Incapsula Uncovers Botnet Used in Bank DDoS Attacks

Cloud-based web security and infrastructure provider Incapsula says it identified a botnet that it believes was used in distributed denial of service (DDoS) attacks against US financial institutions last year.

It all started when Incapsula’s security team detected an abnormal number of security events involving a new client’s website, according to the company’s blog. When Incapsula intercepted the traffic, it discovered numerous requests carrying an encoded PHP code payload that operated a backdoor to the client’s site.

The attackers were using the backdoor to turn the small UK-based general-interest website into a bot taking part in a DDoS attack, Incapsula found. The site was receiving instructions to launch HTTP and UDP DDoS flood attacks against several U.S. banks, including PNC, HSBC and Fifth Third Bank.

Since Incapsula blocked the requests, it was difficult to gauge the scope of damage, but it was “safe to assume that it would be enough to seriously harm an average medium-sized Website,” Incapsula said.

Attackers prefer Web servers over personal computers to launch stronger DDoS campaigns, as the servers are generally stronger machines with access to higher bandwidth, Incapsula said. Last fall, Radware first identified a DDoS toolkit that was being used to compromise servers in data centers to launch attacks against banks. In this attack, the PHP code was designed to multiply itself to take advantage of the full capacity available on the server.

“It was potentially capable of producing much more traffic volume than a regular ‘old school’ botnet zombie,” Incapsula said.

Attackers were able to access these Web servers “through a security loophole in one of the sites,” Incapsula said. In this incident, it appears the general-interest site was already compromised before signing up for Incapsula’s services. The security team determined the site was breached because the administrator credentials were too simple: admin/admin.

“This is just another demonstration of how security in the Internet is always determined by the weakest link,” Incapsula said.

The command-and-control server for this botnet turned out to be a Turkish e-commerce website. It appeared that much like the UK-site, this e-commerce site was also compromised by the attacker, whose location remains unknown.

“Simply neglecting to manage the administrative password in a small site in the UK can very quickly be exploited by botnet shepherds operating obscurely out of Turkey to hurl large amounts of traffic at American banks,” Incapsula said.

The attack instructions were precisely timed and limited to periods that varied from 7 minutes to an hour, Incapsula found. The bots were working in “shifts” to maximize their efficiency, according to Incapsula. A bot would renew the attack just as the target started to recover. Sometimes the site received instructions to attack other, unrelated commercial and e-commerce sites, making it likely this was a “botnet for hire,” the company said.

A hacking group called Izz ad-Din al-Qassam had claimed responsibility for the wave of DDoS attacks which successfully disrupted operations for major banks such as Bank of America, JPMorganChase, PNC Bank, and HSBC late last year. During the course of the attacks, customers were unable to perform any online banking tasks.

While the banks have said the outages affected only the sites and that user accounts were not compromised, that appears to not be the case. “These DDoS attacks have in fact led to or been associated with fraud and customer account takeover,” said Gartner’s Avivah Litan.

The Office of the Comptroller of the Currency also acknowledged the attacks and issued a warning. The alert, issued by the nation’s banking regulator in December and addressed to the heads of national banks, federal branches and agencies, technology service providers, and other related organizations, warned about the wave of DDoS attacks against banking websites.

“Each of these groups had different objectives for conducting these attacks, ranging from garnering public attention to diverting bank resources while simultaneous online attacks were underway and intended to enable fraud or steal proprietary information,” the alert said.
