Mysterious DDOS Attack Against Top 50 Website


An undisclosed website which ranks within the global Alexa Top 50 has been disabled by a targeted DDOS attack. Reports have indicated that the affected website is a “high profile video content provider, which allows its users to sign in with their own profiles.”

The attack, which is currently being mitigated by cloud-based web security provider Incapsula, is unique in that it leverages a vulnerability in the comments section of videos posted on the site. This vulnerability has allowed the attacker to insert a small piece of JavaScript code into the <img> tags associated with profiles he or she has registered on the website. To carry out the DDOS, the attacker then used those modified profiles to comment on popular videos.

As a result, each time a real user viewed a video carrying one of the attacker’s comments, the malicious JavaScript ran in that user’s browser and hijacked it to take part in the DDOS. DDOSs, or Distributed Denials of Service, work by flooding a website’s server with more requests than it can handle; in this case the hijacked browsers sent HTTP “GET” requests to the target. This attack was designed to send 1 GET request per second for as long as the user kept watching the video. In all, the attack hijacked over 22,000 users’ computers and initiated over 20 million malicious GET requests to websites on the attacker’s CnC server.
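The root cause described above is a stored cross-site scripting flaw: the comments section accepted an `<img>` tag carrying attacker-supplied JavaScript. Below is an added example (not code from the affected site or from Incapsula) of the kind of allowlist sanitizer that closes this class of bug. It rebuilds comment HTML from an assumed policy of permitted tags and attributes, so event-handler attributes such as `onerror` and `javascript:` URLs can never reach the page. The sample comment and the `cdn.example` URL are constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist for user comments (an assumed policy, not the affected site's):
# only these tags, only these attributes, and only absolute http(s) URLs.
ALLOWED_TAGS = {"b", "i", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"img", "br"}


def safe_url(value: str) -> bool:
    """Accept only absolute http(s) URLs; rejects javascript:, data: and bare 'x'."""
    parsed = urlparse(value.strip())
    return parsed.scheme.lower() in SAFE_SCHEMES and bool(parsed.netloc)


class CommentSanitizer(HTMLParser):
    """Rebuilds comment HTML from the allowlist, discarding everything else.

    Event-handler attributes (onerror, onload, ...) are never in the allowlist,
    so script smuggled through an <img> tag cannot survive sanitisation.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[tuple[str, str]] = []  # (tag, what) for audit logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, "<tag>"))
            return
        kept = {}
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))      # e.g. ("img", "onerror")
            elif name in URL_ATTRS and not safe_url(value):
                self.dropped.append((tag, name))      # e.g. a javascript: URL
            else:
                kept[name] = value
        if tag == "img" and "src" not in kept:
            self.dropped.append((tag, "<no safe src>"))  # nothing left worth rendering
            return
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text nodes are re-encoded, never emitted raw


def sanitize(comment_html: str) -> str:
    """Return the allowlisted rendering of an untrusted comment."""
    s = CommentSanitizer()
    s.feed(comment_html)
    s.close()
    return "".join(s.out)


# Constructed sample comment of the kind the article describes: a profile
# image tag carrying an event handler that would run the DDoS script, plus a
# second tag whose src is itself a script URL.
MALICIOUS_COMMENT = (
    "Great video! "
    '<img src="https://cdn.example/avatar.png" onerror="runDdos()">'
    '<img src="javascript:runDdos()">'
)

if __name__ == "__main__":
    print(sanitize(MALICIOUS_COMMENT))
    # Great video! <img src="https://cdn.example/avatar.png">
```

The sanitizer keeps the benign avatar image but strips the `onerror` handler and drops the second image entirely because its only `src` is unsafe; the `dropped` list gives the application something concrete to log when a profile repeatedly submits handler attributes. Server-side sanitisation of this kind is the fix for the injection itself; a Content-Security-Policy header that forbids inline script is the usual defence-in-depth so that a sanitizer bypass cannot turn viewers' browsers into attack nodes again.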

WHOIS the Victim of this Attack?

Incapsula has yet to reveal the identity of the affected website because the vulnerability that has allowed for the attack has yet to be repaired. This is a commendable approach to resolution, because in the world of malware such revelations can often do more harm than good. Nevertheless, the press surrounding the attack has already clued the attacker in, and according to a blog post written just yesterday the attacker has already upgraded the DDOS tool used on their CnC server to a more powerful version. Incapsula has also stated that they believe this attack may merely be a trial run for something larger in the future.

In the coming days – or maybe even hours – the identity of the victim will likely be revealed. In the meantime, readers interested in playing detective might find it interesting to peruse Alexa’s Global Top 50:

http://www.alexa.com/topsites/global;0

Hint: It’s probably not YouTube ;)

Have a Great (Malware-Free) Day!