Hacktivists have formally launched their third wave of distributed-denial-of-service attacks on U.S. banking institutions.
"During running Operation Ababil Phase 3, like previous phases, a number of American banks will be hit by denial of service attacks three days a week, on Tuesday, Wednesday and Thursday during working hours," hacktivists claim in their most recent post.
And while experts have warned institutions of all asset sizes to maintain strong online guards, this newest wave of attacks is just starting to garner serious attention from community banks and credit unions. That's because smaller institutions, such as University Federal Credit Union and Patelco Credit Union, were among those hit during the hacktivists' second wave of attacks.
"The NCUA's warning has highlighted DDoS attacks as a concern worthy of consideration," says Richard Reinders, information security officer for Lake Trust Credit Union, a $1.5 billion non-profit institution based in Michigan. "It has provided needed attention to the issue, so the results from it so far are positive."
Reinders is referring to a recent alert from the National Credit Union Administration, which notes that DDoS attacks are often waged as tools of distraction to conceal fraud. "Credit unions should voluntarily file a Suspicious Activity Report if an attack impacts Internet service delivery, enables fraud, or compromises member information," the alert states. "DDoS attacks may also be paired with attempts to steal member funds or data."
Still, one Midwest community bank executive, who asked not to be named, says as recently as January, smaller institutions were getting mixed messages about their need for concern. While regulators and banking associations such as the Financial Services Information Sharing and Analysis Center had issued warnings about DDoS attacks linked to fraud, federal investigators suggested hacktivists' attacks were the primary worry, the executive says.
"We spoke with the FBI a couple weeks ago about DDoS attacks on community banks, and they basically stated that the smaller community banks have not, and most likely will not, be targeted by DDoS attacks," the executive told BankInfoSecurity in early February, shortly after Izz ad-Din al-Qassam Cyber Fighters announced plans to halt its attacks. "They didn't feel banks our size and smaller needed to spend a lot of time and resources on this issue."
That perspective, however, has evolved among some executives since late January, when the attacks shifted and mid-tier institutions were among the hacktivists' new targets.
Reinders says credit unions are heeding regulators' warnings. "Credit unions are definitely talking about it, but it seems there is some hesitancy to discuss specifically what they do at this point."
Experts say banking institutions should do more of the same to prepare for this newest wave of attacks. The lessons learned during phase one, which hit in September and October, taught the industry how to collaborate and brace. Strikes waged against them during phase two, which hit in December and January, were less tasking for that reason, says Rodney Joffe, senior technologist for online security provider Neustar Inc.
In addition to sharing information about the attacks suffered, financial institutions have been more closely collaborating with Internet service providers to scrub and block traffic. Some also have implemented measures to turn off access to certain parts of their online sites, such as search functions, when DDoS activity is detected. These precautions, and others, have helped ensure sites are not completely taken offline by an attack, experts say.
Mike Smith, a security evangelist and DDoS specialist at Web security provider Akamai, says the banking institutions and third-party providers like Akamai have improved efforts to deflect the hacktivists' botnet, known as Brobot. "At this point in the attack campaign, most larger banks and their DDoS mitigation providers are able to defend themselves successfully against Brobot, or at least minimize the effects of any outage that they might have. This means that the QCF have to adjust tactics in order to get the impact that they are after."
Hacktivists have not yet launched their proverbial big guns, Joffe suggests, and the time the hacktivists took off during the month of February was likely spent regrouping and building their botnet, which dealt a more powerful blow when it returned from its four-week hiatus on Feb. 25.
"This is the last al-qassam's ultimatum to U.S. government, and, we announce that if the insulting films are not removed in the following days the Operation Ababil will be started again next week, March 5, 2013," the group stated in a Feb. 26 post about its new attacks.
In the March 5 posting, the group vowed to fulfill its promise. It also seems hacktivists did some preparation work this time around before officially announcing their plans for more attacks.
"We started seeing activity on Friday and it continued over the weekend," Joffe told BankInfoSecurity on Feb. 25. "That indicated an attack was being prepared, and it matched the kind of activity we had seen before."
The botnet's increased activity over the weekend of Feb. 23 did give security firms some forewarning, Joffe said. But that the attacks started on a Monday and were not previously announced did give them an element of surprise, he added.
Dan Holden, director of the security engineering research team for DDoS prevention provider Arbor Networks, says the Feb. 25 attacks reveal Izz ad-Din al-Qassam's botnet has grown, and that should be a concern for institutions of all sizes. Among the latest targets: Bank of America, PNC Financial Services Group, Capital One, Zions Bank, Fifth Third, Union Bank, Comerica Bank, RBS Citizens Financial Group Inc. [dba Citizens Bank], People's United Bank, University Federal Credit Union, Patelco Credit Union and others.
In addition to the National Credit Union Administration, the Office of the Comptroller for the Currency also issued a warning about DDoS attacks, and the possibility that the attacks could be used to mask fraud taking place in the background.
Still, it wasn't until Izz ad-Din al-Qassam widened its attack net in late January that smaller institutions started to take serious notice, Reinders says. Not fully understanding what the hacktivists are after is breeding concern, he adds.
Hacktivists continue to pin the reason for their strikes on YouTube's inability or unwillingness to remove links to a movie trailer deemed offensive to Muslims. "If the offended film is eliminated from the Internet, the related attacks will also be stopped," the group says in its March 5 post.
They also explain why they stopped their attacks, albeit a brief cease fire. "While running the phase 2 of Operation, a main copy of the insulting film was removed from YouTube and that caused the phase 2 to be suspended," Izz ad-Din al-Qassam claims. "al-Qassam cyber fighters measured this act positively and a bit sign of rationalism in the U.S. government and for this reason suspended the operation for one month. That also was an opportunity for U.S. government to think more about the topic and remove other copies of the film as well."
As links to the offensive movie trailer remain active, the group says it has decided to reignite its DDoS efforts.
But Smith, like Joffe, suggests the break was taken to give the group time to build their botnet.
"When the QCF have lost enough Brobot nodes that they are no longer able to impact their targets, they are forced to go into a development phase to recruit new Brobot nodes and recon additional targets for application denial-of-service vulnerabilities that require a lower volume of attack traffic."