CapOne Site Takes DDoS Hit
SunTrust, Regions Next Expected TargetsThe hacktivist group known as Izz ad-Din al-Qassam apparently made good on its threat to take down Capital One Financial Corp.'s online presence Oct. 9. Now industry observers say they're waiting to see if the group's threats against SunTrust Banks and Regions Financial Corp. will be fulfilled later this week as the group has indicated.
See Also: Gartner Guide for Digital Forensics and Incident Response
"Capital One is experiencing intermittent access to some online systems due to a denial of service attack," company spokeswoman Pam Girardo said on the afternoon of Oct. 9. "All other channels are working properly. We are working to restore all online service as soon as possible."
CapOne spent much of the day Oct. 9 communicating about the outage with customers via online messaging and social media. The bank has instructed customers to call its support line if they experience problems accessing their online accounts, Gerardo says.
CapOne is the sixth major U.S. bank to be targeted by Izz ad-Din Al-Qassam in the last three weeks. Online-banking and corporate sites at Bank of America, Chase, Wells Fargo, PNC and U.S. Bank all took distributed denial of service hits the last two weeks of September, and the same group took credit.
If the pattern continues, and the Oct. 8 threat posted on Pastebin holds true, SunTrust and Regions can expect their sites to suffer outages over the next two days.
SunTrust spokesman Mike McCoy said Oct. 9 that SunTrust is aware of the threats and is working to limit online disruption for bank customers. "But we will decline to offer specifics," he added.
And Regions spokeswoman Evelyn Mitchell said Regions is already bracing for an Oct. 11 attack, but did not say what, if any, steps the bank was taking to inform customers. "We are aware that the group claiming responsibility for these attacks has identified Regions as one of its targets," she said. "We take online security seriously and are taking every measure to protect the company and our customers."
Evading Arrest
Avivah Litan, a fraud analyst at financial consultancy Gartner, says the lag between the first wave of attacks and the hit against CapOne likely is related to the attackers' efforts to evade arrest.
"The authorities know which endpoints were compromised, but they don't know who compromised them, exactly," Litan says. "There are strong indications that the same tools used in the January 2012 attacks against the Israeli stock exchange and El Al Airlines are the same tools used in these attacks. And those former attacks were praised by Hamas. I would not be at all surprised if all this leads to something much more ominous, e.g. the RSA Gozi concerns." (See RSA Warning, DDoS Attacks Linked?)
The group known as Izz ad-Din al-Qassam taking credit for the DDoS takedowns appears to be waging a cyberwar against top-tier institutions through hacktivism because of outrage over a YouTube movie trailer. The group claims the video casts Islam in a negative light.
The attacks have been successful because they flood banks' websites with more traffic than they can handle, says Mike Smith of Internet platform provider Akamai.
Action Recommended
In light of recent takedowns, and new cyberthreat alerts from the Financial Services Information Sharing and Analysis Center, experts suggest banking institutions:
- Enhance fraud detection and network and perimeter security;
- Review disaster recovery plans and employee training strategies; and
- Work closely with Internet service providers, vendors, service providers and law enforcement about emerging schemes and cyberthreats.
Shirley Inscoe, a fraud analyst at financial-services consultancy Aite, says institutions should be mindful of warning signs, such as dramatic increases in wire transfers, that could signal a DDoS attack.
"An increase in typical wire volumes should be interpreted as an immediate signal that the bank may be under attack, and greater analysis of outgoing wire activity should be implemented without delay," Inscoe says. "Banks and credit unions should especially be on the lookout for wires that fall outside the norm for a specific customer - dollar amount, wire destination, timing or method of wire origination - as well any wires generated on behalf of customers who typically do not send wires at all."
Most institutions also have automated wire-fraud detection systems for which transfer thresholds can be adjusted, Inscoe adds. "Those who do not have automation are going to be very vulnerable and should make plans to handle this operationally immediately," she says.
Still, Inscoe says banks and credit unions may not be able to detect or predict these DDoS attacks. But when they are forewarned, they have to take action.
"They need to devise a sound communication plan and operational strategy for dealing with this situation," Inscoe says. "They should communicate this threat to their relationship managers, who, in turn, can communicate with customers who typically send wires. Pretending it won't happen would be foolish at this point; the risk is high, so communication is essential."