3/27/2013
09:47 AM

Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions

Muslim hacktivists continue third wave of takedowns, submit invoice protesting "Innocence of Muslims" video that mocks founder of Islam.

Wells Fargo's website suffered disruptions Tuesday, after the al-Qassam Cyber Fighters hacktivist group vowed to continue its long-running campaign of U.S. banking website takedowns.

According to website downtime and outage reporting service Sitedown.co, over the past 24 hours, banking customers posted higher than normal numbers of downtime reports for Wells Fargo (232 reports) and Bank of America (46 reports). Some customers also reported difficulties accessing the websites of Chase, Capital One, Citibank and PNC Bank, and in some cases also the banks' mobile banking sites.

Wells Fargo spokeswoman Bridget Braxton confirmed Tuesday that the bank's website was being disrupted, but told Reuters that "the vast majority of customers are not impacted and customer information remains safe." She also noted that the disruptions were intermittent, and recommended customers who couldn't access the Wells Fargo website keep trying.

[ U.S. banks aren't the only financial institutions under attack. Learn How South Korean Bank Malware Spread. ]

By the tally of the al-Qassam Cyber Fighters, which is a self-proclaimed group of Muslim hacktivists, this is now the fourth week in the third wave of its distributed denial-of-service (DDoS) attack campaign, which it's dubbed Operation Ababil. "During last week the below list of banks and/or financial services were being chosen as target: BB&T, PNC, Chase, Citibank, U.S. Bancorp, Suntrust, Fifth Third Bancor, Wells Fargo and some others," according to a statement posted Tuesday to Pastebin by the group, announcing that the DDoS attacks would be continuing.

The group's statement failed to identify its list of bank targets for the current week, but did include a mock invoice, which claims the current DDoS attack volume being unleashed is based on an equation the group has cooked up that estimates the "approximate cost on U.S. banks per each DDoS minute" to be $30,000, and charges them $100 "for each view/like" on YouTube of any copy of Innocence of Muslims. That video, which mocks the founder of Islam, was first posted to YouTube in July 2012, and has long been cited by al-Qassam Cyber Fighters as the reason for its attacks.

This week, the group's statement said, "the united states must still pay because of the insult," and promised to continue the banking website disruptions "until all copies of the insulting movie (both trailer and full version) are removed."

The first bank attacks were launched in September 2012, followed by another round in late 2012. Earlier this month, meanwhile, the al-Qassam Cyber Fighters announced that they'd be commencing a third wave of attacks.

With each new wave of attacks, the scale and sophistication of the disruptions have continued to increase. "The third wave of attacks has matured in several meaningful ways," Dan Holden, director of security research at Arbor Networks, recently said via email. "The size of the botnet has continued to grow, new techniques and toolkits are being developed and the attackers continue to focus further on the application level."

Those tools and tactics include the use of the "itsoknoproblembro" toolkit -- also known as Brobot -- that can achieve sustained floods of 70 Gbps and 30 million packets per second, as well as compromising legitimate WordPress and PHP websites and using them as staging grounds for launching DDoS attacks.

"The attackers are beginning to use more sophisticated tactics as defensive capabilities improve and mitigation against the attacks continues to be successful," said Holden. "We are seeing randomization capabilities in the attack tools for the first time during the approximately seven-month campaign. We expect these trends to continue as the campaign carries on."

Comments
Andrew Hornback
User Rank: Apprentice
4/3/2013 | 2:52:35 AM
re: Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions
Is anyone keeping track of the amount of traffic that these folks are using to wage these attacks? I'd love to see them prosecuted and fined, per byte. At 70 Gbps, even in bursts, that's not going to be cheap.

Andrew Hornback
InformationWeek Contributor
Bryan Yurcan
User Rank: Apprentice
3/27/2013 | 11:33:17 PM
re: Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions
These types of attacks against banks, while always existing, have definitely been ramped up in the last 6 months or so. This highlights the need for information sharing and cooperation between financial institutions regarding security threats.