DDoS Attacks on Banks: No Break In Sight

Phase 3 of Hacktivist Attacks Shows No Sign of Ending
DDoS Attacks on Banks: No Break In Sight

Hacktivists' attacks on U.S. banking institutions are now in the eighth week of their third phase, making this phase, which launched March 5, the longest since Izz ad-Din al-Qassam Cyber Fighters waged its first campaign last year.

See Also: Cybercrime Ecosystem: EVERYTHING for Sale

Some experts on distributed-denial-of-service attacks now say they don't anticipate the hacktivists will take a break as they did after the two previous campaigns. The first phase of attacks lasted six weeks; the second phase ran seven.

Attacks during the third phase have strengthened and diversified, and they've proven to be effective at taking online-banking sites offline, experts say. Greg Garcia, cyber-attack adviser and spokesman for the Financial Services Information Sharing and Analysis Center, is concerned that criminal groups and others not affiliated with Izz ad-Din al-Qassam Cyber Fighters will wage malicious strikes that coincide with the hacktivists' attacks to perpetrate fraud.

"Observers should expect that some of these [attacks] are opportunistic 'copycat' attacks, and that criminals are readily sharing information with one another to compare what works and to tinker with new techniques," Garcia says. "Members of the financial sector also share information robustly in our community, and we're deploying our best tools, expertise and collaboration to anticipate incoming attacks and stop them before they occur. Some attacks succeed; many do not; and we're working every day to raise our success rate and lower theirs."

More Attacks Planned

On April 23, Izz ad-Din al-Qassam Cyber Fighters, which claims it's attacking U.S. banking institutions in protest of a YouTube movie trailer deemed offensive to Muslims, said on the open forum Pastebin that more attacks are planned.

"We have already stated that removal of the offensive video ... from YouTube is the simplest solution to stop the cyber-attacks," the group stated in the post. "The United States must still pay because of the insult."

In its post, the hacktivist group took credit for targeting eight financial-services firms - Regions Bank, M&T Bancorp, Union Bank, Principal Financial Group, Ameriprise Financial, State Street Corp., RBS Citizens Financial Group Inc. [dba Citizens Bank] and Wells Fargo & Co. - as well as others in the last week.

"We're seeing that the [hacktivist] attacks are being directed against some FIs [financial institutions] that are smaller than the FIs targeted in the first two phases, including insurance and investment companies," Garcia says.

Variations in the attacks and the targets also were noted during phase 2 of the hacktivist campaign, which ended in late January, says Rodney Joffe, a senior technologist for online security provider Neustar Inc.

In the first phase, which ran from mid-September to mid-October, only top-tier institutions, such as JPMorgan Chase & Co. and Bank of America, were targeted. During the second phase, the attacks started hitting mid-tier banks and some credit unions, which led some experts to suspect the hacktivists' botnet, known as Brobot, may have been leased by other groups.

That suspicion was further fueled in March, when Brobot was identified in DDoS attacks aimed at online-gaming sites.

"If the group executing the attacks is truly for hire, I would not be surprised if the 'normal' financial criminals have reached out and are offering some additional revenue incentives [to see] if they can piggy-back on the attacks as a cover for activities they're more interested in," such as the theft of data or intellectual property and financial fraud, Joffe says.

Fraud Concerns Rise

So far, the attacks linked to Brobot have not been linked to fraud, experts say. But concerns about fraud and other malicious intents are mounting.

Marty Meyer, president of DDoS-mitigation provider Corero Network Security, says these attacks, inevitably, will be waged for nefarious purposes. "Sooner or later, the attackers will step up the malicious intent of these attacks to insert exploits or attempt illegal fund transfers," he says. "I cannot imagine that their only intent is to be annoying."

The effectiveness of the attacks has proven Izz ad-Din al-Qassam Cyber Fighters is an organized group out to cause the financial industry as much pain as it can, Meyer adds.

"The attackers have improved their delivery method for these attacks, such that the botnets utilized are more difficult to shun using classic black-hole routing methods," he says. "They are likely incorporating application layer DDoS attack vectors, which are also difficult for cloud- or ISP- [Internet service provider] based services to mitigate. Until banks employ hybrid cloud plus on-premises, DDoS-mitigation technology, the attackers will continue to take advantage of this security vulnerability. DDoS needs to be considered a very real threat, and treated as such, as part of a holistic risk management strategy."

Breaking the Pattern

Al Pascual, a senior security, risk and financial fraud analyst at consultancy Javelin Strategy & Research, says banking institutions have to accept that the attackers waging these DDoS strikes no longer need time to regroup to strengthen their botnet and techniques.

"While I'm sure the financial industry was hoping that the problem would simply disappear, I'd be surprised if anyone could give me a solid reason as to why Izz ad-Din al-Qassam would just stop," he says.

Brobot also has grown; its now three times the size it was at the end of January, when phase 2 ended, says Mike Smith, a security evangelist at online-security provider Akamai Technologies. The botnet's size has allowed the group to launch multiple attacks against multiple institutions simultaneously, as on March 12, when six banks were hit in one day.

"The attacks are disruptive and a bit embarrassing, and that's not lost on those responsible," Pascual says. "They are successful - so much so that they continue to attempt to exploit new servers to bolster Brobot. And it would seem that, worse yet, others may now be imitating them outside the U.S."

About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Around the Network