DDoS: What to Expect From Next Attacks
Phase 3 Incidents Offer Likely Glimpse into Future
U.S. banking institutions are now in the fifth week of distributed-denial-of-service attacks waged against them as part of Izz ad-Din al-Qassam's third phase. What lessons has the industry learned, and what actions do security and DDoS experts anticipate next from the hacktivists?
The U.S. financial services industry so far has withstood three phases of attacks spread over seven months. These persistent assaults have taught banking/security leaders a great deal about online vulnerabilities, and observers say they have responded with some strong defenses.
Yet, three key takeaways emerge from phase 3, which launched March 5:
- The attacks on banks have been more powerful and targeted than they were during the first two campaigns;
- Banking institutions' DDoS defenses and responses are much improved;
- If patterns repeat, then phase 3 will end soon, and the industry can expect a new, even more powerful wave of attacks to begin - potentially striking new industries and serving as a precursor to account takeover and fraud.
"There is little reason for the attacks to cease," says Al Pascual, a financial analyst for consultancy Javelin Strategy & Research. And if DDoS does persist, then organizations need to ensure steady communication with customers, or else risk a dangerous erosion of consumer confidence.
"Should U.S. banks suffer from attacks similar to what we recently saw in South Korea, failing to communicate properly with consumers would be dangerous," Pascual says. "Bank customers will question the integrity of their institution in the unprecedented and unexplained situation of being unable to access their accounts online, at ATMs and in branches."
Attacks So Far
Although many institutions now decline to publicly acknowledge when they have been struck, Izz ad-Din al-Qassam Cyber Fighters has named these organizations as phase 3 DDoS targets: American Express, Ameriprise Financial, BB&T, Bank of America, Capital One, Citibank, Comerica Bank, Fifth Third Bancorp, JPMorgan Chase & Co., KeyBank, Patelco Credit Union, People's United Bank, PNC Financial Services Group, RBS Citizens Financial Group Inc. [dba Citizens Bank], SunTrust Banks, TD Bank, Union Bank, University Federal Credit Union, U.S. Bancorp, Wells Fargo & Co. and Zions Bancorp.
In their most recent attack update, posted April 2 on Pastebin, the hacktivists claim credit for strikes against American Express, Citizens Financial, Ameriprise Financial, KeyCorp [d.b.a. KeyBank], BB&T and Bank of America.
Izz ad-Din al-Qassam claims it's waging its attacks against U.S. banks because of outrage over a movie trailer available on YouTube deemed offensive to Muslims.
More Powerful, Diverse
The attacks have evolved since the DDoS assault began with phase 1 in mid-September.
During the first phase, top-tier banks such as Chase and Bank of America were the sole targets. During phase 2, the attacks started hitting mid-tier banks and some credit unions. Phase 3 attacks have been across the board, and the targets have spread beyond banking. DDoS experts say recent attacks waged against two sites for online role-playing gamers fall into the hacktivists' modus operandi.
Additionally, Brobot - the botnet used in the attacks - has grown to three times the size it was at the end of January, when phase 2 ended, says Mike Smith, a security evangelist at online-security provider Akamai Technologies. The botnet's size has allowed the group to launch multiple attacks against multiple institutions simultaneously, as witnessed March 12, when six banks were hit in one day.
But Smith is quick to point out that the hacktivists aren't perfect. "I would not say these attacks are sophisticated," he says. "They are just as good as they need to be, to be effective. That's all."
If there is a positive side of the phase 3 attacks, it is that banking institutions' DDoS defenses are stronger than they have ever been, says Dan Holden of DDoS-mitigation provider Arbor Networks.
"DDoS defenses are better in April 2013 than they were in September 2012," he says. "Now the financial system is better defended than it was five or six months ago."
Because institutions are applying new resources and technical solutions - as well as sharing tactical advice with peers through networks such as the Financial Services Information Sharing and Analysis Center - online outages have in some cases been shorter or even avoided altogether.
But Holden says, in an odd way, that improved DDoS defense may be one of the attackers' objectives.
"They want the banks to spend more on defenses," Holden says. "If they are trying to unleash some sort of punishment, as they have claimed, then they want these attacks to cost the banks."
Phase 3 to End Soon?
If history repeats itself, phase 3 attacks will end within the next two weeks. The first phase of attacks lasted six weeks; the second phase ran seven. And because this hacktivist group appears to be very organized and strategic, Holden says it needs the breaks to regroup.
"They've already taken a break twice, so why would they not take a break this time?" Holden asks.
Akamai's Smith points out that, after the last break, the hacktivists returned with a botnet that was bigger, and with new targets for attacks.
"The targets have expanded, and the focus on the Web application side, which we've seen in this campaign, is one that requires planning," Smith says. "The break would allow them to re-arm, review what worked and what hasn't, and then address those issues in the next wave."
Is Fraud Inevitable?
Financial fraud expert Avivah Litan, analyst for consultancy Gartner, says banking institutions should brace for more powerful and longer-lasting attacks in the next phase.
"They [the hacktivists] definitely have the upper hand. This is not going to go away," Litan says. "They've got a successful tool that has more power and is more sophisticated than it was when this thing started; and the banks and the government are taking the threat seriously."
Banking institutions are standing by with defensive teams 24/7, in cubbies and corners that resemble war rooms more than IT departments, Litan explains. She believes the preparation is because fraud linked to DDoS attacks is likely on its way.
"Eventually [attackers] will start targeting individuals through massive account takeovers," Litan says. "I think it's just part of the natural evolution of these types of attacks."
During the third phase, the attacks have been more dynamic and have targeted Web applications. Litan says those application attacks reflect a shift in the hacktivists' focus.
"When these attacks started, they were hitting the perimeter," she says. "Now they're hitting the backend, which is how they can get into accounts. And why wouldn't they?"
Although Akamai's Smith does not believe fraud is inevitable, he does agree that organizations must view these attacks with the criminal perspective in mind.
"Criminals, they don't always follow the rules," Smith says. Banking institutions don't ever want to get overly confident in their defenses or their expectations for future attacks, he says.