10:42 AM

U.S. Bank Hacks Expand; Regions Financial Hit

Attacks by self-described Muslim hackers, now in their fourth week, hit Regions Financial Thursday. Hacking campaign has also disrupted Capital One and SunTrust banking websites.

Regions Financial Thursday became the latest U.S. bank to have its website attacked and disrupted by self-described Muslim hackers, as part of their ongoing "Operation Ababil" online attack campaign.

"We are experiencing an Internet service disruption that is intermittently impacting our customers' ability to access our website or use our online banking service," said Regions Financial spokesman Mel Campbell Thursday in a statement, according to news reports. "We are working quickly to resolve this issue and regret any inconvenience customers may be experiencing."

Early Friday morning, the Regions website appeared to still be inaccessible, but by later in the day, it appeared to once again be available. A spokesman for Regions didn't immediately respond to an emailed query about exactly when the attack against the bank's website had begun, or how long it had lasted.

The Regions website disruption followed similar distributed denial-of-service (DDoS) attacks launched against the websites of Capital One on Tuesday, and SunTrust on Wednesday.

Capital One spokeswoman Pam Garardo said via email that on Oct. 9, Capital One experienced intermittent access to some online systems due to a denial-of-service attack. She emphasized that other bank channels--branches, call centers, ATMs, as well as its ING Direct and HSBC credit card websites--were not affected, and that no customer or account information had been exposed. "Online servicing channels were fully restored within a few hours," she said.

In the case of SunTrust, Fox Business reported Wednesday that when attempting to log on, some customers have been complaining of receiving one of two error messages: 'Server Unavailable' or 'Server is too busy.' According to news reports, a SunTrust spokesman said Wednesday, "We have seen increased traffic today and have experienced some intermittent service availability."

As of Friday, however, the bank's website appeared to be fully accessible. SunTrust spokesman Mike McCoy, when asked via email about exactly when the attacks had begun and ended, replied, "We are not commenting further on the matter as we typically don't comment on security-related matters."

As with recent similar attacks, all three bank attacks had been announced in advance via a Pastebin post--the latest uploaded Monday--by a group calling itself the Izz ad-Din al-Qassam Cyber Fighters.

According to The New York Times, the name of the hacking--or hacktivist--group references "Izz ad-Din al-Qassam, a Muslim holy man who fought against European forces and Jewish settlers in the Middle East in the 1920s and 1930s." The hackers said they've launched their banking attacks in retaliation for the release of the "Innocence of Muslims" film that mocks the founder of Islam. A 13-minute clip of the film was uploaded last month to YouTube.

The film has been attributed to Nakoula Basseley Nakoula (a.k.a. Mark Basseley Youssef), 55, who appeared Wednesday in Los Angeles U.S. District Court. Federal prosecutors had accused Nakoula of eight violations of his probation, stemming from a 2010 conviction on bank fraud charges, which could see him returned to prison for two years. He was arrested Sept. 28 for the alleged parole violations, which include using aliases, using a computer without supervision, and lying to his probation officer. But in his court appearance, Nakoula denied all of the charges against him. He's next due back in court Nov. 9.

Attackers' apparent motivations aside, do the bank website disruptions herald a new era in online attacks? "A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyze the nation," said Secretary of Defense Leon Panetta Thursday, in a speech at a black-tie event held by the Business Executives for National Security on the Intrepid Sea, Air and Space Museum in New York.

"In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called 'distributed denial-of-service' attacks," he said. "These attacks delayed or disrupted services on customer websites. While this kind of tactic isn't new, the scale and speed was unprecedented."

But security firm Prolexic, which has been tracking the tools and techniques used in the banking website disruptions, begged to differ with Panetta's analysis. "These are big, but we've seen this big before," Neal Quinn, chief operating officer of Prolexic, told Wired. "We've seen events this big in the past."

Still, the attacks have been notable because even with attackers' prior warning, they've managed to disrupt the websites of some of the country's largest financial firms, including Bank of America, JPMorgan Chase, PNC, U.S. Bank, and Wells Fargo. As that skill and sophistication suggest, the bank attacks haven't been launched by just one individual, or using a single tool, but rather by multiple well-organized groups wielding a variety of tools, according to Prolexic.

"A blend of attack scripts and different techniques used in each campaign is another pointer to the likelihood that multiple, well-organized groups or individuals were behind these attacks," said Prolexic president Stuart Scholly in an emailed statement. The company has also found that the compromised servers used by attackers appear to have been taken over--again, using a variety of different toolkits and techniques--as far back as May 2012, which further suggests that the attack participants were diverse, and the exploits well-organized.

User Rank: Apprentice
10/19/2012 | 9:23:45 AM
re: U.S. Bank Hacks Expand; Regions Financial Hit
Panetta used the attacks on ICS (Industrial Control Systems) as a warning to the US business community that similar attacks are imminent. It is also a calling for US business to embrace stalled cyber security legislation that has been bouncing around the House and Senate over the past 2+ years.

Companies have been reluctant, fearing legal repercussions for non-compliance and/or sharing sensitive information. And for those companies which worry about not complying with what is a pretty low bar of cyber security best practices -- too bad! They should be doing that already. I've long supported this cyber security bill and continue to do so -- now more than ever. Here's another interesting article on this matter: http://blog.securityinnovation...
User Rank: Apprentice
10/15/2012 | 12:36:39 PM
re: U.S. Bank Hacks Expand; Regions Financial Hit
I guess you really don't care since it made sure I read your article and noticed a couple of your ads, but there is a bank in the USA called US Bank and your headline made it sound like this bank had been under attack for several days. This sort of poor headline wording could cause heart palpitations in people that are just returning to work from an 8 day, mostly disconnected, vacation in Florida.
User Rank: Apprentice
10/12/2012 | 5:47:48 PM
re: U.S. Bank Hacks Expand; Regions Financial Hit
Hello everyone,

According to the statement "Capital One spokeswoman Pam Garardo said via email that on Oct. 9, Capital One experienced intermittent access to some online systems due to a denial-of-service attack. She emphasized that other bank channels--branches, call centers, ATMs, as well as its ING Direct and HSBC credit card websites--were not affected, and that no customer or account information had been exposed. 'Online servicing channels were fully restored within a few hours,' she said." I had a different experience. I could not get my online information or do anything until the next day. I received emails from the system but that was all that I could do electronically.
User Rank: Ninja
10/12/2012 | 5:37:27 PM
re: U.S. Bank Hacks Expand; Regions Financial Hit
I wonder if the film is the real reason, or if it's a pretext. They could, after all, make the very same attacks on the pretext that they're U.S. banks and the U.S. is the Great Satan. They could even do it on the grounds that, like all western banks, they charge interest on loans, which Islam teaches is sinful.
