Izz ad-Din al-Qassam Cyber Fighters' fourth phase of distributed-denial-of-service attacks against U.S. banks apparently had its kickoff July 31 ( see DDoS: Attackers Announce Phase 4). But the attacks did not succeed in taking down the sites, experts say.
DDoS-mitigation sources tell BankInfoSecurity the attacks took aim at four leading U.S. institutions.
The attack code is from Brobot, the botnet developed by al-Qassam that's been striking U.S. financial institutions since September 2012, the sources say. But none of the leading banks contacted by BankInfoSecurity has confirmed seeing any attack traffic.
Sources say the attacks apparently had no impact on availability of customer-facing interfaces, such as the ability to access online banking, because banks have implemented effective mitigation strategies.
Mike Smith of the cybersecurity firm Akamai, which has been tracking and mitigating DDoS activity linked to al-Qassam, says DDoS defenses fared well throughout the morning of July 31, when the attacks began. And while the attack methods used were nothing new, some of the attack characteristics were, he says.
"They keep pounding against one target," Smith said mid-day. "They've been hitting this one bank for about an hour and 15 minutes, now," which is unusual.
But within a few hours, three more targets were hit, Smith says.
Until now, al-Qassam typically hit a particular site for between 10 and 20 minutes at a time, Smith says. If the attacks are unsuccessful at taking a site down, the group moves on to another target, he adds.
But that was not the case July 31, Smith says. "Though the attacks [against the first target] had no visible user-facing impact, they kept attacking," Smith says, targeting first the site and then its domain servers.
The attacks would have been non-events, had it not been for some of the activity leading up to them, he adds. "These attacks are not anything special," Smith says. "But the attacks that hit last week and the attacks that hit yesterday have made all of this more interesting."
DDoS: Phase 4
Attacks waged July 24 through July 27 against the online banking sites of Chase and Regions Financial Corp. puzzled DDoS mitigation providers.
Keynote, an online and mobile cloud testing and traffic monitoring provider, confirmed the online banking sites of those two banks experienced intermittent outages last week that appear to be DDoS-related.
Both institutions have previously been targeted by al-Qassam.
But detecting last week's online glitches took some digging, says Aaron Rudger, Keynote's web performance marketing manager. The online traffic patterns were different from what Keynote has recorded in the past, he says.
"Normally with DDoS attacks, we see a ramping decline in a site's performance as the load against it builds," Rudger says. "Eventually, the site falls over when overwhelmed."
In last week's attacks, that pattern was not present, he says. "It seems they were hit very hard, very fast - so fast, our agents did not observe the typical 'ramping' effect," he says.
Security vendors say they remain uncertain about exactly who was behind those attacks.
While some attack evidence suggested a link to Brobot, none of those vendors could definitely say Brobot was to blame.
New Wave of Attacks
al-Qassam had been quiet since the first week of May, when it announced it was halting its DDoS strikes in honor of Anonymous' Operation USA, bringing an end to its third phase of attacks, which began March 5 (see New Wave of DDoS Attacks Launched).
But on July 23, al-Qassam announced plans for a new wave of attacks, a.k.a, phase four. "Planning the new phase will be a bit different and you'll feel this in the coming days," the group states. "The break's over and it's now time to pay off. After a chance given to banks to rest awhile, now the Cyber Fighters of Izz ad-Din al-Qassam will once again take hold of their destiny."
The group has repeatedly stated it's waging its attacks against U.S. banking institutions in protest of a Youtube movie trailer deemed offensive to Muslims.
During the afternoon hours of July 30, Brobot was used to attack merchant sites, seemingly as a coding test for the attacks that kicked off July 31, Smith says. The only commonality among the July 30 targets: They all have the word "Da Vinci" in their website URLs, Smith and others confirmed.
"There was no connection to banking at all," Smith says.