A group of security boffins have joined police and intelligence spooks in a clandestine mission to identify those behind distributed denial of service (DDoS) extortion attacks against major banks.
An attacker using the handle DD4BC (DDoS for Bitcoins) is launching large DDoS attacks against banks and other big business in the UK, Europe, the US, and Australia and New Zealand demanding Bitcoin payment for the assaults to end.
The details of the secretive group, which boasts skills in actor attribution, are being kept under wraps to avoid tipping off the criminal who is thought to be a lone wolf.
Its work, says Roland Dobbins of Arbor Network's security engineering and response team, will likely precipitate an official intelligence investigation should the extortionist continue to launch DDoS attacks against big banks.
"There is a very, very active posse who are trying to identify the actor and intelligence agencies in some jurisdictions are after DD4BC," Dobbins told the AusNOG conference in Melbourne, Australia, today.
"There is no cross-jurisdictional taskforce set up yet as far as I know but there are some closed, vetted operational security groups trying to track down the threat actor.
"I think DD4BC is one person who is reasonably tech savvy but not an innovator."
The attacker will escalate the probe into a full investigation if they continue to hit banks, Dobbins says.
The attacker has targeted large organisations including banks and enterprises with DDoS attacks maxing out at 60Gbps. Demands are for payment of Bitcoins that vary in value depending on the resources of a victim, from one to 100 Bitcoins equating to US$227 to US$22,700.
Attacks will last between six to 15 hours before a demand is made using email. It continues with a subsequent higher extortion price if a victim raises security defences or does not make payment.
Dobbins says some targets have been hit up to 20 times.
The DDOS attacks are made through for-hire online booter or stresser services that are shooting relatively new Simple Service Discovery Protocol (SSDP) traffic which causes vulnerable embedded devices like smart TVs to fire unsolicited responses at a target.
That technique, detailed in Dobbins' side deck (PDF) is adopted by booter services and hard to combat since it resembles regular traffic.
He says there is no reason for embedded devices to use even for gaming, and urges all users to turn it off.
Victims of DD4BC should refuse to pay and inform police and networking colleagues to spread intelligence on the group.
So far at least one unnamed organisation has paid the ransom, despite that all victims deny doing so.
"Buy some time, pretend you speak a different language, but above all don't pay because the attackers will be back," he says. ®