Vandals Continue to Attack Smaller Web Sites : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

Copycat Attacks? Vandals Continue to Attack Smaller Web Sites; Investigation Goes Global

Feb. 18: While attacks against high-profile Web sites seem to have subsided for the moment in the U.S., assaults and pranks aimed at smaller sites are continuing around the globe, leading investigators to fear copycats might now be playing a role.

Over the weekend, RSA Security Inc., an Internet security company based in Bedford, Mass., became the victim of a cyber attack. A number of company-owned URLs which would normally direct traffic to the RSA main site redirected traffic to a spoof computer located at a university in Colombia, where a mimicked version of the RSA page was posted that read "RSA Security Inc. hacked. Trust us with your data. Praise Allah. Owned by Coolio."

Early in the week, Latin America witnessed a number of Web-related incidents, from the knocking offline of a newspaper portal in Colombia and a government election site in Peru to the defacement of sites in Mexico and Argentina with mocking graffiti. And yesterday the U.S. government shut down its EPA Web site, fearing vulnerabilities made public in recent media coverage would make it a target. As of Feb. 9, the FBI has opened four new investigations of distributed denial-of-service attacks. The current total is more than 17 investigations, including more than 13 where the victim suffered a distributed denial-of-service (DoS) attack, FBI spokeswoman Debbie Weierman said Thursday.

Only eight of the DoS victims have been identified publicly.

Tracing Attack Patterns

"The possibility of copycats is out there, as are other theories, with these piggyback incidents," Weierman said. As the investigation broadens, investigators won't reveal the patterns they have found in the logs of target and middleman computers that lead them to suspect some copycats are at work since such large, frequently used electronic commerce sites like eBay and were attacked last week. But one factor that contributes to the theory is the use of more than one type of tool to mount the attacks. Without saying when they have been employed, FBI Director Louis Freeh has identified three such tools: TFN for Tribal Flood Net, trinoo and stacheldraht (the German word for barbed wire). Some can be downloaded free from Internet sites.

Mafiaboy Suspected in Attacks

Michael Lyle, the chief technology officer for Recourse Technologies Inc., an Internet security company in Palo Alto, Calif., told that a hacker who calls himself mafiaboy is believed to be responsible for at least two of the attacks on leading Web sites. Chat room logs now in the possession of the FBI show that mafiaboy asked others what sites he should take down before the sites were attacked, Lyle said.

In a later conversation with Lyle, mafiaboy claimed credit for attacking, E*TRADE and several smaller sites, and he shared technical information that only someone involved in the attacks would know, Lyle said. Mafiaboy, who has been described as a 15-year-old Canadian, is believed to be a copycat who launched his attacks only after Yahoo! was knocked offline on Feb. 7. Dozens of hackers have claimed credit for the attacks in online chats, but Lyle says mafiaboy is the only one so far who appears to be credible.

Others Sought for Questioning

The FBI also interviewed a hacker called coolio in connection with last week's Web attacks, but he denied any involvement. Coolio is well known to authorities as a member of Global Hell, a group of teenagers who have hacked into White House and Department of Defense computer systems. The officials said members of Global Hell are still under investigation in connection with last week's Web attacks. The FBI began investigating after leading Web portal Yahoo! was attacked and made inaccessible for several hours on Feb. 7. Then, on Feb. 8,,, eBay and were assaulted. And on Feb. 10, technology site ZDNet and online trading site E*TRADE suffered attacks. As many as 13 Web sites may have been attacked. Known as denial-of-service attacks, the assaults effectively overloaded Web sites with mock traffic so that real users couldn't access the sites. The culprits took over computers in various parts of the world and used them to bombard the victims' sites with data

-- Martin Thompson (, February 21, 2000
