More DDoS Attacks on the Way?

Hacktivists Claim Three Banks Recently Hit

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters is claiming it waged online attacks against three banks last week. And it's yet again warning of more distributed denial-of-service (DDoS) attacks to come.

In a Jan. 22 posting on the open forum Pastebin, the group claimed it attacked PNC Financial Services Group, Fifth Third Bank and JPMorgan Chase & Co. last week.

"We have repeatedly stated that removal of the offensive video, Innocence of Muslims, from YouTube is the simplest solution to stop the cyber-attacks," the hacktivists state. "You want to continue playing the game, yes?"

In a Jan. 8 post, Izz ad-Din al-Qassam Cyber Fighters suggested its attacks would be waged for 56 additional weeks, based on a series of numerical sequences developed from tallied likes and dislikes associated with the YouTube video, which it claims is offensive to Muslims. But in its most recent post, the group says the attacks could continue even longer, based on updated totals of those likes and dislikes. And the group contends that each minute of a DDoS attack is costing U.S. banks $30,000.

Length of Attacks Concerning

The DDoS attacks have plagued U.S. banks since mid-September, when the hacktivists' first campaign struck. But experts say banking institutions have improved their efforts to stave off online outages in the second DDoS campaign, which began in mid-December (see Are Banks Winning the DDoS Battle?).

So far, the hacktivist group has claimed attacks against PNC, BB&T Corp., Fifth Third, Bank of America, Chase, Citigroup, Wells Fargo, U.S. Bancorp, CapitalOne, HSBC, Ally Bank, SunTrust Banks, Regions Financial Corp. and Zions Bancorp.

In recent weeks, most of those institutions have either declined to comment about strikes against their sites or have suggested the increased traffic has minimally affected their customers.

Banks Improving Defenses

Keynote Systems Inc., an Internet and mobile cloud testing and monitoring firm that tracks online traffic, reported Jan. 17 that outages affecting U.S. banking websites have declined in recent weeks. Keynote tracks site availability statistics for all leading U.S. financial institutions and other companies across numerous industries.

Ben Rushlo, Keynote's director of performance management, told BankInfoSecurity that banks have done a better job of maintaining site availability. Since mid-December, the banks' average site availability rate has been 97.21 percent. By comparison, during the first campaign, the average availability rate was 94.86 percent.

But how long banks can maintain their defenses is uncertain.

Dan Holden, director of the security engineering research team for DDoS-prevention provider Arbor Networks, says the longevity of the attacks suggests Izz ad-Din al-Qassam is not acting alone. "Even if it is hacktivism, there is some serious backing of it, mainly because of the investment it takes to keep it going," he says.

That kind of financial backing is concerning, Holden adds, because it means the attacks could go on indefinitely. And the longer the attacks run, the bigger the botnet grows.

"They are taking over more servers and launching their attacks from more places," Holden says. "The longer the campaign goes on, and more cleanup effort that is occurring, the more the attackers are working to be out in front."

Some observers have speculated that Iran is backing the DDoS strikes against banks as payback for cyberespionage attacks, such as Stuxnet, Flame and Duqu, that have over the last three years affected Iranian computer systems. But others, like Holden, aren't so sure. "We've seen no proof that these attacks are backed by Iran," Holden says, and the highly publicized nature of these attacks is not typical of cyberwar activity. "Look at Stuxnet and Flame," he says. "Those were never supposed to be discovered."
