UK parenting website Mumsnet has been hit by a new breed of cyber attack that combined several cyber elements with a physical one, highlighting the value of two-factor authentication.
The website was hit by a distributed denial of service (DDoS) attack, its admin hacked and data stolen, and then a hoax call sent armed police to the home of Mumsnet co-founder Justine Roberts.
Another team member was similarly targeted by a “swatting attack” – a type of harassment in which perpetrators cause armed police to be sent to the homes of victims, reports the BBC.
In Roberts’ case, the swatting attack was triggered last week while she was away on holiday by a call claiming that a woman had been murdered and that a family was being held by a gunman, according to a police spokesman.
Such attacks are more common in the US, where cyber criminals have used them against security researchers such as Brian Krebs who have exposed their identities and how they work.
According to a post on the Mumsnet website, the series of attacks started on 11 August with a DDoS attack that made it difficult for users to access the site.
During the attack, Mumsnet received about 17,000 requests per second, compared with its normal hit rate of 50 to 100 requests per second.
Access to the site was restored by the following morning, but a group calling itself DadSecurity claimed responsibility on Twitter for the denial-of-service and threatened further attacks.
Mumsnet was also targeted by a redirection attack in which visitors to the site were redirected to the @DadSecurity Twitter account, posts on Mumsnet were edited without their authors’ permission, and messages were posted that were not written by owners of the accounts they were posted under.
Mumsnet believes about 11 accounts were compromised, and although passwords for the site are encrypted, it has reset all user credentials as a precaution.
The series of attacks has prompted speculation, with several theories on how they were accomplished.
One theory is that attackers used a cross-site scripting (XSS) attack to redirect the login process to computers controlled by the attacker to harvest passwords as they were entered.
Another theory is that visitors to Mumsnet were redirected to a replica of the site that was under the control of the attackers and used to harvest user credentials.
Yet another theory is that the attackers gained access to Mumsnet staff accounts either because weak, easy-to-guess or easy-to-crack passwords were in use, or because they were the victims of a phishing attack.
All these theories underline the importance and value of using two-factor authentication (2FA) to access online accounts, according to independent security consultant Graham Cluley.
2FA for all remote access services is key to defending against industrial and government cyber espionage groups, according to a Dell SecureWorks report unveiled at the BlackHat USA 2015 security conference in Las Vegas.
Requiring users of online services, or at least administrators and staff, to provide a second factor for authentication, such as the one-time pass codes used by online banking services, means that even if usernames and passwords are compromised, attackers will not be able to access accounts.
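As an added illustration (not code from Mumsnet or from the report cited above), the sketch below shows a staff login that demands both a password and a time-based one-time code (TOTP, RFC 6238), so a harvested password alone is rejected and a code that has already been used cannot be replayed. The account, salt, password and the `login` and `hash_password` helpers are constructed for this example; the secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP window

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 one-time code (HMAC-SHA1) for the window containing `now`."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed staff account; the secret is the RFC 6238 test key.
SALT = b"constructed-salt"
STAFF = {"admin": {"pw": hash_password("correct horse", SALT),
                   "secret": b"12345678901234567890"}}

def login(user: str, password: str, code: str, now: float, used: dict) -> bool:
    """Grant access only if the password AND a fresh one-time code both verify."""
    acct = STAFF.get(user)
    if acct is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, SALT), acct["pw"])
    window = int(now) // STEP
    matched = None
    for w in (window, window - 1):  # tolerate one window of clock drift
        expected = totp(acct["secret"], w * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = w
            break
    if not pw_ok or matched is None:
        return False
    if used.get(user, -1) >= matched:  # code already spent: reject replay
        return False
    used[user] = matched
    return True

if __name__ == "__main__":
    used, t = {}, 1111111109
    print(login("admin", "correct horse", "", t, used))  # password only
    print(login("admin", "correct horse", totp(STAFF["admin"]["secret"], t), t, used))
```

The `used` map must live in shared server-side storage in a real deployment so that every login node sees which codes have been spent.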
Mumsnet has been praised for alerting members to the breach and for using encryption for user passwords, but like all online businesses, Mumsnet should consider introducing 2FA for staff at least.
The attack also underlines the importance of having DDoS mitigation capabilities in place, especially in light of the fact that the number of DDoS attacks in the second quarter of 2015 was double that in the same quarter in 2014, according to the latest state of internet security report by Akamai.
“Targeted attacks are a rapidly growing threat, but the latest DDoS assault against Mumsnet is unlikely to be the last or the biggest,” said Kane Hardy, vice-president for Europe at Hexis Cyber Solutions.
“Any company that possesses personal or financial information is a high-value target and a determined attacker – whether motivated by profit or ideology – will be able to breach perimeter defences,” he said.
According to Hardy, it is important that organisations are able to minimise the amount of time between detection and removal to limit the damage that a breach can do.
“Organisations from across all industries should take a page from Mumsnet’s book: recognising that an attack has been successful and publicly disclosing the (known) details of the incident is the first step in adequately handling the aftermath of a breach,” he said.
The next step, said Hardy, should include an in-depth analysis of how the attackers were able to execute the breach and collect the necessary information to make efficient decisions on preventing similar incidents in future.
“By being able to understand what is happening on the endpoint and what is happening within the network, organisations can respond to potential threats at machine-speed and quickly prevent damage,” he said.