Attacks/Breaches
9/28/2012
09:59 AM
Connect Directly
RSS
E-Mail
50%
50%

PNC Bank Hit By Crowdsourced Hacktivist Attacks

Financial services website disrupted by DDoS attacks launched to protest anti-Muslim film, following similar attacks against Wells Fargo, U.S. Bank, and Bank of America.

After attacking the websites of Wells Fargo and U.S. Bank earlier this week, Muslim hacktivists Thursday also claimed credit for disrupting the PNC Financial Services Group website.

The attacks were carried out under the banner of "Operation Ababil," which last week disrupted the websites of Bank of America and JPMorgan Chase. This week's banking attacks--against Wells Fargo Tuesday, U.S. Bank Wednesday, and PNC Bank Thursday--had been previewed in a Pastebin post uploaded by a hacktivist group calling itself Cyber fighters of Izz ad-din Al qassam.

Likewise, a Thursday post to the Hilf-Ol-Fozoul blog--which has promoted Operation Ababil and shared links to distributed denial-of-service (DDoS) tools--credited the Cyber fighters of Izz ad-din Al qassam with having organized the recent banking website attacks.

[ Could an international agreement stop international cyber warfare? The Case For A Cyber Arms Treaty. ]

PNC didn't immediately respond to an emailed request for comment about the attacks. But PNC spokesman Fred Solomon told Threatpost Thursday that "traffic to our sites is heavy today and it's of a similar pattern to that seen by other banks of late."

The Cyber fighters of Izz ad-din Al qassam have said that the attacks against U.S. financial services websites are being launched in retaliation for the release of the Innocence of Muslims film that mocks the founder of Islam. A 14-minute clip of the film, uploaded to YouTube by its director, a man going by the name Sam Bacile, helped trigger numerous riots across the Middle East.

But former U.S. government officials, speaking anonymously, have accused the Iranian government of being behind the attacks against financial institutions, which they said began about a year ago. The Iranian government, however, has denied any involvement.

Meanwhile, Dmitri Alperovich, CTO of security firm CrowdStrike, doesn't think the attacks are just about protesting online, not least because the name of the group involved is the same as the military branch of Hamas. "I don't buy that their motivation is in response to the video; this group has been carrying out attacks for months," he told Threatpost. "Their motivation is to send a message that this is what they're capable of."

Regardless of whoever's organizing the financial website DDoS attacks, the campaign appears to be crowdsourced and receiving grassroots-level support, according to Atif Mushtaq, a security researcher at FireEye. "When I heard about this DDoS, the first things I wanted to find was the nature of the DDoS attack," said Mushtaq via email. "Like, is it being done using some botnet, or is it a community based action? If it is being done using some botnet, then who is operating this botnet--is it a simple 'pay for DDOS' scenario where attacker(s) rent a botnet to attack someone, or [have] attackers built their own botnet?"

According to Mushtaq, "it's most likely a community-based action, not a botnet," based in part on a September 18 post on the blog titled "Come and support Prophet Muhammed on the Internet," which urged to people to download attack tools--via included file-sharing websites--and use them to attack the Bank of America and New York Stock Exchange websites, in support of the Cyber fighters of Izz ad-din Al qassam. "They are asking people to download a RAR file containing an HTML file, and run it from their desktop," said Mushtaq. "From this point onwards DDoS will be handled by these scripts alone."

If protesting online is the goal of the attacks, what might convince the hacktivists involved to wrap up their campaign? A post to the Hilf-Ol-Fozoul blog called on U.S. authorities to "punish the cast and crew, the publisher included," of Innocence of Muslims film, at which time it said "this story will end."

The U.S. government has already been moving to distance itself from the film. Earlier this week, in an address to the United Nations General Assembly, President Barack Obama criticized the video as being "crude and disgusting" and reiterated that the U.S. government had no hand in creating it. "It is an insult not only to Muslims, but to America as well," he said, but noted that the film was likewise protected by U.S. law. "I know there are some who ask why don't we just ban such a video. The answer is enshrined in our laws. Our Constitution protects the right to practice free speech."

Thursday, however, the alleged filmmaker behind the Innocence of the Muslims was arrested in Los Angeles. Authorities have accused the man, Nakoula Basseley Nakoula, of violating the terms of his 2010 conviction for banking fraud. According to news reports, during his case law enforcement officials alleged that Nakoula had opened credit card and bank accounts using other people's names, written checks in other people's names, and then attempted to deposit those checks and withdraw the money.

After pleading guilty to a bank fraud charge, Nakoula served 21 months in prison, and was released in June 2011. But as part of his probation, he's barred from using a computer unless under supervision. Authorities said they suspect that Nakoula--a Christian who's originally from Egypt--said he was Sam Bacile when speaking with news media about the film.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
10/1/2012 | 1:08:42 AM
re: PNC Bank Hit By Crowdsourced Hacktivist Attacks
This looks to be more a case of "Oh look, now we have a reason to rally behind in order to cover our real cause" as opposed to simply getting a bunch of folks together to attack a website.

I have to wonder though - at what point does this kind of "protest" (as they call it) cross the line from being a Freedom of Speech thing into cyber attack territory?

Also, what this group is really showing that they're doing is that they can waste resources - it takes power to both generate this "attack" and transmit it to their targets. Not that I'm an expert in Islam, but isn't there something involved in that faith that says that humanity has to take care of the Earth that they've been given? Is wasting resources in the name of your religious beliefs really the best way to do that?

From a tech standpoint - the idea behind this is somewhat laughable. Let's enlist everyone within ear shot to join a group in order to attack a target. Given that you're using a digital means in order to do that, not only is it deflectable with the appropriate countermeasures, but it also will help those whom you are attacking to determine just who you are and remove your anonymity - anything in the digital domain can be traced with enough effort.

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.