Attacks/Breaches
10/2/2012
11:51 AM
Connect Directly
RSS
E-Mail
50%
50%

Bank Site Attacks Trigger Ongoing Outages, Customer Anger

Who's really behind the recent bank DDoS attacks? They are more diverse and powerful than previously seen hacktivist campaigns, security experts say.

Over the past two weeks, the websites of multiple financial institutions--including Bank of America, JPMorgan Chase, PNC, U.S. Bank, and Wells Fargo--have been targeted by attackers, leading to their websites being disrupted. Furthermore, some banks appear to still be suffering related outages.

That's led more than 1,000 customers of those institutions to file related complaints with Site Down, a website that tracks outages. Customers have reported being unable to their access checking, savings, and mortgage accounts, as well as bill-paying and other services, via the affected banks' websites and mobile applications.

Many of the banks' customers have also criticized their financial institutions for not clearly detailing what was happening, or what the banks were doing about it. "It was probably the least impressive corporate presentation of bad news I've ever seen," Paul Downs, a small-business owner in Bridgeport, Pa., told The New York Times, where he's also a small-business blogger.

A hacktivist group calling itself the Cyber fighters of Izz ad-din Al qassam has taken credit for the attacks, which it's dubbed Operation Ababil, meaning "swarm" in Arabic. It said the attacks are meant to disrupt U.S. banking operations in retaliation for the release of the Innocence of Muslims film that mocks the founder of Islam.

[ Learn how Iran is reacting to that controversial movie, released on YouTube. See Iran Removes Gmail Block. ]

Some of the attacked banks' websites still appear to be experiencing outages, but Dan Holden, director of security for the Arbor Security Engineering and Response Team, said he's seen no signs that any active attacks are currently underway. "Obviously, we're only one day into the week, but we didn't see anything yesterday, and while [the Cyber fighters of Izz ad-din Al qassam] said in the previous post that they'd be working over the weekend, there haven't been any new posts stating that they'd be doing new attacks," he said.

Tuesday, however, multiple Wells Fargo customers were still reporting that they were having trouble accessing the bank's website, or getting it to respond after they'd logged in. "Day 8, still can't get in with Safari or Firefox ... getting old. I have a business to run here," said an anonymous poster to Site Down. "This is getting old," said another.

Asked to comment on reports that the bank's website was continuing to experience outages, a spokeswoman for Wells Fargo repeated a statement released last week, saying via email that "customers can access their accounts through the online and mobile channels."

Multiple Bank of America customers Tuesday also reported problems with the bank's website, with some people saying they'd been experiencing disruptions for 10 days or more. "I agree ... with all the other comments about this problem of being unable to go on line. What in the world is going on--get it fixed!" said an anonymous user Sunday on the Site Down website. But Bank of America spokesman Mark T. Pipitone said via email that the bank's website has been working normally since last Tuesday, and suggested that the scale of any reported website problems was within normal parameters. "We service 30 million online banking customers," he said. "Our online banking services have been, and continue to be, fully functional."

Given attackers' advance warning that they planned to take down the banking websites--which suggested that they'd launch distributed denial-of-service (DDoS) attacks, why didn't banks simply block the attacks? As one PNC customer said in an online forum, "Come on PNC! Never heard of content delivery networks to make these attacks more difficult?? ... Please invest in a more capable network security team and take care of your customers!"

But Arbor's Holden, speaking by phone, said that the attackers had used multiple DDoS tools and attack types--including TCP/IP flood, UDP flood, as well as HTTP and HTTPS application attacks--together with servers sporting "massive bandwidth capacity." So while the attacks weren't sophisticated, they succeeded by blending variety and scale.

Given the massive bandwidth used in the attacks, were they really launched by hacktivists, which is what the attackers have claimed they are? Former U.S. government officials, speaking anonymously to various media outlets, have instead directly accused Iran of launching the attacks. Regardless of whether Iran is involved, Holden said that the bank attacks don't resemble previously seen hacktivist attacks, which typically involved botnets of endpoint-infected PCs, or people who opted in to the attack, for example by using the Low Orbit Ion Canon JavaScript DDoS tool from Anonymous.

"With Anonymous ... you'd see those people coming together and launching an attack with a given tool," Holden said. "With this, yes, you're seeing multiple types of attacks, multiple tools, and while blended attacks are common, they're not so common with classic hacktivism, or hacktivism that we've witnessed in the past."

In other words, "we don't know whether it's hacktivism or whether it's not," said Holden. "There's nothing really backing up the advertisement that this was a bunch of angry people. If it is, it's people who have gone out with a particular skill set, or hired someone with a particular skill set, to launch these particular attacks." But whoever's involved in these attacks has quite a lot of knowledge related to the art of launching effective DDoS website takedowns, and has access to high-bandwidth servers, which they've either compromised, rented, or been granted access to.

Interestingly, the attackers do appear to have taken a page from the Anonymous attack playbook. "We don't have all the information about which specific techniques have been used against the U.S. banks so far, but the 'Izz ad-Din al-Qassam Cyber Fighters' scripts are based on the JS LOIC scripts used by Anonymous as well," said Jaime Blasco, AlienVault's lab manager, via email.

But like Holden, Blasco said that the bank website attackers had used much more than just JavaScript. "The number of queries/traffic you need to generate to affect the infrastructure of those targets is very high," he said. "To affect those targets, you need thousands of machines generating traffic, and ... other types of DDoS."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
banklook
50%
50%
banklook,
User Rank: Apprentice
10/8/2012 | 9:54:49 PM
re: Bank Site Attacks Trigger Ongoing Outages, Customer Anger
@Moarsauce: you're generally right, except banks are each different, some work harder than others. For example, tdbank.com and everbank.com score higher CloudPower scores than any of the banks affected during the attacks last week. Banks are generally old-fashioned and are sort of late to the 'let's do this online' party. You can see yourself at banklook.com.

-Eric
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
10/6/2012 | 1:48:46 PM
re: Bank Site Attacks Trigger Ongoing Outages, Customer Anger
Welcome to the cloud. This is the sole reason why I don't bank with online only banks. The customers of the affected banks at least have an option to find a branch office and do business there, although it is less convenient. Try that with ING Direct or others. As a customer should I drive to the data center and start talking to the server?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.