WikiLeaks Supporters Hit PayPal And PostFinance

The Anonymous group of hackers who launch distributed denial of service (DDoS) attacks against the entertainment industry has refocused their campaign to target companies perceived to be anti-WikiLeaks. In response, the same group is also currently under a DDoS attack for supporting the whistleblowing site.

“We fight for the same reasons,” such as more transparency and stopping censorship, and will “attack those against” WikiLeaks, the group said in a statement on its Web site. The group plans to do several things, including organising distributed attacks on “various targets related to censorship”, according to the statement.

Attack and Counterattack

Dubbed Anonymous, the group has an ongoing “Operation Payback” campaign against “anti-piracy groups” and have targeted Motion Picture Association of America and the Recording Industry Association of America in the past, as well as the UK’s Intellectual Property Office.

The first victim of the group’s new campaign was PayPal, the online payment service owned by dBay. Anonymous knocked PayPal’s blog offline early on 4 December, because PayPal had ceased to process donations to WikiLeaks, according to the cyber-security researchers at Panda Labs.

WikiLeaks had been using PayPal to gather donations to keep its site online, but the PayPal service has prevented this, restricted the WikiLeaks site’s account for violating the Acceptable Use Policy with “activities that encourage, promote, facilitate or instruct others to engage in illegal activity”.

As PayPal’s blog went down, an announcement on Twitter said: “TANGO DOWN – thepaypalblog.com – Blog of PayPal, company that has restricted WikiLeaks’ access to funding.”

PayPal got the blog back online after eight hours and 15 minutes of total downtime and 75 service interruptions, according to the Panda Labs researchers.

It was not over, as a second attack hit the main PayPal site on December 6.

Shortly after, Anonymous apparently came under counter-attack. Its site became unavailable, “presumably under counter DDoS attack” said Panda Labs. The site carried a note confirming that it was under “heavy” DDoS attack more than six hours after it began.

Despite being hit, Anonymous targeted PostFinance, the Swiss bank that froze $41,000 (£26,000) in an account set up as a legal defence fund for WikiLeaks founder Julian Assange, on Monday afternoon. PostFinance’s Web site went offline around 5pm GMT according to Panda Labs. It remained offline for at least ten hours, but is now accessible.

DDoS becomes a protest medium

DDoS attacks are becoming the tool of choice for making a statement to protest “hacker injustice”, according to Noa Bar Yossef, a senior security strategist at Imperva. In classic attacks, hackers have been trying to make money, but Operation Payback’s supporters are using the attacks to “cripple a service, disrupt services, protest their cause and cause humiliation,” said Yossef.

In the classical scenario, the DDoS attacks are carried out by botnets comprised of zombies, computers belonging to innocent individuals who’d been tricked into downloading bot malware, he said. In Operation Payback, however, participants are “knowingly” downloading the “DDoSing malware itself,” and there is “no victimised machine” in this “act of defiance,” he said.

DoS attacks on WikiLeaks which began before the whistleblowing site was set to post more than 250,000 diplomatic documents, are also motivated by politics rather than greed. The attack was to punish WikiLeaks for “attempting to endanger the lives of our troops, ‘other assets’ & foreign relations”, according to “th3ef35t3r”, who claimed responsibility on Twitter.

The WikiLeaks.org Web site was down for “1 day 3 hours and 50 minutes”, according to Panda Labs. After a second DDoS attack by an unknown attacker, Amazon terminated its hosting services. On December 3, the site’s DNS provider, everyDNS, stopped service after yet another DDoS attack hit.

The first attack was a “simple DDoS” as he does not use “intermediaries or botnets”, according to th3ef35t3r’s Twitter account. The attack was carried out by the XerXeS tool, which can produce an automated DDoS attack from a single low-spec computer, according to Anthony Freed, of security site Infosec Island.

An Anonymous member posted on Twitter, “I’m not anti-government, anti-establishment, or anything of that sort. I’m just anti-… anti-WikiLeaks.”

Operation Avenge Assange

Anonymous is also circulating a statement titled “Operation Avenge Assange”, asking for supporters to join in the DDoS attacks and mirror WikiLeaks, among other actions. According to the WikiLeaks site, there are already over 350 mirror sites helping to keep the site’s content online.

Anonymous has not said who the next targets will be or whether the list will include Amazon and everyDNS. There is some speculation that the group will somehow target the French government for pressuring the Franch-based ISP OVH.co.uk to stop hosting the site.

“Whoever tries to silence or discourage WikiLeaks, favours world domination rather than freedom and democracy,” the group said.