In late December, the Office of the Comptroller of the Currency also issued an alert about DDoS activity.
Attorney Joseph Burton, a cybercrime and information security expert and managing partner of law firm Duane Morris LLP, says banking institutions should heed these notices as warnings that DDoS strikes will continue this year.
"In the attacks we're talking about, there have definitely been account transfers," Burton says, adding that banks and credit unions have an obligation and responsibility to address these risks and ensure they have the right types of programs in place.
New DDoS Alert
The NCUA's Feb. 21 alert lists policies and procedures credit unions and other financial institutions should implement to defend themselves against DDoS attacks.
Among the NCUA's recommendations:
- Conduct ongoing assessments to identify risks associated with DDoS attacks;
- Ensure disaster recovery and incident response programs include DDoS attack scenarios that can be tested before, during, and after an attack;
- Perform ongoing due diligence on third-party service providers, especially Internet and Web-hosting providers, to ensure appropriate traffic management policies and controls are in place.
While the NCUA notes that the primary goal of DDoS attacks is to create online disruption rather than fraud, the regulator also notes that DDoS attacks often are used as tools of distraction to veil fraud taking place in the background.
"Credit unions should voluntarily file a Suspicious Activity Report if an attack impacts Internet service delivery, enables fraud, or compromises member information," the alert states. "DDoS attacks may also be paired with attempts to steal member funds or data."
The NCUA also says credit unions should brace for DDoS attacks by following the practices and controls outlined in the Federal Financial Institutions updated authentication guidance, which recommends the implementation of member and employee education programs, multifactor authentication for online transactions, and transaction monitoring and verification procedures.
DDoS: Tool of Distraction
The Office of the Comptroller of Currency issued its alert late last year to raise awareness, because some attacks had been used to distract attention from attempts by fraudsters to commit account fraud or to steal proprietary information, a spokesman said (see Attacks Put Banks on Alert).
"Because the groups conducting DDoS may shift tactics and targets during an attack, banks should incorporate information sharing with other banks and service providers into their risk mitigation strategies," OCC spokesman Bill Grassano said Dec. 21.
Burton, the attorney, says the OCC's December alert was issued in response to DDoS attacks that targeted California-based Bank of the West at the end of last year. The attacks were used as a means of distraction to take over online accounts and steal funds, he says.
Security blogger Brian Krebs reported Feb. 13 that the attack against Bank of the West resulted in more than $900,000 being drained from one account, and a Christmas Eve DDoS attack distracted bank employees from detecting the takeover.
"If you have one, two or three of those types of attacks, is that going to be enough for people to say, 'We're going to come up with some methods to deal with these attacks'?" Burton asks. "I don't know. But there are a range of things that can be done to mitigate those circumstances. I don't believe it's a sufficient answer to say this is just hacktivism. I don't think that's an adequate answer."
Izz ad-Din al-Qassam Cyber Fighters
Larger banking institutions have been battling DDoS attacks since mid-September, when the hacktivist group Izz ad-Din al-Qassam Cyber Fighters launched its first wave of attacks against leading institutions, such as Bank of America and JPMorgan Chase, in protest over a YouTube video deemed offensive to Muslims.
But in late January, the attacks shifted, and smaller institutions were named among the hacktivists' targets. Shortly after those attacks, Izz ad-din al-Qassam Cyber Fighters said it planned to temporarily halt it attacks.
But in mid-February, the group announced on the open forum Pastebin that it expected to reinitiate its attacks against U.S. banks.
Institutions Taking Threat Seriously
Mike Wyffels, who supports compliance oversight and fraud prevention for $2 billion bank holding company QCR Holdings, which owns four banking institutions in Illinois, Iowa and Wisconsin, says banking institutions are taking DDoS seriously.
"The DDoS attacks continue to be persistent and organized, which means organizations need to be vigilant and aware of what is taking place," he says. "These attacks may also be a method of deception, causing organizations to look at the obvious and miss the real threat intended. Over the past year, these attacks have nearly doubled in volume and have proven difficult, at best, to defend against. Organizations should evaluate solutions internally to mitigate risks and work with their suppliers in a partnership to accomplish the same."