The hacktivist group Izz ad-Din al-Qassam Cyber Fighters, in a Feb 12 posting, warns that its distributed-denial-of-service attacks against U.S. banks and credit unions could resume soon. The group had announced on Jan. 29 a suspension of its attacks.
Security experts warned, even before the latest posting, that more DDoS attacks against banking institutions were likely, saying the hacktivist group's reasons for suspending the attacks seemed suspicious. Evidence also suggests the botnet used in the attacks continues to grow.
Rodney Joffe, a senior technologist for online security provider Neustar Inc., says the botnet has likely already been used against other industries in other global markets. And other security experts agree the attacks eventually could be used to conceal fraud.
As a result, banking institutions, as well as other organizations with a significant online presence, need to stay vigilant and committed to DDoS prevention.
The Office of the Comptroller of the Currency late in 2012 recommended that banks:
- Prepare for DDoS attacks by having sufficient staffing in place;
- File suspicious activity reports if DDoS attacks affect critical information, including customer account details, or if damage occurs to critical banking systems;
- Conform to the Federal Financial Institutions Examination Council's updated authentication guidance and implement layers of security;
- Provide accurate and timely communication to customers or members regarding website problems, risks and precautions.
On Jan. 29, Izz ad-Din al-Qassam CyberFighters announced plans to suspend its attacks against U.S. banks, citing as the reason the removal of YouTube's most popular link to a video deemed offensive to Muslims (see Hacktivists Suspend DDoS Attacks).
But in its latest Pastebin post, the hacktivist group says that unless other links to the video also are quickly removed, U.S. banking institutions are at risk of a resumption of attacks.
"We warn again that, remove the film copies till there is time and do not harden the situation for yourself and banks' online users," the group's post states.
New Attacks Anticipated
Many in the industry expected the suspension of attacks to be short-lived.
"Now is not a time for anyone to let their guard down simply because [hacktivists] said they've 'called off' the attacks," says a security officer at a midwestern community institution, who asked to remain anonymous. "In my mind, it just tells me they're planning something even bigger and more damaging."
Financial fraud consultant Al Pascual, an analyst with Javelin Strategy & Research, notes: "The industry should remain guarded, but other industries should take note, as Izz ad-Din al-Qassam could potentially change their primary target after sharpening their teeth on the financial industry."
Joffe of Neustar says evidence suggests the botnet already has been used in attacks beyond those striking U.S. banking institutions.
"The attacks against the banks started on Sept. 18," Joffe says. "However, we already saw the same malware being spread through an attack on Aug. 19. It's almost like an attack that's looking for a purpose. The video seems to have provided that purpose."
Joffe claims the same botnet used in recent DDoS campaigns against the U.S. financial sector was used in earlier attacks waged against different industries in different countries, although he declined to elaborate on the details.
The hacktivists' two attack campaigns against banks "all could just be a way of demonstrating the size and the capability of the botnet," he adds.
The sporadic nature of the attacks suggests criminal organizations are behind them, or that the hacktivists are more interested in leasing their botnet for profit than they are in making a political statement, he contends.
"It is quite possible that the controllers of the botnet are in business, and not notionally connected with the ultimate attackers, and are being paid by someone with a political motive," Joffe says.
The potential political as well as criminal nature of the attacks should be concerning to those in other sectors - including government, manufacturing and healthcare - as well as banking institutions, Joffe says.
Some experts have speculated that the Jan. 31 online outages suffered by e-commerce retailer Amazon.com were caused by the same hacktivist group, or some other entity using the same botnet - or one very similar to it.
"Amazon is a significant Internet presence, so to have them offline does take a fairly substantial capability - and that is what we've seen with these attacks against the financial services industry," says Bill Stewart, a cybersecurity specialist at consulting firm Booz Allen Hamilton.
And it is the "substantial capacity" of Izz ad-Din al-Qassam Cyber Fighters' attacks that has raised more questions than answers.
What It Means for Banks
Joffe points out that, so far, no fraud has been linked to the DDoS attacks waged against U.S. banking institutions. But the concern for fraud is real, he says.
For example, a criminal group could copycat Izz ad-Din al-Qassam Cyber Fighters' tactics, Joffe says, making the attack look similar but using it to perpetrate fraud.
"Many folks in the criminal underground just make use of something that is already working," he says. "It's very difficult in the regular world to be able to tie attacks together, even though the attacks could look similar."
Signs of Broadening Attacks
Attacks against U.S. banking institutions started in mid-September, when Izz ad-Din al-Qassam Cyber Fighters announced the launch of its first DDoS campaign. Bank of America, BB&T Corp., Capital One, HSBC, JPMorgan Chase & Co., PNC Financial Services Group, Regions Financial Corp., SunTrust Banks, U.S. Bancorp, and Wells Fargo were all targeted during the first campaign, with each target being named in posts on Pastebin before the attacks hit.
During the second campaign, no advance warning was given. In addition to the institutions targeted during the first campaign, Ally Bank, Spanish banking group BBVA, Citibank, RBS Citizens Financial Group Inc. [dba Citizens Bank], Comerica Bank, Fifth Third Bank, First Citizens Bank, Harris Bank, Huntington Bank, Key Bank, M&T Bancorp, Patelco Credit Union, People's United Bank, Synovus Financial Corp., UMB Bank, Upqua Bank, Union Bank, University Federal Credit Union and Zions Bancorp were all claimed by hacktivists to have been targeted.
The expansion of the attacks, which during the week of Jan. 22 took aim at smaller institutions, also raised eyebrows (see Banks Skeptical About DDoS Cease-Fire).
One banking executive, who also asked not to be named, told BankInfoSecurity the attacks proved the group was casting a wider DDoS net, and smaller institutions needed to enhance their defenses.
"The fact that they went downstream to target some of these smaller institutions is what stands out," the executive said. "All of the banks that I talked to said the same thing. These hits were big enough to be an annoyance, but small enough to be manageable."