WikiLeaks army 'Anonymous' eyes Bank of America with 'Operation BOA Constrictor'
| Boston
As "Anonymous" Internet users formulate plans to punish Bank of America for refusing to provide services to , a new report from Harvard University warns that Anonymous-style cyberattacks are a potent and increasingly common weapon.
Bank of America on Dec. 17 joined several other financial institutions in refusing to process financial payments for WikiLeaks, which has come under fire since its Nov. 28 decision to begin publicizing some 250,000 secret US diplomatic cables. The bank said in a statement that the secret-spilling organization “may be engaged in activities that are, among other things, inconsistent with our internal policies for processing payments.”
Almost immediately, online activists under the Anonymous banner began plotting “Operation BOA Constrictor” against the biggest US bank by assets. A source close to Anonymous confirmed to the Monitor that Operation BOA Constrictor is in the works.
At the Anonymous-frequented website “Truth Is Revolutionary,” a message thread created Dec. 18 was titled “”
“I would like to prepare, organize and coordinate with the upcoming WikiLeaks release of BOA material, a protest against the Bank of America. The protest could take any form,” states the first message, posted under the name “Zarly.” The same user later in the thread suggests protest methods such as “mass fax, flood email servers, mass sticker/poster campaign, sit-ins, phone-ins, various media blitz techniques, truth outs…”
There are Internet rumors that WikiLeaks has documents embarrassing or harmful to Bank of America. WikiLeaks founder Julian Assange said in an interview reported yesterday that he has dirt on a "major bank," which he didn't name.
BOA defenses against DDoS attacks
Noticeably absent from the above list of protest suggestions is distributed denial of service (DDoS) attacks, which is when a large number of computers simultaneously attempt to access a website, overloading it with information requests. Anonymous used DDoS attacks in its previous "Operation Payback" to briefly crash the websites of Visa and MasterCard after those companies earlier this month refused services for WikiLeaks.
However, Amazon, which kicked WikiLeaks off of its web server this month, was unaffected by DDoS attacks. The online retailer has strong defenses against cyber attacks.
Likewise, Bank of America probably confronts DDoS attacks regularly and likely has strong defenses, Rich Mogull, an analyst and CEO with the security research firm Securosis, told the .
Bank of America spokesman Scott Silvestri declined to comment on the matter when reached by phone and e-mail by the Monitor.
Harvard: DDoS used for political and criminal aims
Operation BOA Constrictor comes as Harvard University’s Berkman Center for Internet & Society released a report Dec. 20 warning that DDoS attacks are becoming more prevalent while remaining difficult for most websites to combat.
"With recent highly publicized DDoS attacks on WikiLeaks, and ‘Operation Payback’ attacks by ‘Anonymous’ on sites perceived to oppose WikiLeaks, we expect these attacks to become more common,” according to the report, titled “”
While Anonymous released a statement earlier this month saying its intent is not to harm the public, its DDoS attacks do have a monetary effect on website users who are in effect forced to pay higher costs so that MasterCard, Visa, and PayPal can beef up their anti-DDoS security, according to the Berkman Center’s report. It also warns that DDoS has in the past been utilized to blackmail victims for financial gains.
"By harnessing a large number of computers – often computers compromised by malware, allowing remote users to control the computers' behavior without the users' knowledge – criminals are able to render a website unusable, then seek ‘protection money’ from the site's owners. But DDoS is also used for a variety of non-financial reasons, including political ones," the report states.
So far, Anonymous’ actions appear to be merely political and not for financial gain, although Anonymous’ end-motives are unknown.
The weakness in DDoS
DDoS attacks were first seen in 1998, according to the report, when artist Ricardo Dominguez built FloodNet, a tool designed to allow activists to crash the websites of the Frankfurt Stock Exchange, the Pentagon, and Mexican President Ernesto Zedillo. In 2000, then-15-year-old Michael Calce used DDoS to take down the websites of Yahoo, Buy.com, eBay, CNN, Amazon.com, ZDNet.com, E*Trade, and Excite.
More recently, the organization “Help Israel Win” invited individuals to install “Patriot DDoS” on their PCs to attack a presumably Palestinian target.
During the Iranian Green Movement protests of 2010, protesters used DDoS attacks against President Mahmoud Ahmadinejad's website. The Berkman Center’s report also noted frequent attacks between certain countries, including Israel/Palestinian territories, Russia/Georgia, and China/USA.
The “Operation Payback” attacks require participants to download software named “Low Orbit Ion Cannon” (LOIC), which allows a computer to become part of a botnet controlled by administrators of the Anonymous group. These so-called voluntary botnet attacks are "powerful because they involve large numbers of compromised computers, each of which might be a legitimate user trying to reach a website.”
DDoS attacks using a voluntary botnet do have their weaknesses, the Berkman Center’s report notes. Among them is the willingness of a large number of people to participate. “One downside of this sort of attack for the attacker, however, is that a volunteer attack can be difficult to maintain, since it requires maintaining the interest and participation of the volunteers. It also suggests that attacks using this technique will be most likely to affect targets that can harness the ire of a large group,” the report states.
It remains to be seen what kind of interest Anonymous participants have in targeting Bank of America.
The Charlotte, N.C.-based bank has attracted widespread ire in the US for moving to foreclose on more than 100,000 homes this year. Bonus season, too, may set off frustration among a public that had to bail out America’s banks, including government funds for Bank of America, whose top directors might earn a $1 million bonus while top vice presidents could net $600,000, reported this week.