More U.S. Banks Report Online Woes

Wells, U.S. Bank, PNC Now Among Institutions Linked to Attacks
More U.S. Banks Report Online Woes

The online-banking and website outages and glitches reported Sept. 26 by U.S. Bank and PNC Bank are likely the result of foreign attacks, says Bill Wansley, a financial fraud and security consultant at Booz Allen Hamilton.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

Wells Fargo took a similar hit on Sept. 25, and all three new site outages are likely linked to similar online outages experienced a week earlier by Bank of America and Chase Bank, Wansley says.

Late Sept. 26, published reports said that PNC acknowledged some customers reported trouble accessing PNC.com, but that the bank had implemented additional security precautions, based on threats made to take down the PNC site Sept. 27.

PNC is now the fifth major U.S. bank suspected of being targeted by the group known as Izz ad-Din al-Qassam Cyber Fighters. The group has been keeping institutions up-to-date about its targets through threats posted on Pastebin.

Experts believe all of the site outages stem from denial of service attacks. Affected banking institutions, however, have not confirmed or denied those claims.

Wansley says he's not certain, either, that these attacks are backed by the Iranian government, as some reports have speculated (see High Risk: What Alert Means to Banks).

He says it seems clear, however, that Izz ad-Din al-Qassam is connected to all of the attacks - and that more banks will be targeted.

But determining who's actually behind the attacks, or the motivations for the attacks, could take some time, Wansley says. Izz ad-Din al-Qassam has denied allegations that its actions are backed by Iran.

"This particular series of attacks seem to be unique and have a different character than previous attacks," Wansley adds. "But what we should take away from this is that we're now starting to get ahead of them and give notice and warning so banks can prepare."

The Attack Details

The most recent outages, which affected PNC and U.S. Bank, are believed to have occurred on the same day. At U.S. Bank, site outages began sometime during the morning of Sept. 26.

A U.S. Bank spokesman told the Minneapolis StarTribune the bank's website was suffering "intermittent connectivity issues" that began around 8:30 a.m. ET. Wansley says it's safe to assume - based on earlier claims made by Izz ad-Din al-Qassam that U.S. Bank was a planned target - that the outage is linked to an attack.

Other reports suggest Wells Fargo's site started to suffer outages at about 2 p.m. ET Sept. 25. At 4 p.m., the bank acknowledged through a tweet that its site was having trouble.

Wells Fargo has not publicly acknowledged what caused the site issues. But in response to an inquiry submitted by BankInfoSecurity, Wells Fargo says it is continuing to monitor the problem.

"We apologize to customers who may be experiencing intermittent access issues to wellsfargo.com and online banking," spokeswoman Sara Hawkins says. "We are working to quickly resolve this issue. Customers can still access their accounts through our ATMs, stores and by phone."

Bank of America also was reluctant to release many details about its Sept. 18 outage, which came one day before the Financial Services Information Sharing and Analysis Center for the first times raised the cyberthreat level for U.S. banking institutions from "elevated" to "high."

BofA's online banking site reportedly experienced periodic slowdowns. Izz ad-Din al-Qassam claimed responsibility for the outage, but those claims could not be verified.

"In response to the group's claims, I can assure you that our customer and client information, our online banking platform and the related systems remain safe and secure," says BofA spokesman Mark Pipitone. "Our online banking services have been, and are up and running. The vast majority of our customers did not experience any issues."

And the site issues that struck Chase a day later, on Sept. 19, seem too similar to not be connected, says Julie McNelley, a fraud and security analyst at financial consultancy Aite.

"Unfortunately, this is now the reality for prominent U.S. brands," McNelley says. "They are now at risk of being targeted as a political statement, for activities wholly unrelated to their own business. ... The fact that Chase's site had problems the following day may mean that the hackers re-directed their attempt at another prominent banking brand instead."

A Chase spokesman confirmed that some customers experienced trouble logging on to the site for a couple of days, but said that banking services remained secure and access to accounts through other channels were not affected.

Atypical Attacks

The DDoS attacks that are believed to have hit U.S. banks differ from typical hacktivist attacks, Wansley says. For one, Izz ad-Din al-Qassam, the group are taking credit for the recent site outages, has not historically been affiliated with hacktivism.

"When you see a lot of noise on the Internet announcing that they're going to attack and then the attack happens and then they start bragging when that's accomplished, that's a typical pattern of some of the hacktivist groups," he says. "In this case, there's a group that has an Arabic name that has never at all been associated with cyberactivity. It's been more associated with Hamas. And for all of the sudden for them to become a hacktivist group, it's just really interesting. We've never seen that before."

Whether the hacktivist group is, indeed, affiliated with Hamas, the political party that governs the Gaza Strip, is not known.

And Wansley says some of the attacks seem to suggest more is being targeted in the background, though he would not elaborate. He did say, however, that banking institutions had reported three different types of DDoS attacks, which could mean the attackers are altering their methods as new attacks are waged.

"It looks like there is a secondary, parallel attack chain that is happening underneath," he says. "So, it's interesting, and we're just watching to see what happens next."

Those differences from typical hacktivist attacks could suggest Izz ad-Din al-Qassam is being used as a cover for attacks actually being waged against U.S. banks by some other country or organization, Wansley says. And it appears the attacks are coming out of Iran, based on the IP addresses from where the attacks originated.

U.S. banking institutions are clearly the primary targets, Wansley adds. And that the FS-ISAC has elevated the cyberthreat level to high is no coincidence. "It proves there is a specific threat, and that is pretty obvious and has been supported by what's been posted on the Internet," he adds.

But the good news is that U.S. banks and credit unions are being forewarned by posts on Pastebin, information on social-networking sites posted by consumers, and alerts from federal authorities, Wansley says. The industry is getting ahead of these attacks, which is giving targeted institutions time to brace.

Wansley says the information-sharing and tracking systems the FBI and FS-ISAC have implemented and fostered are working.

What's Next?

Though the original Pastebin post is no longer visible, the group taking credit for the Wells takedown says other large institutions in Israel, France and United Kingdom will be next, if the U.S. does not remove the "Innocence of Muslims" video from the Web (see EU Banks Not Prepared for Attacks).

The brief YouTube video, referred to by Izz ad-Din al-Qassam as casting a negative light on Islam, has reportedly been removed by Google in some countries, but not the U.S. and other markets, where freedom of expression violates no laws.

Iran also has reportedly blocked Google's services because of the video.

Steps Banks Should Take

Banks need to ensure they are notifying customers of increasing cyberthreats, Wansley stresses. Institutions also need to ask customers and members to notify them if they receive suspicious e-mails or are directed to suspicious sites, he advises.

U.S. banks should ensure they have adequate security protocols, and that they are regularly reviewing those protocols.

Software patches and updates must be reviewed. "They need to make sure they don't have any random servers out there unprotected" as well, Wansley says.

Institutions need to understand the threats in order to protect themselves, Wansley adds.

"We've seen three different types of attacks in the last couple of days," he adds. "And I'm sure those banks were collaborating with other peer banks to find out what those types of attacks were, what IP addresses were used so that they could block them, and really kind of tighten up their own infrastructure to prepare for an attack."


About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network