Attacks/Breaches
3/27/2013
09:47 AM
Connect Directly
RSS
E-Mail
50%
50%

Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions

Muslim hacktivists continue third wave of takedowns, submit invoice protesting "Innocence of Muslims" video that mocks founder of Islam.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Wells Fargo's website suffered disruptions Tuesday, after the al-Qassam Cyber Fighters hacktivist group vowed to continue its long-running campaign of U.S. banking website takedowns.

According to website downtime and outage reporting service Sitedown.co, over the past 24 hours, banking customers posted higher than normal numbers of downtime reports for Wells Fargo (232 reports) and Bank of America (46 reports). Some customers also reported difficulties accessing the websites of Chase, Capital One, Citibank and PNC Bank, and in some cases also the banks' mobile banking sites.

Wells Fargo spokeswoman Bridget Braxton confirmed Tuesday that the bank's website was being disrupted, but told Reuters that "the vast majority of customers are not impacted and customer information remains safe." She also noted that the disruptions were intermittent, and recommended customers who couldn't access the Wells Fargo website keep trying.

[ U.S. banks aren't the financial institutions under attack. Learn How South Korean Bank Malware Spread. ]

By the tally of the al-Qassam Cyber Fighters, which is a self-proclaimed group of Muslim hacktivists, this is now the fourth week in the third wave of its distributed denial-of-service (DDoS) attack campaign, which it's dubbed Operation Ababil. "During last week the below list of banks and/or financial services were being chosen as target: BB&T, PNC, Chase, Citibank, U.S. Bancorp, Suntrust, Fifth Third Bancor, Wells Fargo and some others," according to a statement posted Tuesday to Pastebin by the group, announcing that the DDoS attacks would be continuing.

The group's statement failed to identify its list of bank targets for the current week, but did include a mock invoice, which claims the current DDoS attack volume being unleashed is based on an equation the group has cooked up that estimates the "approximate cost on U.S. banks per each DDoS minute" to be $30,000, and charges them $100 "for each view/like" on YouTube of any copy of Innocence of Muslims. That video, which mocks the founder of Islam, was first posted to YouTube in July 2012, and has long been cited by al-Qassam Cyber Fighters as the reason for its attacks.

This week, according to the group's statement, "the united states must still pay because of the insult," and promised to continue the banking website disruptions "until all copies of the insulting movie (both trailer and full version) are removed."

The first bank attacks were launched in September 2012, followed by another round in late 2012. Earlier this month, meanwhile, the al-Qassam Cyber Fighters announced that they'd be commencing a third wave of attacks.

With each new wave of attacks, the scale and sophistication of disruptions has continued to increase. "The third wave of attacks has matured in several meaningful ways," Dan Holden, director of security research at Arbor Networks, recently said via email. "The size of the botnet has continued to grow, new techniques and toolkits are being developed and the attackers continue to focus further on the application level."

Those tools and tactics include the use of the "itsoknoproblembro" toolkit -- also known as Brobot -- that can achieve sustained floods of 70 Gbps and 30 million packets per second, as well as compromising legitimate WordPress and PHP websites and using them as staging grounds for launching DDoS attacks.

"The attackers are beginning to use more sophisticated tactics as defensive capabilities improve and mitigation against the attacks continues to be successful," said Holden. "We are seeing randomization capabilities in the attack tools for the first time during the approximately seven-month campaign. We expect these trends to continue as the campaign carries on."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/3/2013 | 2:52:35 AM
re: Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions
Is anyone keeping track of the amount of traffic that these folks are using to wage these attacks? I'd love to see them prosecuted and fined, per byte. At 70 Gbps, even in bursts, that's not going to be cheap.

Andrew Hornback
InformationWeek Contributor
Bryan Yurcan
50%
50%
Bryan Yurcan,
User Rank: Apprentice
3/27/2013 | 11:33:17 PM
re: Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions
These type of attacks against banks, while always existing, have definitely been ramped up in the last 6 months or so. This highlights the need for information sharing and cooperation between financial institutions regarding security threats.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.