Hackers hid Carphone Warehouse breach with DDoS smokescreen – report
Crims aim to cause just enough chaos to get in and out
Hackers reportedly swamped Carphone Warehouse with junk traffic as a smokescreen, before breaking into systems and stealing the personal details of 2.4m customers.
Up to 90,000 customers may also have had their encrypted credit card details accessed, the UK-based mobile phone reseller admitted at the weekend. Customers with accounts at OneStopPhoneShop.com, e2save.com and mobiles.co.uk are understood to have been potentially affected by the data breach.
An unnamed source with knowledge of the attack on Carphone Warehouse told the Daily Telegraph that its online systems were getting swamped with junk traffic in the run-up to the discovery of the breach last Wednesday (August 5).
Cyber-crooks run DDoS attacks while carrying out more significant data breaches, either to keep security response staff too busy to follow up alerts that can provide an early warning sign of intrusion, or to trick them into relaxing security controls such as firewall rules.
As noted by the Torygraph, hackers are thought to have used DDoS attacks as smokescreens to disguise more serious assaults on Sony’s PlayStation Network in 2011 and against US banks since at least 2012. How this works, and the tools deployed in the case of attacks against banks, were explained in a 2013 Reg article.
The trick is to cause problems without rendering target networks completely inaccessible.
Dave Larson, CTO at DDoS mitigation specialist Corero Network Security, commented:
“These types of frequent and sub-saturating DDoS attacks are typically intended to distract corporate security teams, but leave enough bandwidth available for a subsequent attack to infiltrate the victim’s network, much like the incident reported against Carphone Warehouse.
“This technique of DDoS as a smokescreen is becoming a more commonplace threat, especially for any internet-connected business that is housing sensitive data, such as credit card details or other personally identifiable information.”
Carphone Warehouse, which is in the process of contacting customers affected by the breach, was yet to comment on the circumstances that led up to last week's breach. Carphone Warehouse's flacks referred our call seeking comment to its PR agency. El Reg will update this story if we do get a response. ®