A hacker group on Wednesday brazenly ramped up its antics as unrelenting waves of cyberattacks expose how poorly defended many networks are against Internet marauders.
“It’s becoming a big problem, because at the end of the day these guys are doing whatever they want,” said Panda computer security labs technical director Luis Corrons. “This is showing us that we have a long way to go to protect our systems and our information.”
US payroll-handling firm Automatic Data Processing on Wednesday joined a growing list of victims that has included Sony, the International Monetary Fund and Citibank.
Hackers calling themselves Lulz Security have claimed in recent weeks to have cracked into Sony, Nintendo, the US Senate, the Public Broadcasting System news organization and an Infragard company that works with the FBI.
The group is flaunting its notoriety with a telephone hotline for people to call and suggest targets for cyberattacks.
“Our number literally has anywhere between five and 20 people ringing it every single second,” members of the group said in a message on their @LulzSec Twitter account.
Setting up a telephone hotline was “kind of eccentric” given that the hackers could have easily set up an online forum asking for targets, according to Corrons.
“These guys are upsetting a lot of people,” Corrons said. “They think they will never be caught, and that could be their biggest mistake.”
Lulz has stepped into the spotlight during an unrelenting wave of cyberattacks with apparent motivations ranging from spying and profit to glory and activism.
“As we get more connected more of the time, the number of potential attackers is growing because anyone can do it from anywhere in the world,” Corrons said. “As the number of potential attackers grows, the number of successful attacks grows.”
Hacker group Anonymous, from which Lulz is believed to have formed, gained notoriety with cyberattacks in support of controversial website WikiLeaks.
Unlike cyber criminals, who amass armies of “zombie” computers by stealthily infecting machines with viruses, Anonymous relied on people who volunteered to install software in support of its campaigns, according to Corrons.
“Anonymous has been out there for years,” Corrons said, noting the group had launched attacks on music or movie firms taking people to task for pirated songs or films.
“When the WikiLeaks case came, they reacted fast and gained a lot of popularity,” he said.
Anonymous used a tried-and-true distributed-denial-of-service (DDoS) attack, which overwhelms websites with simultaneous requests for pages or other bits of content.
At times about 5,000 computers, each firing off about 10 requests per second, took aim at websites for Anonymous, according to Spain-based PandaLabs.
“There are not so many people now as there were a few months ago; I see fewer people connected,” Corrons said of Anonymous. “Maybe people are realizing that you can protest, but this is not the best way.”
Lulz may be related to Anonymous, but its tactics are more sophisticated.
Lulz cracks computer system defenses instead of simply flooding websites with page requests.
“In the Lulz group, they know what they are doing when it comes to breaking into places,” Corrons said.
“It’s their way to say the security here sucks and we are going to show you why,” he continued. “Based on the way they act, I would say they are young people.”
Other attacks reported in recent months, such as those on the IMF, weapons maker Lockheed Martin, and Gmail accounts connected to Chinese activists, bore signs of being the work of spies with political or financial objectives.
“This is showing us that we have a long way to go to protect our systems and our infrastructure,” Corrons said. “This is a failure from private companies and even security companies — there is a lot of room to improve.”