On March 28, American Express' website went offline for at least two hours during a distributed denial of service attack. A group calling itself "the cyber-fighters of Izz ad-Din al-Qassam" claimed responsibility for the attack, which began at about 3:00pm Eastern Time.

In a statement, an American Express spokesperson said, "Our site experienced a distributed-denial-of-service (DDoS) attack for about two hours on Thursday afternoon...We experienced intermittent slowing on our website that would have disrupted customers' ability to access their account information. We had a plan in place to defend against a potential attack and have taken steps to minimize ongoing customer impact."

The American Express DDoS is part of a new wave of attacks started two weeks ago by the Izz ad-Din al-Qassam group, which launched a larger campaign targeting US financial institutions that began last September. The group's alleged goal is to force the take-down of an offensive YouTube video—or extract an ongoing price from American banks as long as the video stays up, which could be indefinitely.

These attacks are also part of a larger trend of disruptive and destructive attacks on financial institutions by apparently politically motivated groups, the most damaging of which was the attack on South Korean banks and other companies last week. It's a trend that has surprised some security analysts, considering that the financial industry has focused more on advanced persistent threat (APT) attacks and cyber-espionage in recent years.

Band of the Hand

Named after a Muslim cleric who led The Black Hand, an anti-British and anti-Zionist jihadist organization in the 1920s and 1930s, and sharing a name with the military wing of Hamas (which the group's statements claim it is tied to), Izz ad-Din al-Qassam has taken credit for a variety of attacks on US financial institutions over the past year, all allegedly in protest against the posting of trailers for the film The Innocence of Muslims on YouTube. Until the film is removed, the group said it would target "properties of American-Zionist Capitalists…This attack will continue till the Erasing of that nasty movie." [sic]

Unlike DDoS attacks waged by Anonymous in the past, the Izz ad-Din al-Qassam group has used scripts running on compromised Web servers to launch their attacks rather than "volunteer" desktop PCs or botnets of compromised Windows machines. That allows attacks to leverage larger amounts of available bandwidth.

So far, there have been three distinct phases of the group's attacks. Dan Holden, director of Arbor Networks’ Security Engineering & Response Team, told Ars in a phone interview that the previous two waves lasted between three and four weeks, with the group then taking a break—likely to do the work required to maintain their botnet of compromised servers and add to it as their existing bots are discovered and disabled.

And during the course of each attack phase, the group has been refining its attacks, as Ars' Dan Goodin reported earlier this year. In January, security firm Incapsula found a new variant of the group's attack tools, which spawned additional copies of itself on compromised servers to multiply the size of attacks.

There have been further refinements made to this approach in this latest wave, Holden said. "The biggest change is the maintenance and the growth in the botnet," he explained. "There has been a big investment on their part to keep the campaign growing. And they've added some twists and techniques to their tools as time goes on, focusing their attacks more on the particular applications of the banks they're targeting. Now there are particular tools being used for a specific set of banks."

That refinement is the result of months of analyzing the websites of the banks that Izz ad-Din al-Qassam has targeted. Holden said that during its past large-scale attacks the group also crawled the websites of its targets and used the intelligence collected during the attacks to learn more about their weaknesses.

Covering fire

While the Izz ad-Din al-Qassam group's attacks are apparently purely to disrupt banks' ability to do business, there is some concern that such denial-of-service attacks could be used as a cover for fraud activity by criminals operating botnets or using targeted attacks on banks to gain access to internal systems.

"Financial institutions are putting a lot of resources into countering DoS attacks," said George Tubin, senior security strategist at Trusteer, a firm that specializes in countering online financial fraud. "But what we have seen in the past is the use of DoS attacks to conceal a fraud attack. They create the perfect cover." While the banks' security resources are focused on trying to counter the DoS attack, he said, criminals could use other vectors to gain access to accounts and perform transactions in the background before they can be detected.

That's not to say that there's necessarily any collusion between the DoS attackers and any potential fraudsters, Tubin emphasized, although it was possible. "They could be coordinated, but they are also frequent enough and common enough that criminals could do their own targeted attack once they see a DoS on an institution."

Those targeted attacks are becoming increasingly costly to banks. An FBI fraud alert last September revealed that attackers had compromised several financial institutions by infecting the computers of employees with malware—including keyloggers and remote control software that allowed them to capture employees' passwords, access customers' accounts and make wire transfers ranging from $400,000 to $900,000.

A well-funded attack

Still, Holden said that it's unlikely that criminals are "coat-tailing" on the Izz ad-Din al-Qassam group's attacks just yet. "It would have to be one of the incidences where the attackers can tell the site is down, [but then they] wouldn't be able to get in anyhow. So it's not as likely."

But even if the group behind the attacks isn't profiting from them, Holden said it's clear that there are very real investments being made in their activities—maybe not in servers or hard assets, but in the form of countless hours of maintenance of the botnet by finding new servers to exploit, and further development of attacks.

"Regardless of who's behind this," Holden said, "it has to be funded at some level. Even if it's hacktivists, it's got to be funded hacktivism." That, he says, is because of both the amount of time dedicated to the attack, and to its ongoing refinement. "It's not that these are the most sophisticated things in the world," he explained, "but it has been getting more sophisticated, and it's growing."

The goal of the investment in the botnet hasn’t been to create the sort of massive DDoS launched on Spamhaus this week. Rather, Holden said, the goal seems to have "mainly been around being able to attack multiple targets. They're not interested in the biggest DDoS they can make—they're more interested in creating constant pressure to prove whatever they're trying to prove. They're in it for the long haul."