Another Version of DDoS Hits BanksAll Institutions Remain at Risk as Attackers Change
Izz ad-Din al-Qassam Cyber Fighters, the hacktivist group that waged three campaigns of distributed-denial-of-service attacks against U.S. banks, apparently hasn't launched an attack since May 2 (see Are DDoS Attacks Against Banks Over?).
See Also: Threat Horizons Report
Nevertheless, DDoS attacks are continuing. And that means financial institutions need to remain vigilant
We have to assume all attacks are being waged to either compromise data or perpetrate fraud.
Last week, DDoS attacks were waged against two mid-tier banks by bombarding them with requests for PDF document downloads, I've confirmed with more than one reliable source.
The documents, including mortgage, account or loan applications, generally aren't readily accessible from a bank's home page. Ultimately, you'd have to dig pretty deeply or be told these documents are available on the site to know where to find them. Some DDoS bots, however, do have the ability to spider websites and locate random links, like downloadable PDFs, to flood. And, sometimes, links to downloadable files are discovered by attackers via Google searches.
Still, it can be a time-consuming process, and is a reason why this type of flooding attack is often less favored over others.
No one knows why these attacks were waged, although some experts tell me there apparently were no patterns or code or botnets to connect the strikes to the al-Qassam Cyber Fighters.
But it's becoming apparent that it's not just hacktivists that are waging DDoS attacks. And it's not just top-tier banks that are at risk.
Experts and regulators have warned smaller banking institutions to have their guards up, especially for DDoS attacks that could be waged as a mode of distraction to mask account takeover attempts.
At this point, we have to assume all attacks are being waged to either compromise data or perpetrate fraud.
Under the Radar
Bill Nelson, president of the Financial Services Information Sharing and Analysis Center, says download-flooding attacks "are a very common DDoS tactic used by various types of adversaries. Nothing new there."
But Curt Wilson of DDoS-mitigation provider Arbor Networks, says download-flood attacks, which around for a long time, are not used as often as other DDoS tactics. So the download flooding attacks are around, but they are less common.
"The download flood has a larger punch, but I don't think every attacker has it on their agenda," he says.
Download flood attacks, though, are often packaged with attack toolkits that are marketed in underground forums for their so-called "anti-DDoS" capabilities, he says - meaning these toolkits can get around standard DDoS-detection and mitigation measures, Wilson says.
"Other than the usual steps of blacklisting the sources, organizations have responded in the past by reducing the content available to users who have not yet authenticated," Wilson tells me. "This is only a partial solution, of course, because the approach does not scale and does not fit every scenario."
One bank CISO tells me institutions generally can't block future attacks until they review the logs of requests associated with a successful download-flooding strike.
Some of these PDF or file requests, although overwhelming, could be legitimate. And one of the greatest worries surrounding DDoS mitigation is denying good traffic in an effort to block the bad.
Was It a Test?
The latest attacks could have been waged as a way to test their effectiveness. But no one knows for sure.
"It is definitely not the AQCF botnet," known as Brobot, says Rodney Joffe, a DDoS expert at online security firm Neustar. "The general criminal element is ... now using the very effective techniques."
No attempts at fraud have been linked to last week's two flooding attacks. So what were the attackers motivations?
We must assume the actors behind these attacks often have political and/or criminal intent.
What's critical is that banking institutions have DDoS mitigation strategies in place. As Joffe points out: "We have been warned."
But not everyone is heeding the warning.
Smaller, community institutions are a known weak point, as the Office of the Comptroller of the Currency noted in mid-June, when it spearheaded an education campaign about DDoS aimed at community banks, as well as in December, when it issued a warning that community banks should be mindful of DDoS attacks waged to mask fraud.
All banks and credit unions should assume they're going to be targeted, and that the purpose for these attacks is to compromise data and accounts. The sooner all institutions accept and embrace that message, the more secure their overall infrastructure will be.
I encourage you to comment about the best ways to mitigate DDoS attacks in the box below.