
U.S. Banks Back Under DDoS Fire

After a hiatus of less than six weeks, attackers have resumed their distributed denial-of-service (DDoS) attacks against U.S. financial institutions.

Last week, the cyber-group calling itself Izz ad-Din al-Qassam Cyber Fighters threatened to launch a new wave of attacks against banks this week. "During running Operation Ababil Phase 3, like previous phases, a number of American banks will be hit by denial-of-service attacks three days a week on Tuesday, Wednesday, and Thursday during working hours," according to a post on text-sharing site Pastebin.

The warning came after a series of attacks targeted Bank of America, PNC Bank, CapitalOne, Zions bank, 5/3, Inionbank, Comerica, Citizenbank, Peoples, UFCU, Patelco, "and others," on Feb. 25. Yesterday and today, customers of PNC Bank, Wells Fargo, Citibank, Bank of America, and a number of other banks reported being unable to access their bank Websites and online banking pages, according to information compiled by sitedown.co.

While the attackers initially targeted some of the largest financial institutions in the U.S., mid-tier institutions, community banks, and credit unions were also targeted in late January.

The same group had claimed responsibility for the earlier round of DDoS attacks that targeted U.S. banks in the second half of last year. Those attacks had been unprecedented in size, sending upwards of 80 Gb/sec to 100 Gb/sec of traffic against the banking infrastructure; before that, attacks typically topped out at 10 Gb/sec. The attackers had also combined multiple attack techniques, making it harder for defenders to filter out the malicious traffic.

Financial institutions need to take the attacks seriously and step up their defenses against this new class of attacks, Marty Meyer, president of Corero Network Security, told SecurityWeek. DDoS attacks are no longer just simple flooding attacks; attackers are increasingly targeting the application layer and consuming server resources, Meyer said.

Radware researchers discovered back in October that the attackers were using automated toolkits such as itsoknoproblembro to launch their attacks. Researchers also identified a handful of Web servers the attackers had compromised and were using to launch high-volume attacks. The compromised Web servers gave the attackers a large bandwidth pipe with which to overwhelm target sites.

In a report released late January, Gartner analyst Avivah Litan forecast that 25 percent of all DDoS attacks will target the application layer. Application-layer attacks are generally more complicated and harder to defend against than typical flooding attacks.

"A new class of damaging DDoS attacks and devious criminal social-engineering ploys were launched against U.S. banks in the second half of 2012, and this will continue in 2013 as well-organized criminal activity takes advantage of weaknesses in people, processes and systems," Litan said back in January when the report was released.

All the financial institutions hit in the previous wave of attacks claimed customer data was not impacted and no fraudulent activity had been detected. As soon as the attacks ended, the sites were back online without any further issues.

The fact that the same banks were hit in each wave and are still being affected shows that financial institutions are still trying to catch up and figure out how to defend their networks from these kinds of attacks, Meyer said. Even the attackers may be a little surprised that their campaigns continue to work, Meyer said.

The National Credit Union Administration (NCUA) issued an alert on Feb. 21 that warned financial institutions that DDoS attacks are often used to distract IT teams so that fraudulent transactions or theft of customer information go unnoticed. The NCUA recommended that institutions conduct ongoing assessments and add DDoS mitigation strategies to their incident response programs. Bank of the West was hit by a different DDoS attack in December, during which over $900,000 was drained from an account, according to a report by Brian Krebs on Krebs on Security.

"Credit unions should voluntarily file a Suspicious Activity Report if an attack impacts Internet service delivery, enables fraud, or compromises member information," the NCUA said in its alert.

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.