Attacks/Breaches
9/28/2012
09:59 AM
Connect Directly
RSS
E-Mail
50%
50%

PNC Bank Hit By Crowdsourced Hacktivist Attacks

Financial services website disrupted by DDoS attacks launched to protest anti-Muslim film, following similar attacks against Wells Fargo, U.S. Bank, and Bank of America.

After attacking the websites of Wells Fargo and U.S. Bank earlier this week, Muslim hacktivists Thursday also claimed credit for disrupting the PNC Financial Services Group website.

The attacks were carried out under the banner of "Operation Ababil," which last week disrupted the websites of Bank of America and JPMorgan Chase. This week's banking attacks--against Wells Fargo Tuesday, U.S. Bank Wednesday, and PNC Bank Thursday--had been previewed in a Pastebin post uploaded by a hacktivist group calling itself Cyber fighters of Izz ad-din Al qassam.

Likewise, a Thursday post to the Hilf-Ol-Fozoul blog--which has promoted Operation Ababil and shared links to distributed denial-of-service (DDoS) tools--credited the Cyber fighters of Izz ad-din Al qassam with having organized the recent banking website attacks.

[ Could an international agreement stop international cyber warfare? The Case For A Cyber Arms Treaty. ]

PNC didn't immediately respond to an emailed request for comment about the attacks. But PNC spokesman Fred Solomon told Threatpost Thursday that "traffic to our sites is heavy today and it's of a similar pattern to that seen by other banks of late."

The Cyber fighters of Izz ad-din Al qassam have said that the attacks against U.S. financial services websites are being launched in retaliation for the release of the Innocence of Muslims film that mocks the founder of Islam. A 14-minute clip of the film, uploaded to YouTube by its director, a man going by the name Sam Bacile, helped trigger numerous riots across the Middle East.

But former U.S. government officials, speaking anonymously, have accused the Iranian government of being behind the attacks against financial institutions, which they said began about a year ago. The Iranian government, however, has denied any involvement.

Meanwhile, Dmitri Alperovich, CTO of security firm CrowdStrike, doesn't think the attacks are just about protesting online, not least because the name of the group involved is the same as the military branch of Hamas. "I don't buy that their motivation is in response to the video; this group has been carrying out attacks for months," he told Threatpost. "Their motivation is to send a message that this is what they're capable of."

Regardless of whoever's organizing the financial website DDoS attacks, the campaign appears to be crowdsourced and receiving grassroots-level support, according to Atif Mushtaq, a security researcher at FireEye. "When I heard about this DDoS, the first things I wanted to find was the nature of the DDoS attack," said Mushtaq via email. "Like, is it being done using some botnet, or is it a community based action? If it is being done using some botnet, then who is operating this botnet--is it a simple 'pay for DDOS' scenario where attacker(s) rent a botnet to attack someone, or [have] attackers built their own botnet?"

According to Mushtaq, "it's most likely a community-based action, not a botnet," based in part on a September 18 post on the blog titled "Come and support Prophet Muhammed on the Internet," which urged to people to download attack tools--via included file-sharing websites--and use them to attack the Bank of America and New York Stock Exchange websites, in support of the Cyber fighters of Izz ad-din Al qassam. "They are asking people to download a RAR file containing an HTML file, and run it from their desktop," said Mushtaq. "From this point onwards DDoS will be handled by these scripts alone."

If protesting online is the goal of the attacks, what might convince the hacktivists involved to wrap up their campaign? A post to the Hilf-Ol-Fozoul blog called on U.S. authorities to "punish the cast and crew, the publisher included," of Innocence of Muslims film, at which time it said "this story will end."

The U.S. government has already been moving to distance itself from the film. Earlier this week, in an address to the United Nations General Assembly, President Barack Obama criticized the video as being "crude and disgusting" and reiterated that the U.S. government had no hand in creating it. "It is an insult not only to Muslims, but to America as well," he said, but noted that the film was likewise protected by U.S. law. "I know there are some who ask why don't we just ban such a video. The answer is enshrined in our laws. Our Constitution protects the right to practice free speech."

Thursday, however, the alleged filmmaker behind the Innocence of the Muslims was arrested in Los Angeles. Authorities have accused the man, Nakoula Basseley Nakoula, of violating the terms of his 2010 conviction for banking fraud. According to news reports, during his case law enforcement officials alleged that Nakoula had opened credit card and bank accounts using other people's names, written checks in other people's names, and then attempted to deposit those checks and withdraw the money.

After pleading guilty to a bank fraud charge, Nakoula served 21 months in prison, and was released in June 2011. But as part of his probation, he's barred from using a computer unless under supervision. Authorities said they suspect that Nakoula--a Christian who's originally from Egypt--said he was Sam Bacile when speaking with news media about the film.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
10/1/2012 | 1:08:42 AM
re: PNC Bank Hit By Crowdsourced Hacktivist Attacks
This looks to be more a case of "Oh look, now we have a reason to rally behind in order to cover our real cause" as opposed to simply getting a bunch of folks together to attack a website.

I have to wonder though - at what point does this kind of "protest" (as they call it) cross the line from being a Freedom of Speech thing into cyber attack territory?

Also, what this group is really showing that they're doing is that they can waste resources - it takes power to both generate this "attack" and transmit it to their targets. Not that I'm an expert in Islam, but isn't there something involved in that faith that says that humanity has to take care of the Earth that they've been given? Is wasting resources in the name of your religious beliefs really the best way to do that?

From a tech standpoint - the idea behind this is somewhat laughable. Let's enlist everyone within ear shot to join a group in order to attack a target. Given that you're using a digital means in order to do that, not only is it deflectable with the appropriate countermeasures, but it also will help those whom you are attacking to determine just who you are and remove your anonymity - anything in the digital domain can be traced with enough effort.

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.