Incapsula mitigated an application-layer distributed denial-of-service (DDoS) attack against one of its customers earlier this week. The attack is notable because the cybercriminals leveraged a vulnerability in a popular website to carry it out.
Traffic-hijacking techniques were used to flood the targeted site with over 20 million GET requests from 22,000 web browsers.
It’s important to note that the site allows users to sign in with their own profiles. The attackers exploited a persistent (stored) cross-site scripting (XSS) vulnerability that let them inject malicious code into the <img> tag associated with a user’s profile image.
This meant the malicious code was embedded wherever that image was rendered. Whenever someone visited a page containing the image, the malicious code executed in their browser.
“There, an Ajax-scripted DDoS tool hijacked the browser, forcing it to issue a DDoS request at a rate of one request per second.”
One request per second might not seem like much for a large DDoS attack, but since the compromised site is a popular video site that gets thousands of views every minute, the aggregate effect can be disruptive.
To increase the attack’s efficiency, the attackers posted comments containing the maliciously crafted images on popular videos. While the site’s visitors were watching the videos, some of them 30 minutes long, their browsers were unknowingly helping the cybercrooks disrupt the targeted website for as long as the page stayed open.
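The following is an added example, not Incapsula’s or the video site’s code, showing the mechanism behind the stored XSS described above: when a page builds the profile <img> tag by string concatenation, an attacker-controlled image URL can close the src attribute and add an event handler that runs whenever the image is rendered. The hardened renderer validates the URL and escapes it before it reaches the attribute. The field name `imageUrl`, the template shape, the default-image path and the `loadTool()` handler name are assumptions for illustration; the payload is constructed and does not fetch anything.

```javascript
// Added example (not the video site's or Incapsula's code): stored XSS via a
// profile-image URL rendered into an <img> tag, beside a hardened renderer.
// Field names, template shape and the payload are assumptions for illustration.

// Vulnerable renderer: the stored profile image URL goes straight into the
// src attribute, so a value containing a double quote breaks out of it.
function renderAvatarVulnerable(profile) {
  return '<img class="avatar" src="' + profile.imageUrl + '">';
}

// Escape the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Allow only absolute http(s) URLs; anything else (relative junk, javascript:,
// data:) falls back to a default image. new URL() also percent-encodes quotes
// and whitespace in the path, so the value cannot carry a raw attribute break.
function safeImageUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch (e) {
    return '/static/default-avatar.png';
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return '/static/default-avatar.png';
  }
  return url.href;
}

// Hardened renderer: validate the URL, then attribute-escape it (two layers).
function renderAvatarSafe(profile) {
  return '<img class="avatar" src="' + escapeAttr(safeImageUrl(profile.imageUrl)) + '">';
}

// Constructed payload: closes the src attribute and adds an onerror handler
// that fires as soon as the broken image is rendered. In the attack described
// in the article this handler is where the Ajax DDoS script would be pulled in;
// loadTool() is a hypothetical name, nothing here makes a request.
const attackerProfile = {
  imageUrl: 'x" onerror="loadTool()',
};

console.log('vulnerable:', renderAvatarVulnerable(attackerProfile));
console.log('hardened:  ', renderAvatarSafe(attackerProfile));
```

Note that escaping alone would stop the attribute breakout but still let a `javascript:` URL through in some older browsers, and URL validation alone would not stop a quote that survives parsing in another position; the two checks are deliberately layered.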
Incapsula’s systems quickly blocked the attack, and the company intercepted the malicious requests in an effort to track down the source. That is how it identified the video site.
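The article does not say how the intercepted requests pointed back to the video site. As an added example, not Incapsula’s tooling, the block below shows one common way to do it, under the assumption that the hijacked browsers sent a Referer header naming the page the script ran on: group the intercepted requests by referring origin and count distinct clients, then flag clients whose steady cadence (about one request per second) looks scripted rather than human. The log format and every entry are constructed; the addresses are documentation ranges.

```javascript
// Added example, not Incapsula's code: attribute a browser-based flood to the
// site hosting the injected script by grouping requests on their Referer
// header, and flag clients with a scripted one-request-per-second cadence.
// Using Referer for attribution is an assumption; the log lines are constructed.

const SAMPLE_LOG = [
  '2014-03-26T10:00:00Z 203.0.113.5 GET /?v=1 "https://video.example/watch?v=abc"',
  '2014-03-26T10:00:01Z 203.0.113.5 GET /?v=2 "https://video.example/watch?v=abc"',
  '2014-03-26T10:00:02Z 203.0.113.5 GET /?v=3 "https://video.example/watch?v=abc"',
  '2014-03-26T10:00:00Z 198.51.100.7 GET /?v=1 "https://video.example/watch?v=xyz"',
  '2014-03-26T10:00:01Z 198.51.100.7 GET /?v=2 "https://video.example/watch?v=xyz"',
  '2014-03-26T10:00:05Z 192.0.2.9 GET /about "https://search.example/?q=target"',
  '2014-03-26T10:00:40Z 192.0.2.9 GET /contact "-"',
];

// Parse one line: timestamp, client, method, path, quoted Referer ("-" if none).
function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$/.exec(line);
  if (!m) return null;
  let refOrigin = null;
  if (m[5] !== '-') {
    try { refOrigin = new URL(m[5]).origin; } catch (e) { refOrigin = 'invalid'; }
  }
  return { time: Date.parse(m[1]), client: m[2], method: m[3], path: m[4], refOrigin };
}

// Median gap in seconds between consecutive requests from one client.
function medianIntervalSeconds(times) {
  if (times.length < 2) return null;
  const sorted = times.slice().sort((a, b) => a - b);
  const gaps = [];
  for (let i = 1; i < sorted.length; i++) gaps.push((sorted[i] - sorted[i - 1]) / 1000);
  gaps.sort((a, b) => a - b);
  const mid = Math.floor(gaps.length / 2);
  return gaps.length % 2 ? gaps[mid] : (gaps[mid - 1] + gaps[mid]) / 2;
}

// Group requests by referring origin; most requests first. The origin at the
// top with many distinct clients is the likely host of the injected script.
function attributeByReferer(lines) {
  const byOrigin = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const key = r.refOrigin || '(none)';
    if (!byOrigin.has(key)) byOrigin.set(key, { requests: 0, clients: new Set() });
    const entry = byOrigin.get(key);
    entry.requests += 1;
    entry.clients.add(r.client);
  }
  return [...byOrigin.entries()]
    .map(([origin, e]) => ({ origin, requests: e.requests, clients: e.clients.size }))
    .sort((a, b) => b.requests - a.requests);
}

// Flag clients that sent at least minRequests with a median gap at or under
// maxMedianGap seconds; a fixed timer in a hijacked browser produces exactly that.
function steadyClients(lines, maxMedianGap = 1.5, minRequests = 3) {
  const timesByClient = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    if (!timesByClient.has(r.client)) timesByClient.set(r.client, []);
    timesByClient.get(r.client).push(r.time);
  }
  const flagged = [];
  for (const [client, times] of timesByClient) {
    const gap = medianIntervalSeconds(times);
    if (times.length >= minRequests && gap !== null && gap <= maxMedianGap) flagged.push(client);
  }
  return flagged.sort();
}

console.log(attributeByReferer(SAMPLE_LOG));
console.log('scripted cadence:', steadyClients(SAMPLE_LOG));
```

Referer is only a hint: browsers omit or trim it under referrer policies, and an attacker can suppress it. In practice the origin count is combined with the cadence check and the per-client request volume before naming a source site, which is why the two checks are kept separate here.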
The website’s support team has been notified of the existence of the persistent XSS vulnerability.
Based on their analysis, Incapsula researchers determined that the attack they mitigated had only been a trial run. Shortly after the attack, the cybercriminals updated their command-and-control (C&C) domain to make the operation more robust.