Security Experts:

New DDoS Attacks Slam US Banks, Attackers Say Worst Is Yet To Come

After an almost one-month hiatus, five U.S.-based banks, U.S. Bancorp, JPMorgan Chase, Bank of America, PNC Financial Services Group, and SunTrust, are again being targeted for a series of denial of service (DoS) attacks.

In a Pastebin message posted on Monday, a hacker group called Izz ad-Din al-Qassam Cyber Fighters warned it would launch a series of distributed denial of service (DDoS) attacks against U.S. financial institutions this week, and named U.S. Bancorp, JPMorgan Chase, Bank of America, PNC, and SunTrust as its targets. Users started reporting problems accessing banking websites Tuesday evening, and some sites were still intermittently inaccessible on Wednesday afternoon.

Bank DDoS AttacksUsers started reporting Bank of America's Website was not loading beginning Tuesday morning, till about 3pm Eastern Wednesday, according to Sitedown.co. The site websitedown.com reported intermittent outages at SunTrust's site around noon on Tuesday. PNC took to Facebook and Twitter to keep customers informed of the attacks.

"PNC and other banks have experienced an unusual volume of internet traffic. As a result, some customers may experience slowness or difficulty when logging into online and mobile banking. We are working to resolve this issue as quickly as possible. Please continue to follow our page for additional updates. We apologize for the inconvenience and appreciate your patience," PNC posted on its Facebook page Tuesday evening.

Customers were still reporting issues late Wednesday afternoon, but the site seemed to returning to normal by the evening. There were no outage reports on Sitedown.co for US Bank, JPMorganChase or Suntrust as of this time.

"This new wave of attacks just picks up right where they left off," Stephen Gates, technology evangelist at Corero Network Security, told SecurityWeek.

The attackers are showing no signs of backing down, and—by publicly declaring their targets—are apparently becoming more emboldened, Gates said.  In the Pastebin message, the group promised even more severe attacks.

“In [the] new phase, the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks,” the group wrote.

Cyber AttacksThe attacks are evolving from high volume flood assaults to intricate application layer attacks, Gates said.

The group claimed responsibility for the first wave of attacks which affected ten financial institutions back in September and October. HSBC, Ally, BB&T, Wells Fargo and Capital One were also hit in the initial attacks but appear to not be targeted in the latest round.  All five banks in the current attacks were also targeted in the first series. An analysis by Radware found that the group was using compromised servers to launch DDoS attacks. Since servers in data centers generally have bigger bandwidth, the attacks were large enough to overwhelm network defenses.

The fact that some of the banks took to social media to warn customers about potential attacks this time around was "a sure sign that these hacktivists are beginning to hit a nerve," Gates said.

DDoS attacks are getting larger and more serious, to the point where Arbor Networks last month speculated about the possibility of a "DDoS Armageddon"—a distributed denial of service attack so big that it would take down the entire Internet. While many security experts dismissed the possibility as being highly unlikely, they acknowledged that the current waves of attacks are lasting longer and causing more damage. The first wave of attacks against the banks reached 100 Gbps, where just 5 to 10 Gbps is usually enough to take a site down, Jason Lewis, chief scientist at Lookingglass Cyber Solutions, said.

"DDoS attacks have the power to take down organizations for long amounts of time," Ziv Gadot, senior security analyst for Radware, told SecurityWeek at the time.

"Financial institutions must up their game," Gates said.

Related: Sophisticated DDoS Toolkit Used in Recent Bank Cyber Attacks

Related: Cyberattack Capable of Downing Entire Internet Is Unlikely  

Related: Hackers' Threatened Internet Shutdown Unlikely to Work

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.