Anonymous Could Lure Innocents In DDoS Attacks

Hacktivist collective Anonymous has made joining a denial-of-service attack as easy as clicking a link on a Twitter post, making it possible to gather an army of unwitting participants.

Graham Cluley, senior technology consultant for security vendor Sophos, was the first to report on Anonymous' new "tactical attack technique," which was used against the U.S. Justice Department Web site last week. The attack followed law enforcement's take down of Megaupload.com, a file-sharing site accused of costing the entertainment industry a half-billion dollars in losses from illegally shared movies, music and software.

Links posted on Twitter and elsewhere on the web pointed to a page on the pastehtml.com web site. Visiting the page would execute JavaScript that would use the visitor's computer to flood a web site of Anonymous' choosing with traffic. To avoid becoming a victim, people would have to disable JavaScript on their computers.

Previously, Anonymous encouraged sympathizers to install a program called LOIC, or Low Orbit Ion Canon, in order to join a DDoS attack. The latest technique ups the ante by making it possible to trick people into becoming participants. "This can of course be used on Facebook/Twitter and other sites to lure unsuspecting users," Carl Herberger, vice president of products at network security vendor Radware, said Tuesday in the company's blog.

Whether Anonymous can combine the technique with other software tools, beside JavaScript, to expand its capabilities is not known, Herberger said. In addition, security technology normally used to defend against DDoS attacks may not be effective against this new approach.

Overall, the new method "escalates the hactivist war and adds yet another effective technical technique to their (Anonymous) basket of tricks," Herberger said.