3/27/2013
09:47 AM

Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions

Muslim hacktivists continue third wave of takedowns, submit invoice protesting "Innocence of Muslims" video that mocks founder of Islam.

Wells Fargo's website suffered disruptions Tuesday, after the al-Qassam Cyber Fighters hacktivist group vowed to continue its long-running campaign of U.S. banking website takedowns.

According to website downtime and outage reporting service Sitedown.co, over the past 24 hours, banking customers posted higher than normal numbers of downtime reports for Wells Fargo (232 reports) and Bank of America (46 reports). Some customers also reported difficulties accessing the websites of Chase, Capital One, Citibank and PNC Bank, and in some cases also the banks' mobile banking sites.

Wells Fargo spokeswoman Bridget Braxton confirmed Tuesday that the bank's website was being disrupted, but told Reuters that "the vast majority of customers are not impacted and customer information remains safe." She also noted that the disruptions were intermittent, and recommended customers who couldn't access the Wells Fargo website keep trying.

By the tally of the al-Qassam Cyber Fighters, which is a self-proclaimed group of Muslim hacktivists, this is now the fourth week in the third wave of its distributed denial-of-service (DDoS) attack campaign, which it's dubbed Operation Ababil. "During last week the below list of banks and/or financial services were being chosen as target: BB&T, PNC, Chase, Citibank, U.S. Bancorp, Suntrust, Fifth Third Bancor, Wells Fargo and some others," according to a statement posted Tuesday to Pastebin by the group, announcing that the DDoS attacks would be continuing.

The group's statement failed to identify its list of bank targets for the current week, but did include a mock invoice, which claims the current DDoS attack volume being unleashed is based on an equation the group has cooked up that estimates the "approximate cost on U.S. banks per each DDoS minute" to be $30,000, and charges them $100 "for each view/like" on YouTube of any copy of Innocence of Muslims. That video, which mocks the founder of Islam, was first posted to YouTube in July 2012, and has long been cited by al-Qassam Cyber Fighters as the reason for its attacks.

According to the group's statement this week, "the united states must still pay because of the insult," and the group promised to continue the banking website disruptions "until all copies of the insulting movie (both trailer and full version) are removed."

The first bank attacks were launched in September 2012, followed by another round in late 2012. Earlier this month, meanwhile, the al-Qassam Cyber Fighters announced that they'd be commencing a third wave of attacks.

With each new wave of attacks, the scale and sophistication of disruptions have continued to increase. "The third wave of attacks has matured in several meaningful ways," Dan Holden, director of security research at Arbor Networks, recently said via email. "The size of the botnet has continued to grow, new techniques and toolkits are being developed and the attackers continue to focus further on the application level."

Those tools and tactics include the use of the "itsoknoproblembro" toolkit -- also known as Brobot -- that can achieve sustained floods of 70 Gbps and 30 million packets per second, as well as compromising legitimate WordPress and PHP websites and using them as staging grounds for launching DDoS attacks.

"The attackers are beginning to use more sophisticated tactics as defensive capabilities improve and mitigation against the attacks continues to be successful," said Holden. "We are seeing randomization capabilities in the attack tools for the first time during the approximately seven-month campaign. We expect these trends to continue as the campaign carries on."

Comments
Andrew Hornback,
User Rank: Apprentice
4/3/2013 | 2:52:35 AM
re: Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions
Is anyone keeping track of the amount of traffic that these folks are using to wage these attacks? I'd love to see them prosecuted and fined, per byte. At 70 Gbps, even in bursts, that's not going to be cheap.

Andrew Hornback
InformationWeek Contributor
Bryan Yurcan,
User Rank: Apprentice
3/27/2013 | 11:33:17 PM
re: Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions
These types of attacks against banks, while always existing, have definitely been ramped up in the last 6 months or so. This highlights the need for information sharing and cooperation between financial institutions regarding security threats.