Hacktivists Suspend DDoS Attacks

Group Says No New Hits Against Banks Planned

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters announced Jan. 29 that it is suspending its second campaign of distributed-denial-of-service attacks against U.S. financial institutions.

See Also: Move Beyond Passwords

In a post on the open forum Pastebin, the group says it's suspending attacks because YouTube has partially removed a film it deemed offensive to Muslims. Izz ad-Din al-Qassam has repeatedly claimed the offensive YouTube video was the catalyst for the attacks against U.S. banks.

"Well, after a while a little bit of rationalism was seen and the main copy of the insulting movie was removed from YouTube," the group states in its post. "The al-Qassam cyber fighters lauds this positive measure of YouTube and on this basis suspends this operation and plans to give a time to Google and U.S. government to remove the other copies of film as well. During the suspension of Operation Ababil, no attack to U.S. banks would take place by al-Qassam cyber fighters."

The post goes on to state that YouTube's removal of some of the film's copies "is a clear indication of progress" and "a humanitarian effort."

"All of us - al-Qassam group, U.S. government, and even YouTube and Google's managers - carrying on such a wise action - have contributed to this victory and progress," the post states.

Izz ad-Din al-Qassam Cyber Fighters claims it had planned attacks against 10 banks starting Jan. 29, the eighth week of attacks to be waged during this second DDoS campaign, which began in mid-December. Those plans have been canceled, the group now says.

Smaller Recent Targets

Last week, the hacktivists shifted their targets, and took aim at smaller institutions - a fact noted in the Jan. 29 Pastebin post and verified by other industry sources.

Among the institutions targeted last week, according to the Pastebin post, were: Wells Fargo & Co., Bank of America, Bank of the West, BB&T Bankcorp, Spanish banking group BBVA, Capital One, Citibank, RBS Citizens Financial Group Inc. [dba Citizens Bank], Comerica Bank, Fifth Third Bank, First Citizens Bank, Harris Bank, Huntington Bank, JPMorgan Chase & Co., Key Bank, M&T Bancorp, Patelco Credit Union, People's United Bank, PNC Financial Services Group, Regions Financial Corp., Synovus Financial Corp., UMB Bank, Upqua Bank, Union Bank, University Federal Credit Union and Zions Bank.

One banking executive, who asked not to be named, says the attacks last week proved the group was casting a wider DDoS net, proving smaller institutions need to enhance their defenses.

"The fact that they went downstream to target some of these smaller institutions is what stands out," the executive says. "All of the banks that I talked to said the same thing. These hits were big enough to be an annoyance, but small enough to be manageable."

The hacktivist group had previously pre-announced plans to strike specific institutions through posts on Pastebin. But the institutions targeted in most of the recent attacks, including those waged last week, were not named in advance.

Institutions' Response

Although several community and mid-tier institutions were hit by DDoS last week, only Huntington Bank, UMB, Key Bank and Comerica responded to BankInfoSecurity's request for details about DDoS attacks or abnormal volumes of traffic.

Huntington Bank spokeswoman Maureen Brown on Jan. 28 said the bank suffered intermittent site issues last week, and some customers have continued to experience trouble accessing the site.

"Huntington, like many other U.S. banks, is periodically experiencing high-volume electronic traffic that may temporarily affect online banking access for some customers," Brown said. "We encourage customers who have difficulty logging onto online banking or accessing the website on the first attempt to try again later. We are taking appropriate action to address the issue."

UMB spokeswoman Kelli Christman acknowledged on Jan. 28 that the institution's online-banking site, along with other U.S. institutions' sites, suffered intermittent access issues last week that the bank linked to DDoS. So far this week, the issues have subsided, she said.

"At no time was any customer information or data compromised during the outage," she added. "Our transactional systems were unaffected, and we were able to restore service within a few hours. Our customers' privacy and security is of utmost importance to us, and we will continue to monitor the situation to ensure minimal disruption going forward."

Key Bank also confirmed on Jan. 28 it had site issues last week, again linked to DDoS. But spokeswoman Lynne Woodman stressed that the disruptions, which have not been affecting the site this week, were minimal.

"At no time were our systems down or compromised. The issue was strictly one of access, which was hampered by all the bogus messages trying to clog our access channels," she said.

And Wayne Mielke, spokesman for Comerica, did not comment about whether the bank's site took a DDoS hit, but he confirmed that Comerica was enhancing its online defenses. "We are well aware of recent cyber-attacks against banks and, as a result, have stepped-up our defense and monitoring systems to respond to current and potential threats," he said.

Though BankInfoSecurity did not receive comments or confirmations from other targets named in the Pastebin post, Ben Rushlo, director of performance management for online-performance tracking company Keynote Systems Inc., says CapOne, Citizens Bank, HSBC, Regions and Barclay Card, which was not listed, all suffered from "major" online access issues last week. Keynote does not track or investigate the causes behind site outages and inaccessibility issues, Rushlo says (see Are Banks Winning the DDoS Battle?).

Attacks Connected

The banking executive, who asked to remain anonymous, says there is little doubt the most recent attacks were waged by the same group that has been targeting leading institutions since the fall. "The [traffic] patterns looked very similar," the executive, whose institution was affected last week, says.

The recent attacks were smaller, with traffic just more than 1 gigabyte, the executive says. Comparatively, attacks waged during the first campaign, which ran from mid-September to mid-October, were approximately 100 gigabytes. "These were dumbed-down attacks, by comparison," the executive notes. "These newest attacks were just brute force to overwhelm the institutions' resources. Once they were stopped, they went away."

Thus, the most recent attacks were not too damaging, the executive says. "It looked like everybody got hit hard for about an hour, so some things were unavailable for a short period. But the attack on any institution lasted less than three hours. This was about intermittent issues versus a wholesale outage."

Other institutions that have been targeted since the DDoS attacks began in mid-September include Ally Bank, Citigroup, SunTrust Banks and U.S. Bancorp.