DDoS: PNC, Wells Report Traffic Surge

Latest Incidents Not as Disruptive as Phase 1 Attacks
Amidst Phase 2 of hacktivists' distributed-denial-of-service attacks on U.S. banks, PNC Financial Services and Wells Fargo on Dec. 20 both reported online traffic surges. But experts say these latest incidents are not resulting in online outages as widespread or lengthy as those in Phase 1 of the attacks earlier this fall.

Either the targeted banks are getting better at defending their perimeters, some observers say, or the DDoS attacks have subsided.

"Most banks' network teams are making rapid adjustments to the configurations of their networks, so they can better withstand these attacks," says financial fraud expert Avivah Litan of Gartner. "These adjustments are definitely helping for now. The fraud teams are also tightening defenses, so more is automated and independent of staff attention, which is diverted during these attacks."

Latest Strikes

About the Dec. 20 surge, PNC spokesman Frederick Solomon said, "Heavy electronic traffic caused intermittently interrupted access to our site this morning," but the overall impact was minimal. Wells Fargo, which reported isolated accessibility issues a day earlier, also acknowledged minor disruptions but no outages (see Wells Fargo Still Dealing with DDoS).

"We're seeing an unusually high volume of traffic which is creating slow or intermittent access to our website for some online customers," said Wells Fargo spokeswoman Sara Hawkins the morning of Dec. 21. "The vast majority of customers are not impacted."

Neither bank confirmed a DDoS hit linked to threats made by the hacktivist group known as Izz ad-Din al-Qassam Cyber Fighters, which on Dec. 18 promised via Pastebin a new wave of attacks against leading U.S. banks.

A week earlier, the hacktivist group announced plans to initiate this second phase of DDoS strikes against Bank of America, JPMorgan Chase, PNC Financial Services, U.S. Bancorp and SunTrust Banks (see 5 Banks Targeted for New DDoS Attacks).

The hacktivist group claims this series of attacks is a follow-up to the first campaign it waged against those five banks, as well as Wells Fargo, Regions Bank, HSBC Holdings, BB&T Corp. and Capital One, from mid-September to mid-October.

Izz ad-Din al-Qassam Cyber Fighters says it will continue its strikes against U.S. banks until a YouTube movie trailer, deemed to be offensive to Muslims, is removed.

Decreased Impact

DDoS experts say the traffic patterns suggest most of these latest incidents are linked.

"The attacks themselves are as complex as the previous attacks, with similar bandwidth peaks and similar, but modified, attack characteristics," says Carlos Morales of DDoS prevention vendor Arbor Networks. And more banks appear to be among the targets, he says.

But the attacks are having less impact, and Morales says that's because banks have taken steps to prepare. "There seem to be more cohesive processes in place to react to attacks, more capacity available, in general, across networks - layered defenses in some places - and tighter collaboration between the financials and their MSSP [managed security service provider] providers."

DDoS expert John Walker, who also serves as the chairman of ISACA's Security Advisory Group in London, believes the decrease in outages has more to do with the attackers than the banks' defenses.

"Within the last 24 hours there has been a decline overall in global attacks," Walker says. "This could be because of the natural behavior of the attackers," taking a break for the holidays, he suggests. But it's also just as likely that the hacktivists behind these site takedowns will strike Dec. 24 and Dec. 25, when staffing within IT and fraud departments is slim.

Other Groups Involved?

Observers who have tracked the DDoS attacks say evidence suggests that Izz ad-Din al-Qassam Cyber Fighters may not be acting alone, or that other groups are riding on the coattails of these attacks.

Gartner's Litan says the industry is learning more about the groups behind DDoS strikes. And while their motives vary, their methods do not, she says.

"I've put them into three groups, based on conversations with bankers and others in the know," Litan says.

In a blog posted Dec. 18, Litan breaks down the three classes of DDoS attackers as:

  • Political hacktivists with no ability to commit fraud;
  • Political hacktivists with no ability to commit fraud that are coupled with counterattacks waged by different groups that commit fraud while security teams are distracted;
  • Financially motivated gangs that strike banking institutions with DDoS attacks and fraud, using DDoS methods that resemble those of political hacktivists to fool their targets.

For Walker, the traffic patterns and the indications that other groups are involved should be alarming, and not just to U.S. banking institutions.

"What we are seeing this year is just a tip in the ocean of what is planned for 2013," he says. "Are banks getting better at defending against DDoS? Possibly, yes. But they can only hold the water back so long."

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
