10/12/2012
10:42 AM

U.S. Bank Hacks Expand; Regions Financial Hit

Attacks by self-described Muslim hackers, now in their fourth week, hit Regions Financial Thursday. Hacking campaign has also disrupted Capital One and SunTrust banking websites.

Regions Financial Thursday became the latest U.S. bank to have its website attacked and disrupted by self-described Muslim hackers, as part of their ongoing "Operation Ababil" online attack campaign.

"We are experiencing an Internet service disruption that is intermittently impacting our customers' ability to access our website or use our online banking service," said Regions Financial spokesman Mel Campbell Thursday in a statement, according to news reports. "We are working quickly to resolve this issue and regret any inconvenience customers may be experiencing."

Early Friday morning, the Regions website appeared to still be inaccessible, but by later in the day, it appeared to once again be available. A spokesman for Regions didn't immediately respond to an emailed query about exactly when the attack against the bank's website had begun, or how long it had lasted.


The Regions website disruption followed similar distributed denial-of-service (DDoS) attacks launched against the websites of Capital One on Tuesday, and SunTrust on Wednesday.

Capital One spokeswoman Pam Garardo said via email that on Oct. 9, Capital One experienced intermittent access to some online systems due to a denial-of-service attack. She emphasized that other bank channels--branches, call centers, ATMs, as well as its ING Direct and HSBC credit card websites--were not affected, and that no customer or account information had been exposed. "Online servicing channels were fully restored within a few hours," she said.

In the case of SunTrust, Fox Business reported Wednesday that when attempting to log on, some customers have been complaining of receiving one of two error messages: 'Server Unavailable' or 'Server is too busy.' According to news reports, a SunTrust spokesman said Wednesday, "We have seen increased traffic today and have experienced some intermittent service availability."

As of Friday, however, the bank's website appeared to be fully accessible. SunTrust spokesman Mike McCoy, when asked via email about exactly when the attacks had begun and ended, replied, "We are not commenting further on the matter as we typically don't comment on security-related matters."

As with recent similar attacks, all three bank attacks had been announced in advance via a Pastebin post--the latest uploaded Monday--by a group calling itself the Izz ad-Din al-Qassam Cyber Fighters.

According to The New York Times, the name of the hacking--or hacktivist--group references "Izz ad-Din al-Qassam, a Muslim holy man who fought against European forces and Jewish settlers in the Middle East in the 1920s and 1930s." The hackers said they've launched their banking attacks in retaliation for the release of the "Innocence of Muslims" film that mocks the founder of Islam. A 13-minute clip of the film was uploaded last month to YouTube.

The film has been attributed to Nakoula Basseley Nakoula (a.k.a. Mark Basseley Youssef), 55, who appeared Wednesday in Los Angeles U.S. District Court. Federal prosecutors had accused Nakoula of eight violations of his probation, stemming from a 2010 conviction on bank fraud charges, which could see him returned to prison for two years. He was arrested Sept. 28 for the alleged parole violations, which include using aliases, using a computer without supervision, and lying to his probation officer. But in his court appearance, Nakoula denied all of the charges against him. He's next due back in court Nov. 9.

Attackers' apparent motivations aside, do the bank website disruptions herald a new era in online attacks? "A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyze the nation," said Secretary of Defense Leon Panetta Thursday, in a speech at a black-tie event held by the Business Executives for National Security on the Intrepid Sea, Air and Space Museum in New York.

"In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called 'distributed denial-of-service' attacks," he said. "These attacks delayed or disrupted services on customer websites. While this kind of tactic isn't new, the scale and speed was unprecedented."

But security firm Prolexic, which has been tracking the tools and techniques used in the banking website disruptions, begged to differ with Panetta's analysis. "These are big, but we've seen this big before," Neal Quinn, chief operating officer of Prolexic, told Wired. "We've seen events this big in the past."

Still, the attacks have been notable because even with attackers' prior warning, they've managed to disrupt the websites of some of the country's largest financial firms, including Bank of America, JPMorgan Chase, PNC, U.S. Bank, and Wells Fargo. As that skill and sophistication suggest, the bank attacks haven't been launched by just one individual, or using a single tool, but rather by multiple well-organized groups wielding a variety of tools, according to Prolexic.

"A blend of attack scripts and different techniques used in each campaign is another pointer to the likelihood that multiple, well-organized groups or individuals were behind these attacks," said Prolexic president Stuart Scholly in an emailed statement. The company has also found that the compromised servers used by attackers appear to have been taken over--again, using a variety of different toolkits and techniques--as far back as May 2012, which further suggests that the attack participants were diverse, and the exploits well-organized.


Comments
MROBINSON000,
User Rank: Apprentice
10/19/2012 | 9:23:45 AM
re: U.S. Bank Hacks Expand; Regions Financial Hit
Panetta used the attacks on ICS (Industrial Control Systems) as a warning to the US business community that similar attacks are imminent. It is also a calling for US business to embrace stalled cyber security legislation that has been bouncing around the House and Senate over the past 2+ years.

Companies have been reluctant, fearing legal repercussions for non-compliance and/or sharing sensitive information. And for those companies which worry about not complying with what is a pretty low bar of cyber security best practices -- too bad! They should be doing that already. I've long supported this cyber security bill and continue to do so -- now more than ever. Here's another interesting article on this matter: http://blog.securityinnovation...
majenkins,
User Rank: Apprentice
10/15/2012 | 12:36:39 PM
re: U.S. Bank Hacks Expand; Regions Financial Hit
I guess you really don't care since it made sure I read your article and noticed a couple of your ads, but there is a bank in the USA called US Bank and your headline made it sound like this bank had been under attack for several days. This sort of poor headline wording could cause heart palpitations in people that are just returning to work from an 8 day, mostly disconnected, vacation in Florida.
caseyf5,
User Rank: Apprentice
10/12/2012 | 5:47:48 PM
re: U.S. Bank Hacks Expand; Regions Financial Hit
Hello everyone,

According to the statement "Capital One spokeswoman Pam Garardo said via email that on Oct. 9, Capital One experienced intermittent access to some online systems due to a denial-of-service attack. She emphasized that other bank channels--branches, call centers, ATMs, as well as its ING Direct and HSBC credit card websites--were not affected, and that no customer or account information had been exposed. 'Online servicing channels were fully restored within a few hours,' she said." I had a different experience. I could not get my online information or do anything until the next day. I received emails from the system but that was all that I could do electronically.
jries921,
User Rank: Apprentice
10/12/2012 | 5:37:27 PM
re: U.S. Bank Hacks Expand; Regions Financial Hit
I wonder if the film is the real reason, or if it's a pretext. They could, after all, make the very same attacks on the pretext that they're U.S. banks and the U.S. is the Great Satan. They could even do it on the grounds that, like all western banks, they charge interest on loans, which Islam teaches is sinful.
