Attacks/Breaches
3/27/2013
09:47 AM
Connect Directly
RSS
E-Mail
50%
50%

Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions

Muslim hacktivists continue third wave of takedowns, submit invoice protesting "Innocence of Muslims" video that mocks founder of Islam.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Wells Fargo's website suffered disruptions Tuesday, after the al-Qassam Cyber Fighters hacktivist group vowed to continue its long-running campaign of U.S. banking website takedowns.

According to website downtime and outage reporting service Sitedown.co, over the past 24 hours, banking customers posted higher than normal numbers of downtime reports for Wells Fargo (232 reports) and Bank of America (46 reports). Some customers also reported difficulties accessing the websites of Chase, Capital One, Citibank and PNC Bank, and in some cases also the banks' mobile banking sites.

Wells Fargo spokeswoman Bridget Braxton confirmed Tuesday that the bank's website was being disrupted, but told Reuters that "the vast majority of customers are not impacted and customer information remains safe." She also noted that the disruptions were intermittent, and recommended customers who couldn't access the Wells Fargo website keep trying.

[ U.S. banks aren't the financial institutions under attack. Learn How South Korean Bank Malware Spread. ]

By the tally of the al-Qassam Cyber Fighters, which is a self-proclaimed group of Muslim hacktivists, this is now the fourth week in the third wave of its distributed denial-of-service (DDoS) attack campaign, which it's dubbed Operation Ababil. "During last week the below list of banks and/or financial services were being chosen as target: BB&T, PNC, Chase, Citibank, U.S. Bancorp, Suntrust, Fifth Third Bancor, Wells Fargo and some others," according to a statement posted Tuesday to Pastebin by the group, announcing that the DDoS attacks would be continuing.

The group's statement failed to identify its list of bank targets for the current week, but did include a mock invoice, which claims the current DDoS attack volume being unleashed is based on an equation the group has cooked up that estimates the "approximate cost on U.S. banks per each DDoS minute" to be $30,000, and charges them $100 "for each view/like" on YouTube of any copy of Innocence of Muslims. That video, which mocks the founder of Islam, was first posted to YouTube in July 2012, and has long been cited by al-Qassam Cyber Fighters as the reason for its attacks.

This week, according to the group's statement, "the united states must still pay because of the insult," and promised to continue the banking website disruptions "until all copies of the insulting movie (both trailer and full version) are removed."

The first bank attacks were launched in September 2012, followed by another round in late 2012. Earlier this month, meanwhile, the al-Qassam Cyber Fighters announced that they'd be commencing a third wave of attacks.

With each new wave of attacks, the scale and sophistication of disruptions has continued to increase. "The third wave of attacks has matured in several meaningful ways," Dan Holden, director of security research at Arbor Networks, recently said via email. "The size of the botnet has continued to grow, new techniques and toolkits are being developed and the attackers continue to focus further on the application level."

Those tools and tactics include the use of the "itsoknoproblembro" toolkit -- also known as Brobot -- that can achieve sustained floods of 70 Gbps and 30 million packets per second, as well as compromising legitimate WordPress and PHP websites and using them as staging grounds for launching DDoS attacks.

"The attackers are beginning to use more sophisticated tactics as defensive capabilities improve and mitigation against the attacks continues to be successful," said Holden. "We are seeing randomization capabilities in the attack tools for the first time during the approximately seven-month campaign. We expect these trends to continue as the campaign carries on."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/3/2013 | 2:52:35 AM
re: Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions
Is anyone keeping track of the amount of traffic that these folks are using to wage these attacks? I'd love to see them prosecuted and fined, per byte. At 70 Gbps, even in bursts, that's not going to be cheap.

Andrew Hornback
InformationWeek Contributor
Bryan Yurcan
50%
50%
Bryan Yurcan,
User Rank: Apprentice
3/27/2013 | 11:33:17 PM
re: Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions
These type of attacks against banks, while always existing, have definitely been ramped up in the last 6 months or so. This highlights the need for information sharing and cooperation between financial institutions regarding security threats.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.