Izz ad-Din al-Qassam Cyber Fighters’ so-called Phase 4 of distributed-denial-of-service attacks against major U.S. banks hasn’t stalled, it’s just been ineffective at disrupting online availability, security experts say
The latest attacks have been sporadic and seemingly less targeted. U.S. banking institutions, which have been under attack since September 2012, have adapted their defenses, making their online-banking sites hard to take down, experts say.
But Brobot, the botnet used by al-Qassam Cyber Fighters, is still active; it targeted banking institutions as recently as last week, says John LaCour, CEO of cybersecurity and intelligence firm PhishLabs.
“PhishLabs can confirm that we detected QCF [Qassam Cyber Fighters] related DDoS attacks on Wednesday [Aug. 14] and Thursday [Aug. 15],” LaCour says. “Three large banks were attacked that we have seen targeted previously.”
LaCour would not name the banks that were hit. He did say, however, attacks last week were linked to Brobot, and that Brobot still appears to be controlled by al-Qassam.
Experts say they don’t feel Brobot has been leased out for hire, and that al-Qassam is still the group using the botnet against banks.
Disruptions at 2 Banks
JPMorgan Chase and Citigroup suffered intermittent online disruptions last week, according to Fox Business. Neither one of those banking institutions responded to Information Security Media Group’s request for comment. But according to tweets posted last week, Chase and Citi both acknowledged suffering site issues Aug. 15.
“We’re experiencing issues with our website and Chase mobile,” Chase tweeted. “We apologize for the inconvenience. Please stay tuned for updates.”
In its tweet, Citi said: “We are aware of system issues at this time. We are working to get the issue resolved.”
Keynote, an online and mobile cloud testing and traffic monitoring provider, confirms both banks’ online banking sites did experience intermittent issues Aug. 15. But the cause of those online interruptions is not known, says Keynote’s Aaron Rudger.
“The Chase banking website appears to have been unavailable from 8:55 a.m. ET until 10:21 a.m. ET,” he says. “Our monitoring agents reported DNS [Domain Naming System] lookup errors throughout that period, across the U.S.”
DNS is the system that translates a website’s name, such as www.chase.com, into an Internet protocol address that’s assigned to a Web server for that site, Rudger explains.
“Our monitoring agents did observe only a very small number of errors trying to download the Citibank homepage, starting at 12:52 p.m. ET,” he adds. “But that only lasted until 1:09 p.m. ET.”
But other experts who asked to remain anonymous say the outage at Citi was not linked to Brobot; it was an internal technical issue.
What’s Next for Brobot?
Because attacks against banks are increasingly ineffective, some question what’s next for Brobot.
Rodney Joffe, senior technologist at DDoS-mitigation provider Neustar, believes the attacks against banks are nearing an end. What’s next is anyone’s guess, he adds. But Joffe and others have suggested Brobot will likely soon be used to target other industries, especially those impacting critical infrastructure.
The attackers will take aim at other targets to avoid admitting their campaign has been a failure, some suggest.
“We’ll start to see disruptions that cause a little more fear in the U.S. public,” Joffe says. “We have heard about the compromise of water systems in small towns. I wouldn’t be surprised if we really start to see attacks like that.”