of dollars in Bitcoin. The danger in paying DDoS blackmailers is that it encourages further attacks; in some cases the attackers have returned with repeated attacks and repeated blackmail demands.
FINRA is notifying financial and securities firms to be on the lookout for these types of attacks and be prepared with a plan in place to mitigate damages and reduce business disruption.
What is a DDoS attack?
Distributed Denial of Service (DDoS) attack, defined: a malicious attempt to make a server or a network resource unavailable to its users, usually by temporarily interrupting or suspending the services of a host connected to the Internet.
A DDoS attack differs from a plain Denial of Service (DoS) attack in that the server under attack is inundated with traffic from many sources at once rather than from one. That makes it very difficult to tell legitimate traffic from attack traffic, and it defeats the simple fix for a single-source DoS, which is blocking the offending address.
How does it work:
DDoS attacks usually involve many compromised systems (a botnet), often infected with a Trojan or other malware that lets the attacker control them remotely. The attacker directs all of these systems at a single target at the same time, so the target receives far more traffic than any one machine could send. The victims of a DDoS attack are therefore both the targeted system and the owners of the compromised systems that are being misused in the distributed attack.
What does a DDoS do:
In a DDoS attack, incoming traffic floods the victim's website and servers with inbound requests from many different sources, potentially hundreds of thousands of locations. Because the requests arrive from thousands of addresses, the attack cannot be stopped simply by blocking a few IP addresses (something you can often do for a regular DoS attack). Under a DDoS attack it becomes very difficult to distinguish legitimate user traffic from attack traffic, and the site fails because its bandwidth, connection capacity or application servers cannot handle the load.
Attacks on FINRA Member firms and Financial Services
The DDoS attacks FINRA is cautioning about render a website or network unavailable to its intended users by sending an overwhelming number of requests to the site, causing it to fail to load, time out, or show connection or certificate errors (reported by customers as the site being "unsecure") when legitimate users try to access it.
Cyber Crime Group DD4BC makes extortion demands on targeted systems
The end goal for DD4BC in these attacks is extortion. DD4BC first sends a firm an email announcing its plan to target the firm's website with a DDoS attack and stating that the attack can be avoided by paying a ransom in Bitcoin. To prove it is serious, DD4BC launches a short demonstration attack, with the threat of larger attacks if the ransom is not paid within 24 hours.
A bounty on the DD4BC cyber crime group
The Bitcoin community and other firms are fighting back. A recent threat against Bitalo.com (a bitcoin exchange) resulted in Bitalo offering a reward of 100 times the amount DD4BC had demanded for information on the group. Other would-be blackmail targets have likewise pledged bitcoin rewards for information leading to the arrest and conviction of the DD4BC criminals.
What to do if faced with an attack:
A firm's first point of contact in the event of an attack is the local FBI field office, Cyber Crimes division. The FBI works diligently at tracking and capturing these cyber criminals, and the earlier it has information about an attack, the better its chances of locating the criminals and alerting other firms to the danger. FINRA is also asking that financial firms notify the SEC and FINRA; they will use this information to gauge the extent of attacks on the industry and help firms stop these crimes.
FINRA contacts for DDoS attacks:
David Kelley, Surveillance Director (816) 802-4729
Chris Longobucco, Regulatory Principal, IT Controls (312) 899-4394
Len Smuglin, Principal Examiner (212) 416-1595
Prepare in advance for an Attack:
Most DDoS attacks start as a sharp spike in traffic. Familiarize yourself with the typical inbound traffic statistics for your website by generating daily and weekly traffic reports, so that you know what normal looks like and a spike stands out against that baseline.
Work with your website host to "overprovision" bandwidth for your website. This can often be done for very little additional cost. While it is not likely to prevent damage from a large attack, it can add a few minutes of lead time. Many hosting companies can also set up alerts to notify you of a sudden spike in bandwidth usage.
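The two points above, knowing your normal traffic and noticing the spike early, together with the earlier observation that a flood from many sources cannot be stopped by blocking a few addresses, can be turned into a small check that runs over your own web server logs. The following is an added example written for this article, not code from FINRA, DD4BC or RND Resources. It parses access-log lines in the standard Apache/Nginx "combined" format, builds a requests-per-minute baseline from a quiet period (standing in for the daily and weekly reports), flags minutes that exceed a multiple of that baseline, and for each flagged minute reports how many distinct sources were involved and how much of the traffic the single largest source sent. The log lines are constructed for the demonstration using documentation IP ranges; the five-times-baseline threshold and the minimum of 20 requests per minute are assumed tuning values.

```python
"""Baseline requests-per-minute from web access logs and flag sudden spikes.

Added example for this article (not FINRA, DD4BC or RND Resources material).
The log lines are constructed for the demo, in Apache/Nginx "combined" format,
using documentation IP ranges (198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median

# ip ident user [timestamp] "request" status size   (referer/user-agent ignored)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (minute, source_ip) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT).astimezone(timezone.utc)
    return ts.replace(second=0, microsecond=0), m.group("ip")


def build_minute_series(lines):
    """Map each minute to a Counter of requests per source IP."""
    series = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            minute, ip = parsed
            series[minute][ip] += 1
    return dict(series)


def detect_spikes(series, baseline_minutes, factor=5.0, min_abs=20):
    """Flag minutes whose request count exceeds factor x the baseline median.

    The baseline is the median of the first `baseline_minutes` minutes, standing
    in for the daily/weekly traffic reports the text recommends (factor and
    min_abs are assumed tuning values). Each alert also reports how many distinct
    sources were involved and the largest single source's share of the traffic:
    one or a few sources dominating is an ordinary DoS that IP blocking can stop;
    hundreds of sources each sending a little is a DDoS, and blocking will not.
    """
    minutes = sorted(series)
    counts = [sum(series[m].values()) for m in minutes]
    base = median(counts[:baseline_minutes])
    threshold = max(base * factor, min_abs)
    alerts = []
    for m, c in zip(minutes, counts):
        if c <= threshold:
            continue
        top_ip, top_n = series[m].most_common(1)[0]
        alerts.append({
            "minute": m.strftime("%Y-%m-%d %H:%M"),
            "requests": c,
            "baseline_median": base,
            "distinct_sources": len(series[m]),
            "top_source": top_ip,
            "top_source_share": round(top_n / c, 3),
        })
    return alerts


def constructed_log():
    """Constructed sample: 10 quiet minutes, a 2-minute flood from 200 bots,
    then 1 minute of a single-source flood, all on 19 Jun 2015 from 09:00 UTC."""
    def entry(minute, second, ip):
        return (f'{ip} - - [19/Jun/2015:09:{minute:02d}:{second:02d} +0000] '
                f'"GET /index.html HTTP/1.1" 200 512')
    lines = []
    normal_ips = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "203.0.113.7"]
    for minute in range(13):                    # legitimate users: 4 requests/min
        for i, ip in enumerate(normal_ips):
            lines.append(entry(minute, i * 15, ip))
    for minute in (10, 11):                     # distributed: 200 hosts x 2 requests
        for n in range(200):
            bot = f"192.0.2.{n + 1}"
            lines.append(entry(minute, (n * 7) % 60, bot))
            lines.append(entry(minute, (n * 7 + 30) % 60, bot))
    for n in range(300):                        # single-source: 300 requests, one IP
        lines.append(entry(12, n % 60, "203.0.113.99"))
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(build_minute_series(constructed_log()), baseline_minutes=10):
        print(alert)
```

Run against the constructed log, the check flags three minutes. The two flood minutes show 204 distinct sources with the top source responsible for about half a percent of the traffic, which is the signature of a distributed attack and the signal to involve your host or a scrubbing service rather than your own firewall. The third minute shows 5 sources with one address sending about 99% of the requests, the single-source case where blocking that address is a reasonable first step. On a real server you would feed it the live access log and use a baseline drawn from the same hour on previous days rather than the first ten minutes.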
What is your response plan:
Prevention is the best strategy. Have your systems evaluated against best practices before an attack starts. If you need help, there are DDoS mitigation firms that specialize in detecting, monitoring and blocking attack traffic. Determine where your systems are weak and make the changes needed to improve their resilience.
Have a contingency plan in place to reach customers if the firm’s website is unavailable. Alternative communication methods include customer service phone support and cloud based communication portals.
Maintain email and VoIP phone service on different servers, and ideally a different network connection, than your website. A DDoS attack tends to cripple everything that shares the targeted server or its connection. Hosting these services on separate infrastructure keeps your communications with customers working during an attack and limits the exposure of confidential email lists and customer data to whatever happens on the web server.
What to do if you are under attack:
Call your website hosting company or ISP to let them know what is happening. They may be able to make routing adjustments to your traffic and prevent malicious traffic from reaching your website.
DDoS mitigation and monitoring services can also provide assistance. If needed, website hosts and ISPs can direct you to a company that specializes in scrubbing traffic and diverting attack traffic away from your site during a DDoS attack.
If the attack lasts a relatively long time, redirect your site to a separately hosted "We Are Down" landing page for customers, and use it to provide alternative ways to reach your firm. This reassures customers and saves them the frustration of repeated unsuccessful attempts to reach your company online.
RND Resources provides Cyber-Security risk assessment and regulatory compliance consulting to Securities Brokerage firms. Regulatory firms like FINRA and the SEC are strengthening cyber security standards for member firms and increasing sanctions on firms with weak cyber infrastructures. Ask us to review your procedures and controls for sound governance.