Webster Bank and Zions Bancorp. are among the latest U.S. banks to suffer online outages linked to distributed-denial- of-service attacks.
Webster, a $20 billion institution based in Connecticut, says a DDoS attack hit its website at about 4:30 p.m. Nov. 6 and continued until about 2 a.m. Nov. 7. And Zions, a $53 billion bank based in Utah, says an attack caused four hours of intermittent outages for online-banking and website access during the late afternoon and evening of Nov. 8.
But linking those attacks to the DDoS attacks that hit 10 other U.S. banks during September and October could be difficult, says DDoS John Walker, who also serves as the chairman of ISACA's Security Advisory Group in London.
"It could just be somebody that was having a go at the banks, or it could be the same group of hacktivists," Walker says. "It's hard to say."
Neither Webster nor Zions could confirm whether the hits were linked to previous attacks launched by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters. But Zions spokesman Rob Brough says no public threats of attack had been made against the bank.
"There's no way for us to know if the attack against us was just the next one [in the series] or if it was just a coincidence," Brough said. "What I can tell you is that we were well-prepared because of the other incidents. When we recognized that it was a DDoS attack, we had plans in place."
As a result, Brough says, Zions was able to contain most of the outages users experienced to a two-hour window.
Webster spokeswoman Sarah Barr says the attack is still being investigated, but no additional DDoS activity has been identified since Nov. 7.
Link to Izz ad-Din al-Qassam?
Walker, who's spent the last three months monitoring global Internet traffic as part of a research project he's conducting for England's Nottingham Trent University, says the attacks against both banks coincide with traffic surges he tracked between Nov. 6 and Nov. 8.
"In the days following the storm [Superstorm Sandy], I saw Internet traffic increases hitting the East Coast," Walker says. "The patterns suggested DDoS attacks, which leads me to believe some hacktivist group was behind it. They could have been making a point to strike right after the hurricane, which would make sense. But I can't say with certainty what group was behind it."
All previous attacks claimed by Izz ad-Din al-Qassam were threatened in public forums before they were waged. But Izz ad-Din al-Qassam has not announced plans for any attacks in recent weeks.
In an Oct. 23 Pastebin post, the group announced it would stop its attacks in honor of a three-day Muslim holiday. It later granted two media interviews, one on Oct. 31 with ABC News and the other on Nov. 7 with technology news site Softpedia.
Because no threats were made against Webster and Zions, the banks did not connect their online outages to Izz ad-Din al-Qassam. But the banks say they took steps to inform customers about the outages they suffered and ensure customer and financial data were secure.
"We reached out to our customers and continued to serve their needs via our customer care center, Facebook and Twitter," says Webster Bank spokeswoman Sarah Barr. "Social media has taken on a whole new sense of urgency, and we used it as a way to connect."
At Zions, a temporary banner was posted on the bank's homepage, informing customers of the temporary disruption, Brough says. "We also had an automatic message in place at our call center, for the customers who called in," he says. "We definitely kept our customers informed of the issues."