As "Anonymous" Internet users formulate plans to punish Bank of America for refusing to provide services to WikiLeaks, a new report from Harvard University warns that Anonymous-style cyberattacks are a potent and increasingly common weapon.
Bank of America on Dec. 17 joined several other financial institutions in refusing to process financial payments for WikiLeaks, which has come under fire since its Nov. 28 decision to begin publicizing some 250,000 secret US diplomatic cables. The bank said in a statement that the secret-spilling organization “may be engaged in activities that are, among other things, inconsistent with our internal policies for processing payments.”
Almost immediately, online activists under the Anonymous banner began plotting “Operation BOA Constrictor” against the biggest US bank by assets. A source close to Anonymous confirmed to the Monitor that Operation BOA Constrictor is in the works.
At the Anonymous-frequented website “Truth Is Revolutionary,” a message thread created Dec. 18 was titled “Proposal for new Ops: Operation BOA Constrictor.”
“I would like to prepare, organize and coordinate with the upcoming WikiLeaks release of BOA material, a protest against the Bank of America. The protest could take any form,” states the first message, posted under the name “Zarly.” The same user later in the thread suggests protest methods such as “mass fax, flood email servers, mass sticker/poster campaign, sit-ins, phone-ins, various media blitz techniques, truth outs…”
There are Internet rumors that WikiLeaks has documents embarrassing or harmful to Bank of America. WikiLeaks founder Julian Assange said in an interview reported yesterday that he has dirt on a "major bank," which he didn't name.
BOA defenses against DDoS attacks
Noticeably absent from the above list of protest suggestions are distributed denial-of-service (DDoS) attacks, in which a large number of computers simultaneously attempt to access a website, overloading it with information requests. Anonymous used DDoS attacks in its previous "Operation Payback" to briefly crash the websites of Visa and MasterCard after those companies earlier this month refused services for WikiLeaks.
However, Amazon, which kicked WikiLeaks off of its web server this month, was unaffected by DDoS attacks. The online retailer has strong defenses against cyber attacks.
Likewise, Bank of America probably confronts DDoS attacks regularly and likely has strong defenses, Rich Mogull, an analyst and CEO with the security research firm Securosis, told the Associated Press.
Bank of America spokesman Scott Silvestri declined to comment on the matter when reached by phone and e-mail by the Monitor.
Harvard: DDoS used for political and criminal aims
Operation BOA Constrictor comes as Harvard University’s Berkman Center for Internet & Society released a report Dec. 20 warning that DDoS attacks are becoming more prevalent while remaining difficult for most websites to combat.
“With recent highly publicized DDoS attacks on WikiLeaks, and ‘Operation Payback’ attacks by ‘Anonymous’ on sites perceived to oppose WikiLeaks, we expect these attacks to become more common,” according to the report, titled “Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites.”
While Anonymous released a statement earlier this month saying its intent is not to harm the public, its DDoS attacks do have a monetary effect on website users, who are in effect forced to pay higher costs so that MasterCard, Visa, and PayPal can beef up their anti-DDoS security, according to the Berkman Center’s report. It also warns that DDoS has in the past been utilized to blackmail victims for financial gains.
"By harnessing a large number of computers – often computers compromised by malware, allowing remote users to control the computers' behavior without the users' knowledge – criminals are able to render a website unusable, then seek ‘protection money’ from the site's owners. But DDoS is also used for a variety of non-financial reasons, including political ones," the report states.
So far, Anonymous’ actions appear to be merely political and not for financial gain, although Anonymous’ end-motives are unknown.
The weakness in DDoS
DDoS attacks were first seen in 1998, according to the report, when artist Ricardo Dominguez built FloodNet, a tool designed to allow activists to crash the websites of the Frankfurt Stock Exchange, the Pentagon, and Mexican President Ernesto Zedillo. In 2000, then-15-year-old Michael Calce used DDoS to take down the websites of Yahoo, Buy.com, eBay, CNN, Amazon.com, ZDNet.com, E*Trade, and Excite.
More recently, the organization “Help Israel Win” invited individuals to install “Patriot DDoS” on their PCs to attack a presumably Palestinian target.
During the Iranian Green Movement protests of 2010, protesters used DDoS attacks against President Mahmoud Ahmadinejad's website. The Berkman Center’s report also noted frequent attacks between certain countries, including Israel/Palestinian territories, Russia/Georgia, and China/USA.
The “Operation Payback” attacks require participants to download software named “Low Orbit Ion Cannon” (LOIC), which allows a computer to become part of a botnet controlled by administrators of the Anonymous group. These so-called voluntary botnet attacks are “powerful because they involve large numbers of compromised computers, each of which might be a legitimate user trying to reach a website.”
DDoS attacks using a voluntary botnet do have their weaknesses, the Berkman Center’s report notes. Among them is the willingness of a large number of people to participate. “One downside of this sort of attack for the attacker, however, is that a volunteer attack can be difficult to maintain, since it requires maintaining the interest and participation of the volunteers. It also suggests that attacks using this technique will be most likely to affect targets that can harness the ire of a large group,” the report states.
It remains to be seen what kind of interest Anonymous participants have in targeting Bank of America.
The Charlotte, N.C.-based bank has attracted widespread ire in the US for moving to foreclose on more than 100,000 homes this year. Bonus season, too, may set off frustration among a public that had to bail out America’s banks, including government funds for Bank of America, whose top directors might earn a $1 million bonus while top vice presidents could net $600,000, The New York Times reported this week.