DDoS: Attackers Announce Phase 4

Cyber Fighters Say New Strikes Will Be 'Different'
DDoS: Attackers Announce Phase 4

Izz ad-Din al-Qassam Cyber Fighters, the group behind three phases of distributed-denial-of-service attacks against banks since last September, now says more attacks against U.S. banks are on the way. The group made its announcement in a July 23 posting on the open forum Pastebin.

See Also: Why Choose MDR over MSSP or SIEM?

al-Qassam Cyber Fighters hasn't attacked since the first week of May, when it announced it was halting attacks for the week, in honor of Anonymous' Operation USA. But the group has remained quiet since then, apparently bringing to a close its third phase of attacks, which began March 5 (see New Wave of DDoS Attacks Launched).

Experts who've been following the group's DDoS attacks say this fourth phase was expected and likely will follow the pattern of earlier phases.

"The QCF always start out a phase of Operation Ababil with something new," says Mike Smith of online security provider Akamai Technologies. "It might be new targets, a larger botnet, new techniques, etc. This is how they try to evade the protections that the targets have deployed. They've also demonstrated a bit of showmanship in the past with announcing the attack before they resumed hostilities, and this could be another tactic to generate more press buzz."

'A Bit Different'

In its most recent post, al-Qassam Cyber Fighters says: "Planning the new phase will be a bit different and you'll feel this in the coming days."

John LaCour, CEO of cyber-intelligence firm PhishLabs, says the group's plans for different attacks are in response to banking institutions' heightened DDoS-mitigation strategies. "Major banks had improved their defenses prior to the quiet period," he says. "If new types of attacks appear, then banks will need to be prepared to respond quickly to prevent significant impact to their online services."

Based on the impact of the first three phases of DDoS attacks, LaCour notes: "Today's announcement should put financial organizations on high alert for future attacks seeking to disrupt their online operations."

In its post, al-Qassam also says, "The break's over and it's now time to pay off. After a chance given to banks to rest awhile, now the Cyber Fighters of Izz ad-Din al-Qassam will once again take hold of their destiny."

Brobot's Growth

So far, the only activity DDoS experts have noted is growth and maintenance of the botnet, known as Brobot, used in the previous three phases. No attack activity against banking institutions was apparent as of the afternoon of July 23.

Although experts did not directly link PDF download attacks waged in late June against two mid-tier banks to al-Qassam, some speculated those may have been a test for the next phase of attacks (see Another Version of DDoS Hits Banks).

LaCour told Information Security Media Group in early July that new code files linked to Brobot had been identified on compromised web servers the hacktivists had taken over. "The new code we see on these web servers is one of the strong indicators that the botnet is being rebuilt," he pointed out.

The code behind the malware had changed and included configurations not seen in the first three phases, LaCour said.

Multiple Phases

Phase three of the attacks, which ran for eight weeks, lasted longer than the earlier phases. The first campaign, which began Sept. 18, lasted six weeks. The second campaign, which kicked off Dec. 10, lasted only seven.

Experts won't speculate about how long this fourth phase might last, although al-Qassam does include a complex formula in its July 23 post to hint at how long the attacks could drag on.

But financial fraud expert Avivah Litan, an analyst with the consultancy Gartner Inc., says the timing of this latest announcement is not surprising, given that she believes there's little doubt these attacks are backed by Iran.

"They are back just as expected," Litan says. "The election in Iran has passed, the political situation there has settled down, for the time being at least, and they can now direct their resources and attention back to fighting with the U.S. banks. We predicted this, and it looks like it's happening right on schedule."

Since the beginning of its attacks against U.S. banks, al-Qassam Cyber Fighters has claimed that it's waging its attacks because of outrage over a YouTube movie trailer deemed offensive to Muslims.


About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.