Hacktivist Hints at New DDoS Attacks
New Interview: 'We Have Done What We Had Promised'
The hacktivists are now letting their words speak for their actions.
For the third time in one month, a source claiming to be part of the self-proclaimed hacktivist group known as Izz ad-Din al-Qassam Cyber Fighters has granted an interview to discuss the wave of high-profile distributed denial of service attacks on U.S. banks.
During the recent interview with Flashpoint Global Partners, an international consulting firm, the hacktivist representative said more attacks would be waged and that methods of attacks would diverge, until a YouTube movie trailer deemed by the group to cast Islam in a negative light is removed from the Internet.
"We have done what we had promised," the source said. "If the film isn't removed, we'll use our other abilities according to the new conditions."
No New Attacks
Since Sept. 18, the group has taken credit for attacks on 10 leading U.S. banks: Bank of America, JPMorgan Chase, Wells Fargo, PNC, U.S. Bank, CapitalOne, HSBC, SunTrust, Regions and BB&T. No new attacks have been claimed by the group since mid-October.
In early November, Webster Bank and Zions Bancorp also suffered from DDoS attacks, which caused intermittent outages to their online-banking sites for several hours. While the attacks were not linked directly to Izz ad-Din al-Qassam, Zions spokesman Rob Brough said the bank did not know who was behind the attack.
"There's no way for us to know if the attack against us was just the next one [in the series of attacks waged by Izz ad-Din al-Qassam] or if it was just a coincidence," Brough said. "What I can tell you is that we were well-prepared because of the other incidents. When we recognized that it was a DDoS attack, we had plans in place."
DDoS and Fraud?
The attacks have been concerning for two reasons: customer frustration with online-banking inaccessibility and the possibility of fraud being perpetrated in the background. On Sept. 17, the Federal Bureau of Investigation, along with the Financial Services Information Sharing and Analysis Center, issued a warning about DDoS being waged to mask incidents of account takeover occurring simultaneously.
In their alert, the FBI and FS-ISAC note recent attacks that linked DDoS to fraud. "In some of the incidents, before and after unauthorized transactions occurred, the bank or credit union suffered a distributed denial of service (DDoS) attack against their public Web site(s) and/or Internet Banking URL," the alert states. "The DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer" (see High Risk: What Alert Means to Banks).
So far, no bank has reported fraud linked to DDoS attacks waged by Izz ad-Din al-Qassam, but security experts question what might really be taking place in the background.
Questioning Consultants' Competency
The latest interview with Izz ad-Din al-Qassam marks the third time a member claiming affiliation with the group has spoken out on the attacks.
On Oct. 31, ABC News was granted an e-mail interview, and on Nov. 7 technology news site Softpedia was given e-mailed insights.
During all interviews, alleged members of the Izz ad-Din al-Qassam group stressed the group was not supported by any nation-state, government or other hacktivist group, and that all of its members were merely tech-savvy volunteers with a common mission to see the YouTube video removed (see Hacktivist Speaks Out About DDoS).
In the most recent interview, the respondent defends Izz ad-Din al-Qassam's purpose as well as the efficacy of its attacks. "Many of [the] technical comments during the attacks have made us doubtful about [the] technical competence of American companies' security consultants," the respondent said, when asked by Flashpoint if the botnets it used also have attacked web-hosting companies and Internet service providers.
"Many of [the] technical statements about this case are not scientific, reliable or significant," the source added.
Break Suspicious, But Expected
An Oct. 23 Pastebin post notes the group's plans to temporarily halt attacks in honor of a three-day Muslim holiday. Pastebin is the public online forum Izz ad-Din al-Qassam has used to communicate updates about its attacks.
The continued break from attacks is curious, says Mike Smith, a security evangelist and DDoS specialist at Web security provider Akamai Technologies. It's just difficult to know who is behind which attacks, he says.
Speculating is pointless, he says. What is clear, however, is that banking institutions and other organizations are continually targeted, and staying ahead of these attacks, regardless of who wages them, is a necessity.
"We get two or more large attacks per week against our entire customer base and countless smaller ones," Smith says. But connecting those to one hacktivist group over another is nearly impossible, he adds. "Some of those targets are financial services, some are not."
Information-sharing shortens response time, he adds.
"It's always tough to be the first target when a new attacker or technique appears because you have to work your way to a diagnosis and implement blocking: things that take time," Smith says. "However, good incident managers and organizations doing threat intelligence share what they know with each other, so that during subsequent attacks, although of the same magnitude and lethality, the targeted organizations know what indicators there are to the start of the attack and what techniques worked the best in previous attacks."