During the last third of 2012, 10 major U.S. banks were the targets of powerful distributed-denial-of-service attacks apparently launched by a foreign hacktivist group. Some observers predict there will be many more DDoS attacks against financial institutions in 2013. They say hacktivists, organized crime rings and even nation states will be the perpetrators, working collaboratively in some cases and independently in others (see High Risk: What Alert Means to Banks).
Financial fraud expert Avivah Litan, an analyst at Gartner Research, says the attacks will continue because they work, especially for criminals.
"There is no reason for the criminals to stop," Litan says. "They are getting away with them and not getting caught. These gangs will just keep escalating the attacks, up the ante and raise the stakes on the banks. The banks will have to find and implement solutions quickly. There really is no other choice."
DDoS attacks often will be used to disguise nefarious schemes aimed at stealing intellectual property and taking over accounts, especially when the attacks are waged against smaller institutions, regulators and security experts warn.
DDoS expert John Walker, who also serves as the chairman of ISACA's Security Advisory Group in London, says banks won't be able to fend off all of the attacks that are coming in the new year. "What we are seeing this year is just a tip in the ocean of what is planned for 2013," he says.
To prepare for continuing DDoS attacks, banking institutions should implement incident response strategies and involve staff across multiple lines of business, as well as external partners, regulators and experts say. Banks also should consider due diligence reviews of service providers, including Internet service providers and Web-hosting companies, to ensure they, too, have taken necessary steps to identify and mitigate risks associated with DDoS attacks.
PNC, Others Take Hits
Since September, the hacktivist group Iz ad-Din al-Qassam Cyber Fighters has grabbed headlines for two DDoS campaigns against banks. But so far, there's been no evidence of fraud linked to these attacks.
The hacktivist group announced Dec. 25 that yet another wave of attacks was coming as part of its second campaign (see 5 Banks Targeted for New DDoS Attacks.)
In the latest development, PNC Financial Services, whose customers have suffered sporadic online access issues related to high volumes of traffic during both of the DDoS campaigns, reported it experienced minor site access issues late Dec. 27. But it did not link those issues to traffic connected with a DDoS attack.
PNC spokeswoman Amy Vargo says some customers reported having trouble when trying to access the bank's site during the afternoon of Dec. 27, but "this was a very short term and intermittent issue, and the systems were quickly restored to normal."
In a Dec. 10 post on Pastebin, Iz ad-Din al-Qassam Cyber Fighters announced plans for its second campaign, targeting PNC, U.S. Bancorp, Bank of America, JPMorgan Chase and SunTrust Banks. Since then, the group has posted two subsequent threats and has apparently hit all five targeted institutions as well as Wells Fargo and Citibank, part of Citigroup (see DDoS: Citi Takes Post-Holiday Hit).
The hacktivist group says its waging the attacks in protest of a YouTube video deemed offensive to Muslims.
The first campaign of attacks, which ran from mid-September to mid-October, targeted all of the institutions hit in the second campaign, as well as Regions Bank, HSBC Holdings and Capital One.
Warning to Banks
Some security experts, however, are questioning whether Pastebin posts being attributed to Izz ad-Din al-Qassam Cyber Fighters actually came from that group. Anyone could take credit for the posts and the attacks, says Mike Rothman of Securosis, an independent security research and advisory firm.
"We'll likely see lots of folks claiming responsibility for attacks and many doing it to draw attention to their causes," Rothman says. "Is it really one group or another? Hard to truly tell, and ultimately I don't think it matters. The attacks will keep happening, sometimes for no apparent reason. Organizations need to be ready, and that doesn't change, regardless of the adversary."
Smaller banking institutions not targeted by Izz ad-Din al-Qassam Cyber Fighters should guard against a false sense of security, says Bill Nelson, president and CEO of the FS-ISAC.
"We saw a year ago that smaller banks and regional banks were being hit [by other DDoS attackers] and many were at a loss about why," Nelson says. Eventually, investigators confirmed attempts to commit fraud in the background of those attacks.
On Dec. 21, the Office of the Comptroller of the Currency issued an alert about the recent wave of DDoS attacks, noting that financial institutions had linked DDoS to fraud and the theft of proprietary information (see Regulator Warns of DDoS, Fraud Link).
"These attacks by hacktivists are trying to strike terror," Nelson says. "But cybercriminal groups have been attacking, too, off on their own launching cyberfraud. Rather than striking terror, they're trying to make it more difficult to detect their fraud, and that's the worry here."
Securosis' Rothman says the recent waves of hacktivist attacks have drawn attention to the severity of the DDoS threat.
"We have discovered a clear knowledge gap around the denial-of-service attacks in use today and the defenses needed to maintain availability," Rothman writes in a November paper about DDoS prevention. "There is an all-too-common belief that the defenses that protect against run-of-the-mill network and application attacks will stand up to a DDoS. That's just not the case."
Rothman says banking institutions of all sizes must start viewing DDoS attacks as instruments for multifaceted attacks.
"It's not news that some of the attackers have been using DDoS attacks to obscure ex-filtration activity," Rothman says. "They basically work to divert the attention of the security folks with the DDoS while they steal data via other mechanisms."
Rothman says prevention steps recommended by the OCC just reiterate the obvious. "Financial institutions need to have risk management programs, and that would include tactics to mitigate against DDoS attacks as well as leveraging information-sharing networks to keep the flow of information going. If something bad happens, they need to report it and probably disclose it to customers."