DDoS (Distributed Denial of Service) may be getting all the recent press, but now the FBI, Homeland Security and several more federal agencies have issued a no-nonsense warning about a spike in the number of TDoS (telephony denial of service) attacks which wipe out a victim’s telephone service.
The focus of the warning was a jump in TDoS against public sector emergency services agencies (police, ambulance, etc.) The warning noted: “The perpetrators of the attack have launched high volume of calls against the target network, tying up the system from receiving legitimate calls. ... Many similar attacks have occurred targeting various businesses and public entities, including the financial sector” (emphasis added).
The scariest part: security researchers talk about TDoS kits that can be rented for as little as $20 per hour. And that service will generate ample junk calls to put your credit union’s telephone system down for the count.
Although the federal alert focused on TDoS aimed at public safety agencies, security experts insisted to Credit Union Times that many financial institutions – including credit unions – have been victims.
The way that works is that just when a credit union decides to pick up the phone to verify a large wire transfer to, say, a Kiev account, TDoS knocks out the phone systems, so no outgoing calls. And the bad wire transfer may be put through.
TDoS also is commonly linked with ransom demands, noted the federal law enforcement agencies, The promise is that the TDoS will cease upon payment of a fee, often in a four-figure range, said experts.
The feds are adamant: Do not pay the blackmail.
For good reason. Paying it probably only sets the stage for another attack a few days later and a new demand for money.
But exactly what credit unions and other TDoS targets should do to protect themselves is frankly up in the air. “Right now, it is very difficult to defend against TDoS,” said Richard Henderson, a security strategist with Fortinet.
Here’s the problem: not only is TDoS cheap to unleash, the technology allows for instant spoofing of phone numbers and geographic misdirections. The calls may look as though they originate in Long Island, but they may in fact start out in Moscow – there just is no easy way for most organizations to know, said malware researcher Cameron Camp.
That ability to disguise the calls is what is maddening about TDoS and it also is at the heart of why most security experts believe very few credit unions have significant internal TDoS mitigation knowhow.
The current, best advice for coping with TDoS is to begin talking with internal and external telephone experts about how to respond.
A suggestion from Kraus is that just as many credit unions have disaster recovery and business continuity plans that call for a third party to pick up answering incoming calls in the event of an outage, that same firm could be called upon to handle calls in the event of a TDoS wipe out.
There may be other options. The bigger point: start planning now for a TDoS attack because one just may be coming at you.