FBI: DDoS Botnet Has Been Modified

New Attack Methods Attempt to 'Circumvent Mitigation'
The Federal Bureau of Investigation warns that distributed-denial-of-service attacks waged against leading U.S. banking institutions are changing as attackers perfect their techniques.

In a flash report about Brobot, the botnet used by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters, the FBI notes that attack scripts have been modified. "The FBI Cyber Division assesses that these scripts have been modified by the actors in an attempt to increase the effectiveness with which the scripts evade detection," the report states. "Because the attacks have been ongoing for seven months, the actors are changing their attack methodology to circumvent mitigation efforts of the financial institutions."

The FBI points out that as of April 10, 46 U.S. banking institutions have been targeted by more than 200 separate DDoS attacks of "various degrees of impact" since Izz ad-Din al-Qassam Cyber Fighters announced its first phase of attacks in September 2012. "These attacks have utilized high bandwidth webservers with vulnerable content management systems," the report states.

As the hacktivists' third phase of attacks on U.S. banking institutions enters its ninth week, experts say it's clear the attacks are expanding to include more organizations (see DDoS Attacks on Banks: No Break In Sight).

Last week, brokerage firm and investment bank Charles Schwab Corp. confirmed it was targeted by DDoS attacks that disrupted online service April 23 and 24. The attacks came just three weeks after similar strikes were waged against American Express, marking the first time a U.S. card brand had been targeted by Izz ad-Din al-Qassam Cyber Fighters.

The hacktivist group took credit for the AmEx attack, according to updates posted to a blog as well as Twitter on March 28. In an April 30 Pastebin update, Izz ad-Din al-Qassam Cyber Fighters took credit for the attacks waged against Charles Schwab. The group also claims attacks against Capital One, BB&T, Regions, Principal Financial, State Street and BancWest Corp. [d.b.a. Bank of the West and First Hawaiian Bank].

Attacks: Just Enough

Several security experts say the hacktivists so far have used only about a third of Brobot's capacity. Instead of using the botnet's full force, the attackers appear to be doing just enough to be a nuisance, says Arbor Networks' Carlos Morales.

"The attacks have definitely continued to increase in sophistication over the past few months and don't show any signs of stopping," Morales says. Specifically, the attacks have become increasingly customized, he says.

"It shows that the attackers are studying the victim sites and then modifying the attack software to take advantage of nuances within the specific targets," Morales adds. "Attackers are now starting to target upstream ISPs [Internet service providers] and partner networks of the financials. They are probing to figure out the most vulnerable points and exploiting them," and Brobot continues to grow.

Security specialist Mike Smith of Akamai Technologies says Brobot's continually building strength suggests Izz ad-Din al-Qassam Cyber Fighters' strikes won't be stopping anytime soon. "With a change in attack tactics, techniques and protocols and doing more constant infecting to replenish the botnet during the course of their operational week, they don't have to take as many pauses," he says. "At the same time, their typical targets are fairly well protected, so they're branching out to new targets, adding a couple new ones per week."

A blog post from Charles Schwab President and CEO Walt Bettinger dated April 24 confirms the company is among those new attack targets, although the firm does not attribute the attack to any particular group.

"On April 23, Schwab was one of the most recent targets of a 'denial-of-service' attack perpetrated by a third party," Bettinger states in the post. "As a result, access to our client websites was blocked for nearly two hours. A similar attack on April 24 intermittently slowed access to our websites."

While no unauthorized access to client accounts occurred during the attacks, Bettinger noted that more attacks are likely. "Denial-of-service attacks are, unfortunately, an increasing fact of life in an interconnected world," he said in the statement. "Based on the history of denial-of-service attacks on other companies, we anticipate these attacks may continue against our industry - and us - for some time. We will continue to work with the industry and law enforcement to ensure our websites are available without interruption."

On April 29, Charles Schwab spokeswoman Sarah Bulgatz said the attacks stopped April 24. "Earlier last week, during the outages we experienced due to the DDoS attacks, we communicated with clients via Twitter, Facebook and through the news media - encouraging them to call us as an alternate way of accessing Schwab," she said.

New Targets

Charles Schwab wasn't the only new target last week.

State Street Bank and Trust Co., a community institution in Illinois with just $162.3 million in assets, also took a hit. Although State Street Bank has not publicly confirmed the attack, two DDoS experts, who asked not to be named, said the attack patterns, though in much lower volume, also matched those aimed at Charles Schwab.

On April 23, Toronto-based domain registrar easyDNS, which provides online hosting services for State Street Bank, confirmed it had been targeted by a DDoS attack.

Dave Loftus of DDoS-mitigation provider Arbor Networks says the timing suggests a connection to Izz ad-Din al-Qassam Cyber Fighters.

Arbor confirms that Toronto-based DNS registrar easyDNS was hit by a DDoS attack on April 23, Loftus says, the same day Izz ad-Din al-Qassam Cyber Fighters announced on Pastebin it had targeted "State Street."

"While we can only speculate, public records do show that easyDNS provides services for State Street," he added. "As DNS infrastructure has previously been targeted in the U.S. financial attacks, there may be a connection between the attacks. If easyDNS took the hit for their customer, this could explain why the volume of attack traffic directly sent to State Street Bank was reduced."

Mistaken Identity?

Why would such a small institution be among the hacktivist group's targets? Experts say the hacktivists may have intended to attack $222.2 billion Boston-based State Street Corp., the United States' 13th largest bank, not the Illinois-based State Street Bank and Trust.

Marty Meyer, president of DDoS mitigation and solutions provider Corero Network Security, says the State Street Bank attack was probably more about mistaken identity than a targeted attack. "They likely have mistaken this site for the much larger State Street organization," he says. "As to why the attacks are not as forceful with them, the attackers may be smarter than we give them credit for. ... They monitor the attack impact and only apply the amount of resources required to attain the desired result. Why waste resources?"

Rodney Joffe, senior technologist for online security provider Neustar Inc., says the State Street attack does not fit Izz ad-Din al-Qassam Cyber Fighters' profile. The majority of banks targeted by the group are among the nation's top 50, he notes.

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
