Anonymous fooled bystanders into taking part in Megaupload revenge attacks

Last week’s attacks by Anonymous on music industry and government websites in revenge for shuttering file sharing site Megaupload took on a sinister turn when it came to light that the ad hoc collective had tricked bystanders into helping out.

Anonymous’ stock-in-trade is the DDoS or ‘distributed denial of service’ attack, where huge volumes of web traffic is directed to a particular website, overwhelming the servers and bringing the site down. Previously, Anonymous had relied on volunteers to use a tool called LOIC, which tapped into a network of compromised computers called a botnet to mount the attack.

This latest attack used a modified version of LOIC disguised as a website, which, as soon as it was opened, launched an attack from the misled user’s computer. Links to the website were distributed via Twitter, Facebook and Tumblr, and often looked innocent. Says Wired_:_

More from News & Analysis

What is the US HIRE Bill and why is India’s $250-billion IT sector worried? Is the internet dead? What's this theory that OpenAI's Sam Altman says might be true?

[caption id=“attachment_191373” align=“alignleft” width=“380” caption=“Anonymous may have shot themselves in the foot with this latest move. Not only is it likely to turn the tide of public opinion against them, but it may undermine the political points that they were attempting to make.AP Photo”]  [/caption]

“The trick snagged those who happened to click on a shortened link on social-media services, expecting information on the ongoing #opmegaupload retaliation for the US Justice Department’s takedown of popular file sharing site Megaupload. Instead they were greeted by a Javascript version of LOIC - already firing packets at targeted websites by the time their page was loaded.”

STORY CONTINUES BELOW THIS AD

Neither the old, downloadable version of LOIC nor this new, in-browser version hides users’ identities, and we’ve already seen LOIC users being tracked down and arrested. After last year’s revelation that LOIC didn’t protect the user, Anonymous said it was looking into new tools that would, but this in-browser version of LOIC is a big step in the opposite direction and not all anons are happy, explained Wired:

Several anons speaking to Wired on condition of anonymity voiced dismay that a tactic they consider to be the modern-day equivalent of a sit-in (denial-of-service attacks leave no lasting damage) was ethically corrupted by the new version.

“Preying on unsuspecting users is despicable,” said one anon, speaking to Wired in an online chat. “We need to fight for the user, not potentially land them in jail.”

And jail could be a possibility for anyone who had the misfortune to click on the link, says Graham Cluley from tech consultancy firm Sophos:

“I’m not sure if participants in this instance would get away with claiming that they innocently clicked on links by mistake. This change in tactic from Anonymous, which allows attacks to be launched by simply clicking on a link, means that Internet users need to be extremely careful when clicking on unknown URLs or they could unwittingly be joining this latest zombie army.”

However Jennifer Granick, a computer crime defence attorney, disagreed:

“If you are an unwitting participant then technically you’re not liable under the law because all criminal statutes, with some narrow exceptions, require some criminal state of mind, such as acting “knowingly” or “intentionally”. But even being part of a botnet could result in unwanted police attention anyway. That’s probably unlikely, depending on how many computers are involved in the DDOS attack.”

Granick was clear on the liability of those distributing the links, however:

“If you are a distributor of malware that targets a site, you can be liable for all damage that occurs to that site as a result of the malware functioning.”

This new technique for mounting DDoS attacks is disturbing, because it means that any link you see on Twitter or Facebook could potentially lead you to unknowingly take part in an attack. Kate Craig-Wood, managing director of Memset, a cloud hosting company, told the Financial Times:

“The hackers have combined technological and social engineering to further their political aims. I must admit some admiration - it is an elegantly simple method of empowering the people with the hackers’ skills, massively amplifying their capabilities.”

The technique is particularly successful on services like Twitter where links are routinely and often automatically obscured by link shortening services such as Bit.ly or Twitter’s own T.co. People are used to trusting their contacts and friends when links are sent around, simply clicking on whatever looks interesting. But when websites run scripts like LOIC without the visitor necessarily knowing, it changes the way that we need to think of even innocent-looking links sent to us by our friends.

Ultimately, though Anonymous may have shot themselves in the foot with this latest move. Not only is it likely to turn the tide of public opinion against them, but it may undermine the political points that they were attempting to make. Says Gawker’s Adrian Chen:

“It may greatly increase the effectiveness of today’s attacks, but it also renders them largely meaningless. Anonymous’ previous attacks had what political power they had because they were acts of conscious protest; participants knew what they were getting into. This recent round seems to be not much better than a Facebook worm. The safest thing now would be to avoid clicking anything to do with operation megaupload or Anonymous-especially if it’s a mysterious Pastehtml link.”

Anonymous has said that “5,635 people [were] confirmed using #LOIC to bring down sites,” but as Chen points out, there was “no word on how many of those were unwilling participants.”