3/27/2013
09:47 AM

Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions

Muslim hacktivists continue third wave of takedowns, submit invoice protesting "Innocence of Muslims" video that mocks founder of Islam.

Wells Fargo's website suffered disruptions Tuesday, after the al-Qassam Cyber Fighters hacktivist group vowed to continue its long-running campaign of U.S. banking website takedowns.

According to website downtime and outage reporting service Sitedown.co, over the past 24 hours, banking customers posted higher than normal numbers of downtime reports for Wells Fargo (232 reports) and Bank of America (46 reports). Some customers also reported difficulties accessing the websites of Chase, Capital One, Citibank and PNC Bank, and in some cases also the banks' mobile banking sites.

Wells Fargo spokeswoman Bridget Braxton confirmed Tuesday that the bank's website was being disrupted, but told Reuters that "the vast majority of customers are not impacted and customer information remains safe." She also noted that the disruptions were intermittent, and recommended customers who couldn't access the Wells Fargo website keep trying.

By the tally of the al-Qassam Cyber Fighters, which is a self-proclaimed group of Muslim hacktivists, this is now the fourth week in the third wave of its distributed denial-of-service (DDoS) attack campaign, which it's dubbed Operation Ababil. "During last week the below list of banks and/or financial services were being chosen as target: BB&T, PNC, Chase, Citibank, U.S. Bancorp, Suntrust, Fifth Third Bancor, Wells Fargo and some others," according to a statement posted Tuesday to Pastebin by the group, announcing that the DDoS attacks would be continuing.

The group's statement failed to identify its list of bank targets for the current week, but did include a mock invoice, which claims the current DDoS attack volume being unleashed is based on an equation the group has cooked up that estimates the "approximate cost on U.S. banks per each DDoS minute" to be $30,000, and charges them $100 "for each view/like" on YouTube of any copy of Innocence of Muslims. That video, which mocks the founder of Islam, was first posted to YouTube in July 2012, and has long been cited by al-Qassam Cyber Fighters as the reason for its attacks.

This week, the group's statement said that "the united states must still pay because of the insult," and promised to continue the banking website disruptions "until all copies of the insulting movie (both trailer and full version) are removed."

The first bank attacks were launched in September 2012, followed by another round in late 2012. Earlier this month, meanwhile, the al-Qassam Cyber Fighters announced that they'd be commencing a third wave of attacks.

With each new wave of attacks, the scale and sophistication of disruptions have continued to increase. "The third wave of attacks has matured in several meaningful ways," Dan Holden, director of security research at Arbor Networks, recently said via email. "The size of the botnet has continued to grow, new techniques and toolkits are being developed and the attackers continue to focus further on the application level."

Those tools and tactics include the use of the "itsoknoproblembro" toolkit -- also known as Brobot -- that can achieve sustained floods of 70 Gbps and 30 million packets per second, as well as compromising legitimate WordPress and PHP websites and using them as staging grounds for launching DDoS attacks.

"The attackers are beginning to use more sophisticated tactics as defensive capabilities improve and mitigation against the attacks continues to be successful," said Holden. "We are seeing randomization capabilities in the attack tools for the first time during the approximately seven-month campaign. We expect these trends to continue as the campaign carries on."

Comments
Bryan Yurcan,
User Rank: Apprentice
3/27/2013 | 11:33:17 PM
re: Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions
These types of attacks against banks, while always existing, have definitely been ramped up in the last 6 months or so. This highlights the need for information sharing and cooperation between financial institutions regarding security threats.
Andrew Hornback,
User Rank: Apprentice
4/3/2013 | 2:52:35 AM
re: Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions
Is anyone keeping track of the amount of traffic that these folks are using to wage these attacks? I'd love to see them prosecuted and fined, per byte. At 70 Gbps, even in bursts, that's not going to be cheap.

Andrew Hornback
InformationWeek Contributor