After the Jan. 20 raid on Megaupload, a law enforcement sting that drew the immediate anger of Anonymous hackers, an unnamed attacker took a distributed denial-of-service (DDoS) attack tool called Slowloris, popular with Anonymous supporters, and rigged it to include the Zeus Trojan, a devious piece of malware used to siphon victims' online banking credentials.
That same day, an Anonymous-backed list of several different DDoS attack tools hit the Web. Backed by numerous Anonymous-affiliated blog postings and tweets, supporters were urged to download one of the tools, which would enable them to launch DDoS attacks from their own computers against big-name Anonymous targets, including the U.S. Department of Justice, the FBI, Universal Music Group and the Recording Industry Association of America.
The trojanized Slowloris link was on the list, meaning countless people who thought they were supporting Anonymous' Operation Megaupload mission — targets also included Warner Music Group, the New Zealand police and the Motion Picture Association of America — were actually compromising their own financial security, the security firm Symantec reported.
The DDoS guide, Symantec said, was called "Tools of the DDoS trade" and "Idiot's Guide to Be Anonymous."
In the following weeks, the compromised DDoS tool was used in attacks on several United States government websites to protest the government's support of the Anti-Counterfeiting Trade Agreement and against Syrian government websites.
And all the while, Anonymous' loyal hackers may have been transmitting their own bank account data to a remote server.
"Not only will supporters be breaking the law by participating in DoS attacks on Anonymous hacktivism targets," Symantec wrote, "but may also be at risk of having their online banking and email credentials stolen."
Symantec said this explosive mixture of financial malware and worldwide hacktivism campaigns with eager (and easily deceived) participants is "a dangerous development for the online world."