A loose affiliation of WikiLeaks supporters has come forward online to clarify why they’ve launched data-flooding attacks on Visa (V) , MasterCard (MA) , eBay’s (EBAY) PayPal and other sites that pulled services from the organization, under fire for releasing classified U.S. diplomatic cables.
A press release attributed to the group “Anonymous” was posted Friday at file-sharing site dump.no defines the participants as “not a group of hackers” but “Internet citizens ... fed up with all the minor and major injustices we witness everyday.” The group claims Operation Payback, as the attacks are called, seeks only a legitimate expression of dissent.
“We do not want to steal your personal information or credit card numbers. We also do not seek to attack critical infrastructure of companies such as MasterCard, Visa, PayPal or Amazon (AMZN) ,” the release stated. “We focused on their corporate websites, which is to say, their online ‘public face’. It is a symbolic action ... .”
Prominent Web sites targeted by WikiLeaks hacktivists appear largely back to normal after some suffered outages and slowdowns in the past couple days. Among the big sites, only Visa had much of a notable slowdown in the past 24 hours as of late Thursday, according to Internet services firm Netcraft, which is keeping a log. That showed about 16% of page-display requests failing.
Thursday PayPal Chief Information Security Officer Michael Barrett blogged that: “You may have read that PayPal is one of the sites that has been targeted by supporters of WikiLeaks, who want to bring our site down because they disagree with our business decision to stop working with WikiLeaks. I want to let you know that all PayPal sites are fully operational. ... We can confirm that there have been multiple attempted distributed denial of service (DDoS) attacks on www.paypal.com this week.”
The attacks were not successful, he said, though customers might see slightly slower load times this week.
A Dutch youth has been arrested in connection with the WikiLeaks-affiliated attacks on some sites, as we reported in IBD’s Click blog on Thursday.
Many of the people participating in the hacktivist attacks are believed to be using the “Low Orbit Ion Cannon” tool to automate sending data traffic to a site, in an attempt to flood it enough so that legitimate users can’t reach the site. In this way, the hacktivists are taking part in a voluntary botnet. Till now, botnets have characteristically formed by searching for vulnerable computers, infecting them, and recruiting them to attack sites — against the will of the computer’s owner and often without his awareness.
While the attacks are framed by Anonymous as just a protest against “underhanded methods ... to impair WikiLeaks’ ability to function,” denial of service attacks have long been illegal. After the first major spate of denial-of-service attacks knocked big sites offline in 2000, U.S. Attorney General Eric Holder, who was then deputy AG, testified to Congress: “In addition to the malicious disruption of legitimate commerce, so-called ‘denial of service’ attacks involve the unlawful intrusion into an unknown number of computers, which are in turn used to launch attacks on the eventual target computer, in this case the computers of Yahoo (YHOO) , eBay, and others. Thus, the number of victims in these types of cases can be substantial, and the collective loss and cost to respond to these attacks can run into the tens of millions of dollars — or more.”
This week tech security and network availability firm Radware (RDWR) described some of the difficulties denial of service attacks pose.
“What we observe now is cyber-retaliation,” Radware’s Director of Security Products Ron Meyran said in an e-mail. “Rather than hiring a service, WikiLeaks activists download and distribute attack code among group members to form an ad-hoc botnet, which is then coordinated into DDoS attacks, shutting down sites that have followed government pressure and closed Wikileaks or its founder’s accounts.”
He says the attacks themselves are hard to defend against, and standard network security tools can’t differentiate between real users and machines without impacting their business — their services see all transactions as legitimate.