DDoS: Citi Takes Post-Holiday Hit

Hacktivists Announce Plans for Year-End Bank Attacks

After hacktivists announced in a Christmas Day Pastebin post plans for a third week of bank attacks, Citigroup reported site interruptions Dec. 26 that struck during the late afternoon.


Citi spokesman Andrew Brent did not attribute the online-banking access issues to high volumes of traffic, as is typical in a distributed-denial-of-service attack, saying that the bank does not disclose details about IT infrastructure issues.

"Citi is experiencing interruptions in the availability of some of its websites," Brent said just after 7 p.m. ET Dec. 26. "We are actively working to resolve the situation as soon as possible. We apologize to customers for the inconvenience."

By 11 p.m. ET, the bank's sites were back up and fully accessible. "We worked to resolve the situation in a matter of hours and continue to monitor online activity," Brent said.

No specific targets were named in the hacktivists' Dec. 25 announcement of plans for another week of attacks, part of a second campaign of DDoS hits. But the hacktivist group Izz ad-Din al-Qassam Cyber Fighters did note that attacks will be widespread and of the same magnitude as attacks waged in previous weeks. Attacks will continue, the group says, until a YouTube video deemed by hacktivists to be offensive to Muslims is removed.

"American dominant authorities, without any attention to these protests and in a discriminatory manner, have done nothing to remove that offensive video," the Izz ad-Din al-Qassam post states. "All conscious and impartial people know that it is very easy for American rulers to remove the video, but apparently they are looking for something else behind this insult. ... We suggest that U.S. government and the banks should seek a logical and easy solution instead of spending big to deal with these attacks."

Banks' Defenses Improving?

Since Dec. 10, when Izz ad-Din al-Qassam Cyber Fighters announced its second wave of attacks, PNC Financial Services, U.S. Bancorp, Bank of America, Wells Fargo and BB&T have confirmed intermittent site issues related to large volumes of online traffic. The latest DDoS attacks, following a Dec. 17 warning from the hacktivist group, struck Dec. 20 and affected only PNC and Wells Fargo.

Online outages and site-access issues suffered by these targeted institutions have been less impactful than they were during the first campaign, which ran from mid-September to mid-October, experts say.

That weakened impact may be attributed to a mix of factors, experts say. Improved defenses, for example, could be playing a role, suggests financial fraud expert Avivah Litan of Gartner Research.

"Most banks' network teams are making rapid adjustments to the configurations of their networks, so they can better withstand these attacks," Litan says. "These adjustments are definitely helping for now."

Litan says fraud teams also are enhancing their strategies, "so more is automated and independent of staff attention, which is diverted during these attacks."

The Office of the Comptroller of the Currency on Dec. 21 issued a warning to banking institutions about DDoS diversions used to mask fraud. OCC spokesman Bill Grassano says the groups behind DDoS may shift tactics and targets, so banks must rely more heavily on information sharing with peers to ensure they know the patterns to watch.

"Banks need to have a heightened sense of awareness regarding these attacks and employ appropriate resources to identify and mitigate the associated risks," he says. "Preparations may include ensuring sufficient staffing for the duration of DDoS attacks in conjunction with pre-contracted third-party servicers that can assist in managing the Internet-based traffic flow."
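The OCC's point about DDoS as a diversion is a correlation problem for a fraud team: the transactions worth a second look are the ones that land while the site is under attack and staff are distracted. The following script is an added illustration, not code from the article, the OCC or any bank. It assumes a hypothetical mitigation-alert log with `ddos_start`/`ddos_end` events, a hypothetical transfer log with `acct`, `amount` and `new_payee` fields, and an arbitrary $5,000 threshold; all sample lines are constructed and the timestamps simply mirror the Dec. 26 outage window described above.

```python
"""
Correlate DDoS-mitigation alerts with outbound transfers so that high-value
payments to new payees made during (or just around) an attack window are
queued for review. Constructed sample data; hypothetical log formats.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class DdosWindow:
    start: datetime
    end: Optional[datetime]   # None = attack still ongoing (no ddos_end seen)


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    account: str
    amount_usd: float
    new_payee: bool           # payee first seen on this account


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed DDoS-mitigation alert log (hypothetical format).
DDOS_ALERTS = [
    "2012-12-26 16:40 ddos_start site=online-banking",
    "2012-12-26 23:00 ddos_end site=online-banking",
]

# Constructed transfer log (hypothetical format).
TRANSFERS = [
    "2012-12-26 15:10 acct=A100 amount=200.00 new_payee=0",
    "2012-12-26 17:05 acct=A100 amount=9500.00 new_payee=1",
    "2012-12-26 18:30 acct=B200 amount=150.00 new_payee=0",
    "2012-12-26 19:45 acct=C300 amount=12000.00 new_payee=1",
    "2012-12-27 09:00 acct=C300 amount=12000.00 new_payee=1",
]


def parse_windows(lines: List[str]) -> List[DdosWindow]:
    """Pair ddos_start/ddos_end events into windows; an unmatched start
    becomes an open-ended window so an ongoing attack is not ignored."""
    windows, open_start = [], None
    for line in lines:
        ts, event = parse_ts(line[:16]), line[17:].split()[0]
        if event == "ddos_start":
            open_start = ts
        elif event == "ddos_end" and open_start is not None:
            windows.append(DdosWindow(open_start, ts))
            open_start = None
    if open_start is not None:
        windows.append(DdosWindow(open_start, None))
    return windows


def parse_transfers(lines: List[str]) -> List[Transfer]:
    out = []
    for line in lines:
        kv = dict(field.split("=", 1) for field in line[17:].split())
        out.append(Transfer(parse_ts(line[:16]), kv["acct"],
                            float(kv["amount"]), kv["new_payee"] == "1"))
    return out


def in_window(ts: datetime, windows: List[DdosWindow],
              slack: timedelta = timedelta(hours=1)) -> bool:
    """True if ts falls inside any DDoS window, padded by `slack` on each
    side: fraud timed to an attack need not line up with the traffic peak."""
    for w in windows:
        lo = w.start - slack
        hi = None if w.end is None else w.end + slack
        if ts >= lo and (hi is None or ts <= hi):
            return True
    return False


def flag_transfers(transfers: List[Transfer], windows: List[DdosWindow],
                   amount_threshold: float = 5000.0) -> List[Transfer]:
    """Transfers that are large, go to a new payee, and occur during an attack.
    Each condition alone is normal; the conjunction is what merits review."""
    return [t for t in transfers
            if t.amount_usd >= amount_threshold and t.new_payee
            and in_window(t.ts, windows)]


if __name__ == "__main__":
    wins = parse_windows(DDOS_ALERTS)
    for t in flag_transfers(parse_transfers(TRANSFERS), wins):
        print(f"REVIEW {t.ts:%Y-%m-%d %H:%M} {t.account} ${t.amount_usd:,.2f}")
```

With the constructed data, the $9,500 and $12,000 transfers on Dec. 26 are flagged because they fall inside the padded attack window, while the identical $12,000 transfer the next morning is not; the one-hour padding and the threshold are tuning knobs a fraud team would set from its own baselines, and the review queue is the output that the peer-shared attack patterns the OCC describes would feed into.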

On Dec. 10, Izz ad-Din al-Qassam identified BofA, JPMorgan Chase, PNC, U.S. Bancorp and SunTrust Banks as the primary targets for its second DDoS campaign (see 5 Banks Targeted for New DDoS Attacks).

Until then, attacks had subsided since the first wave, which targeted those five banks, as well as Wells Fargo, Regions Bank, HSBC Holdings, BB&T Corp. and Capital One.

DDoS expert John Walker, who also serves as the chairman of ISACA's Security Advisory Group in London, says the sporadic nature of the attacks is intentional. Hacktivists don't want to be too predictable, he says.

Walker also says he's not convinced that banks have made many improvements in their abilities to deflect DDoS attacks. The most recent attacks have had less of an impact than earlier ones, he says, not because of improved defenses but because traffic associated with the most recent attacks has been lower.

"What we are seeing this year is just a tip in the ocean of what is planned for 2013," Walker says. "Are banks getting better at defending against DDoS? Possibly, yes. But they can only hold the water back so long."