Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Bank Site Attacks Trigger Ongoing Outages, Customer Anger

Who's really behind the recent bank DDoS attacks? They are more diverse and powerful than previously seen hacktivist campaigns, security experts say.

Over the past two weeks, the websites of multiple financial institutions--including Bank of America, JPMorgan Chase, PNC, U.S. Bank, and Wells Fargo--have been targeted by attackers, leading to their websites being disrupted. Furthermore, some banks appear to still be suffering related outages.

That's led more than 1,000 customers of those institutions to file related complaints with Site Down, a website that tracks outages. Customers have reported being unable to their access checking, savings, and mortgage accounts, as well as bill-paying and other services, via the affected banks' websites and mobile applications.

Many of the banks' customers have also criticized their financial institutions for not clearly detailing what was happening, or what the banks were doing about it. "It was probably the least impressive corporate presentation of bad news I've ever seen," Paul Downs, a small-business owner in Bridgeport, Pa., told The New York Times, where he's also a small-business blogger.

A hacktivist group calling itself the Cyber fighters of Izz ad-din Al qassam has taken credit for the attacks, which it's dubbed Operation Ababil, meaning "swarm" in Arabic. It said the attacks are meant to disrupt U.S. banking operations in retaliation for the release of the Innocence of Muslims film that mocks the founder of Islam.

[ Learn how Iran is reacting to that controversial movie, released on YouTube. See Iran Removes Gmail Block. ]

Some of the attacked banks' websites still appear to be experiencing outages, but Dan Holden, director of security for the Arbor Security Engineering and Response Team, said he's seen no signs that any active attacks are currently underway. "Obviously, we're only one day into the week, but we didn't see anything yesterday, and while [the Cyber fighters of Izz ad-din Al qassam] said in the previous post that they'd be working over the weekend, there haven't been any new posts stating that they'd be doing new attacks," he said.

Tuesday, however, multiple Wells Fargo customers were still reporting that they were having trouble accessing the bank's website, or getting it to respond after they'd logged in. "Day 8, still can't get in with Safari or Firefox ... getting old. I have a business to run here," said an anonymous poster to Site Down. "This is getting old," said another.

Asked to comment on reports that the bank's website was continuing to experience outages, a spokeswoman for Wells Fargo repeated a statement released last week, saying via email that "customers can access their accounts through the online and mobile channels."

Multiple Bank of America customers Tuesday also reported problems with the bank's website, with some people saying they'd been experiencing disruptions for 10 days or more. "I agree ... with all the other comments about this problem of being unable to go on line. What in the world is going on--get it fixed!" said an anonymous user Sunday on the Site Down website. But Bank of America spokesman Mark T. Pipitone said via email that the bank's website has been working normally since last Tuesday, and suggested that the scale of any reported website problems was within normal parameters. "We service 30 million online banking customers," he said. "Our online banking services have been, and continue to be, fully functional."

Given attackers' advance warning that they planned to take down the banking websites--which suggested that they'd launch distributed denial-of-service (DDoS) attacks, why didn't banks simply block the attacks? As one PNC customer said in an online forum, "Come on PNC! Never heard of content delivery networks to make these attacks more difficult?? ... Please invest in a more capable network security team and take care of your customers!"

But Arbor's Holden, speaking by phone, said that the attackers had used multiple DDoS tools and attack types--including TCP/IP flood, UDP flood, as well as HTTP and HTTPS application attacks--together with servers sporting "massive bandwidth capacity." So while the attacks weren't sophisticated, they succeeded by blending variety and scale.

Given the massive bandwidth used in the attacks, were they really launched by hacktivists, which is what the attackers have claimed they are? Former U.S. government officials, speaking anonymously to various media outlets, have instead directly accused Iran of launching the attacks. Regardless of whether Iran is involved, Holden said that the bank attacks don't resemble previously seen hacktivist attacks, which typically involved botnets of endpoint-infected PCs, or people who opted in to the attack, for example by using the Low Orbit Ion Canon JavaScript DDoS tool from Anonymous.

"With Anonymous ... you'd see those people coming together and launching an attack with a given tool," Holden said. "With this, yes, you're seeing multiple types of attacks, multiple tools, and while blended attacks are common, they're not so common with classic hacktivism, or hacktivism that we've witnessed in the past."

In other words, "we don't know whether it's hacktivism or whether it's not," said Holden. "There's nothing really backing up the advertisement that this was a bunch of angry people. If it is, it's people who have gone out with a particular skill set, or hired someone with a particular skill set, to launch these particular attacks." But whoever's involved in these attacks has quite a lot of knowledge related to the art of launching effective DDoS website takedowns, and has access to high-bandwidth servers, which they've either compromised, rented, or been granted access to.

Interestingly, the attackers do appear to have taken a page from the Anonymous attack playbook. "We don't have all the information about which specific techniques have been used against the U.S. banks so far, but the 'Izz ad-Din al-Qassam Cyber Fighters' scripts are based on the JS LOIC scripts used by Anonymous as well," said Jaime Blasco, AlienVault's lab manager, via email.

But like Holden, Blasco said that the bank website attackers had used much more than just JavaScript. "The number of queries/traffic you need to generate to affect the infrastructure of those targets is very high," he said. "To affect those targets, you need thousands of machines generating traffic, and ... other types of DDoS."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
banklook
50%
50%
banklook,
User Rank: Apprentice
10/8/2012 | 9:54:49 PM
re: Bank Site Attacks Trigger Ongoing Outages, Customer Anger
@Moarsauce: you're generally right, except banks are each different, some work harder than others. For example, tdbank.com and everbank.com score higher CloudPower scores than any of the banks affected during the attacks last week. Banks are generally old-fashioned and are sort of late to the 'let's do this online' party. You can see yourself at banklook.com.

-Eric
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
10/6/2012 | 1:48:46 PM
re: Bank Site Attacks Trigger Ongoing Outages, Customer Anger
Welcome to the cloud. This is the sole reason why I don't bank with online only banks. The customers of the affected banks at least have an option to find a branch office and do business there, although it is less convenient. Try that with ING Direct or others. As a customer should I drive to the data center and start talking to the server?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4719
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
CVE-2020-15604
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-24560
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...