In the recruitment and communications phase, the Anonymous branch created a website and used Twitter and Facebook to publicize it. YouTube videos also “rationalized the attack by denigrating the target and exposing perceived transgressions,” Imperva said. One such promotional video received over 72,000 views.
The Anonymous campaign “Operation Pharisee” specifically targeted World Youth Day, citing clergy sex abuse as a motive for protest. One of the campaign’s recruitment videos used a computer-generated voice and stock video of a man in a Guy Fawkes mask. It called Pope Benedict XVI a “Pharisee.”
“It’s outrageous seeing how many young people march like sheep to the Vatican’s orgy that will take place in Madrid,” the English-language video said.
“It’s humiliating seeing all the crowd in ecstasy, loving Benedict XVI like a god,” it continued, showing a video of cheerful Catholics at a youth event.
The video cited several Bible verses. It attacked the sacrament of confession for encouraging “dependency of souls,” saying that people should confess directly to God. The video also charged that the Catholic Church is using Jesus’ image to get rich and that it is hypocritical for the Pope to wear ornate liturgical dress while condemning vanity.
“Prepare your weapons, my dear brother, for this Aug. 17-21,” the video concluded. “We will drop the anger over the Vatican.”
Eighteen days into the attack, a group of “savvy hackers” then evaluated the security of the targeted website, the Imperva report says. They used hacking tools and anonymity services to disguise their identity. They kept a “low profile,” but still created relatively high internet traffic compared to normal days.
The hackers failed to find vulnerabilities in the website’s applications and fell back on a distributed denial-of-service attack intended to flood the target’s web server with crippling levels of traffic. This tactic used recruited individuals to run programs on their computers and mobile devices. Many of these recruits did not use anonymity services.
About 500,000 denial-of-service attacks happened on the first day of this phase, while almost 600,000 happened the following day. One PC can generate up to 200 attacks per second.
The Imperva report advised potential targets’ internet security staff to monitor social media for hints of coming attacks.
“Hacktivism is loud by definition,” the report said.
(Story continues below)
Subscribe to our daily newsletter
Rachwald said the use of social media is “the only thing that’s really unique about this attack.”
“Typically an attack is not pre-announced,” he explained.
“The big difference with hacktivism in general is they need to recruit and they need to announce ‘We’re going after target X.’”
Such hackers are typically after user data, he explained. In one instance, hackers under the banner of Anonymous stole user data from Sony and exposed information on 100,000 credit cards, causing customer outrage and a drop in stock prices. They also exposed police officer data from the San Francisco mass transit system.
“If you steal and expose data, then you can really hurt an organization,” he said. “What they’re looking for is vulnerabilities around data exposure.”
Traditional defenses such as network firewalls, anti-virus programs and intrusion protection cannot be the sole defense, he advised. A proper application security program is necessary for websites that transact user information and for e-commerce sites where goods and services are sold.