Months of distributed denial of service attacks against major U.S. banks have evolved in magnitude and ferocity, causing service disruptions for online banking customers. They have also shown other attackers how to adapt and evolve the techniques used in those attacks.
Now someone appears to be building a formidable botnet of compromised WordPress sites that, some experts speculate, is likely to be used in a much larger attack. Like the late-stage bank DDoS attacks that used Web servers to generate unprecedented levels of traffic against online banking services, a botnet of WordPress servers could be just as disruptive.
Attacks against WordPress sites began last week, when several Web hosts and security experts reported brute-force attacks against administrative credentials that paired the user name “admin” with a list of common passwords. WordPress sites under attack would notice slower back-end operations, log-in difficulties, or downtime, since every guess is a request the server has to process.
Web host HostGator said it had seen more than 90,000 IP addresses involved in the attack. “The attack is well organized and very distributed,” wrote engineer Sean Valant on the company’s Gator Crossing blog.
Sucuri Security, a Web monitoring company in California, said the number of log-in attempts blocked on the customer sites it monitors more than tripled through the first two weeks of April, to more than 77,000 a day. Common user names such as “admin,” “test,” “administrator,” “Admin,” and “root” top the list of attempted log-ins, and “admin,” “123456,” “qwerty,” and many other common passwords are being tried against them in the brute-force attacks.
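To make that pattern concrete, here is an added example (not code from the article, nor from HostGator, Sucuri or CloudFlare) that scans combined-format web-server access logs for POSTs to wp-login.php, counts failed and successful attempts per source IP, and judges the aggregate rather than each IP in isolation. The log lines are constructed for the example, and the lockout and aggregate thresholds are assumptions to be tuned per site.

```python
"""Spot a distributed brute-force against wp-login.php in Apache/nginx
combined-format access logs. Added example; the sample lines below are
constructed, not real traffic, and the thresholds are assumptions."""
import re
from collections import Counter
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/wp-login.php"

# Constructed sample: four sources, each well under a 5-strikes-per-IP lockout,
# plus a visitor merely loading the form and one login that succeeds after a failure.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.45 - - [11/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.45 - - [11/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.99 - - [11/Apr/2013:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2851 "-" "Mozilla/5.0"
203.0.113.99 - - [11/Apr/2013:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def login_attempts(lines):
    """Yield only POSTs to wp-login.php. WordPress answers a failed login by
    re-rendering the form (HTTP 200) and a successful one with a redirect (302),
    so the status code separates failures from successes without the POST body."""
    for rec in map(parse_line, lines):
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == LOGIN_PATH:
            yield rec


def summarize(lines):
    """Per-IP failure and success counts plus the time span the attempts cover."""
    failures, successes, times = Counter(), Counter(), []
    for rec in login_attempts(lines):
        times.append(rec["ts"])
        if rec["status"] == 302:
            successes[rec["ip"]] += 1
        else:
            failures[rec["ip"]] += 1
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {"failures": failures, "successes": successes, "span_seconds": span}


def assess(summary, per_ip_lockout=5, min_sources=3, min_failures=5):
    """A per-IP lockout never fires when every source stays under its threshold,
    which is exactly what a large botnet lets an attacker do, so judge the
    aggregate as well. A success from an IP that also failed is the
    'credential guessed' signal worth paging on."""
    failures = summary["failures"]
    total = sum(failures.values())
    noisy = sorted(ip for ip, n in failures.items() if n >= per_ip_lockout)
    guessed = sorted(ip for ip in summary["successes"] if failures.get(ip, 0) > 0)
    if noisy:
        verdict = "single-source brute force"
    elif len(failures) >= min_sources and total >= min_failures:
        verdict = "distributed brute force"
    else:
        verdict = "normal"
    return {"verdict": verdict, "total_failures": total, "sources": len(failures),
            "noisy_ips": noisy, "guessed_ips": guessed}


if __name__ == "__main__":
    print(assess(summarize(SAMPLE_LOG.splitlines())))
```

Run against the sample, no single address reaches a five-strike lockout, yet eight failures from four sources in eight seconds is clearly one campaign, and 192.0.2.45 logging in right after a failure is the line to act on first. The same aggregation is what makes a 90,000-address attack visible when each address contributes only a handful of guesses.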
CloudFlare CEO Matthew Prince said the attackers could be using a botnet of home PCs to build a bigger arsenal of compromised machines.
“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” Prince said. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”
Attacks against U.S. banks spiked in January and again in March to upwards of 100 Gbps of traffic, sent from a relatively small number of compromised Web servers. The attackers, who claim to be protesting the movie “Innocence of Muslims,” favor Web servers as a launch pad for DDoS attacks because a server has far more processing power than a home PC and sits directly on a Web host’s high-bandwidth network.
In October, security company Prolexic identified one of the tools used in the bank attacks as an offshoot of the Brobot, or itsoknoproblembro, toolkit. The malware targets content management systems such as WordPress or Joomla and can launch high-bandwidth attacks at multiple targets simultaneously, a signature of the bank DDoS attacks.
Experts recommend that WordPress administrators change their log-ins, both user names and passwords: retire the default “admin” account in favor of a unique user name, and pair it with a strong password that is not reused elsewhere. Security plug-ins and two-factor authentication options are also available for WordPress, and CloudFlare has released a free tool that it says mitigates this attack.