Regions Financial, Capital One, SunTrust Hit In Latest Round of Bank DDoS Attacks

The distributed denial of service attacks against financial institutions continue, with Capital One, SunTrust, and Regions Financial being the latest victims.

Capital One Financial Corp was targeted on Tuesday in the latest round of coordinated attacks to disrupt the Websites belonging to major U.S. financial institutions, a spokesperson said in a statement. SunTrust was hit by a DDoS attack on Wednesday. As of Thursday afternoon, SecurityWeek was unable to access Regions Financial.

According to statistics and reports collected by the site IsItDownRightNow.com, Regions has been down since about 1 PM Eastern Thursday.

"We are experiencing an Internet service disruption that is intermittently impacting our customers’ ability to access our website or use our online banking service. We are working quickly to resolve this issue and regret any inconvenience customers may be experiencing," Evelyn Mitchell, a spokesperson for Regions bank, told SecurityWeek.

The latest attacks are part of a three-week campaign that began in late September and has already disrupted operations at Bank of America, JPMorgan Chase, Wells Fargo, PNC, and U.S. Bank. Counting Capital One, SunTrust, and Regions, the attackers have targeted eight U.S. financial institutions by flooding banking Websites with higher than normal traffic volumes. The online group Izz ad-Din Al-Qassam has taken credit for the attacks.

"Tuesday 10/9/2012 : attack to Capital One Financial Corp site, capitalone.com. Wednesday 10/10/2012: attack to SunTrust Banks, Inc, suntrust.com. Thursday 10/11/2012 : attack to Regions Financial Corp site, regions.com," the group had warned online earlier this week.

Security experts have not linked the attacks to specific individuals yet.

Capital One's Website was also unavailable for a period of time on Tuesday, but SunTrust's Website managed to stay online during the attack period, according to IsItDownRightNow.com. It's not clear whether the attacks were less powerful against SunTrust or whether the bank had prepared well enough for the online onslaught beforehand. SunTrust declined to comment on the attacks.

“At this point, we have no reason to believe that customer and account information is at risk,” Capital One had said in an earlier statement to Businessweek regarding the incident.

Regions had also told Businessweek earlier this week that it was taking measures to protect itself from the attack. “We are aware that the group claiming responsibility for these attacks has identified Regions as one of its targets," a spokesperson said, adding, “We take online security seriously and are taking every measure to protect the company and our customers.”

As SecurityWeek reported previously, the perpetrators appear to be using the 'itsoknoproblembro' toolkit to launch these attacks. Instead of a client-side botnet, the DDoS attacks appear to be taking advantage of compromised commercial servers in various data centers, according to an analysis by Radware. Taking over Web servers means the attackers have a "higher view" of the Internet, and gives them more bandwidth and processing power to launch more devastating attacks with fewer machines.

These are very different from previous DDoS attacks that hacktivist groups have launched over the past year as they are using much more sophisticated techniques, Carl Herberger, vice president of security solutions at Radware, told SecurityWeek last week. The attacks are also flooding Websites with encrypted data that can bypass the targeted institution's firewalls, IPS, antivirus, and other security mechanisms, Herberger said.

The fact that attackers are using encrypted data to bypass security mechanisms could make these attacks the "first public example of an advanced evasion technique (AET) attack targeting a financial institution," Phil Lerner, vice president of technology at Stonesoft, told SecurityWeek. AET is "especially dangerous" for the financial sector as extremely sensitive information is at stake, Lerner said.

Many AET attacks leave no trace in monitoring systems, logs, or other reporting tools, making them even more difficult to detect while they are occurring or after the fact. This makes it even more critical that financial institutions focus on a multi-layered defense, Lerner said. Each strategy must include telemetry at the network edge for flow-based visibility, as well as anomaly detection to look for unusual patterns.
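As an added example (not code from the article, Radware, or Stonesoft), here is a flow-based anomaly check of the kind Lerner describes: it uses only flow metadata, so it is indifferent to the encrypted payloads noted above, and it flags a one-minute window whose byte volume or distinct-source count jumps well above a robust baseline for the same destination. The flow records and the 203.0.113.10 server address are constructed placeholders.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records (timestamp_sec, src_ip, dst_ip, bytes); the
# destination is a placeholder web-server address, not a real bank host.
# Minutes 0-4 are a quiet baseline; minute 5 is a distributed flood.
FLOWS = []
for minute in range(5):
    for i in range(20):
        FLOWS.append((minute * 60 + i, f"198.51.100.{i}", "203.0.113.10", 1500))
for i in range(400):
    FLOWS.append((300 + i % 60, f"192.0.2.{i % 254}", "203.0.113.10", 1500))


def aggregate(flows, window=60):
    """Per (window, dst): (total bytes, number of distinct sources).
    Only flow metadata is used, so encrypted payloads do not matter."""
    total = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, dst, nbytes in flows:
        key = (ts // window, dst)
        total[key] += nbytes
        sources[key].add(src)
    return {k: (total[k], len(sources[k])) for k in total}


def detect(flows, window=60, baseline_windows=5, k=5.0):
    """Flag a window whose byte volume or distinct-source count exceeds
    median + k*MAD of the preceding baseline windows for that destination.
    Returns (window_index, dst, metric, observed_value) tuples."""
    by_dst = defaultdict(dict)
    for (w, dst), stats in aggregate(flows, window).items():
        by_dst[dst][w] = stats
    alerts = []
    for dst, per_window in by_dst.items():
        windows = sorted(per_window)
        for idx in range(baseline_windows, len(windows)):
            hist = [per_window[w] for w in windows[idx - baseline_windows:idx]]
            cur = per_window[windows[idx]]
            for pos, metric in ((0, "bytes"), (1, "sources")):
                vals = [h[pos] for h in hist]
                med = median(vals)
                mad = median(abs(v - med) for v in vals) or 1.0  # floor for flat baselines
                if cur[pos] > med + k * mad:
                    alerts.append((windows[idx], dst, metric, cur[pos]))
    return alerts
```

The distinct-source metric is what separates a distributed flood from a single noisy client; in production the baseline would come from days of history rather than five quiet minutes.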

Active content that automatically invokes actions or triggers a response within a system can be a "potential death knell for the integrity" of the network, Lerner said. Institutions have to protect against such triggered behaviors as well as implement strong authentication, authorization, and accounting.

"Digital and network forensics are particularly essential for dealing with DDoS in the financial sector. Both serve to provide added visibility, remediation and legal response capabilities. Lacking either process opens your financial enterprise to additional legal ramifications and a higher risk of repeated attacks," Lerner said.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.