Six leading U.S. banking institutions were hit by distributed-denial-of-service attacks on March 12, the largest number of institutions to be targeted in a single day, says security expert Carl Herberger of Radware.
The attacks are evolving, and the bot behind them, known as Brobot, is growing, he adds. This recent wave of DDoS attacks has proven to be the most disruptive among the campaigns that date back to September, says Herberger, vice president of security for the anti-DDoS solutions provider.
“The Brobot has grown, the infection rate has increased, and the encrypted attacks have become more refined,” Herberger says. “As a result, it all is more effective. They’ve clearly gotten better at attacking more institutions at once.”
Radware offers DDoS-mitigation tools to several high-profile clients, including U.S. banking institutions targeted in the recent attacks, Herberger says. As a result, the company has insights about numerous industrial sector attacks as well as online traffic patterns.
Herberger declined to name the institutions affected, citing Radware’s non-disclosure agreements. But according to online traffic patterns collected by Internet and mobile-cloud testing and monitoring firm Keynote Systems Inc., JPMorgan Chase & Co., BB&T and PNC Financial Services Group suffered online outages on March 12. The three banks declined to comment about the attacks or confirm whether they had been targeted this week.
Chase, however, acknowledged an online disruption in a March 12 post to the Chase Twitter feed. The post states: “*ALERT* We continue to work on getting Chase Online back to full speed. In the meantime, pls. use the Chase Mobile app or stop by a branch.” On March 13, the bank came back with this tweet: “We’re sorry it was such a rough day and we really appreciate your patience.”
Phase 3 Attacks
The hacktivist group Izz ad-Din al-Qassam Cyber Fighters on the morning of March 12 posted an update in the open forum Pastebin about its third phase of attacks. In it, the group mentions nine targets struck during the previous week.
The group claims it is waging its attacks against U.S. banking institutions over a Youtube video deemed offensive to Muslims.
The nine latest targets identified by the hacktivists – Bank of America, BB&T, Capital One, Chase, Citibank, Fifth Third Bancorp, PNC, Union Bank and U.S. Bancorp – have either declined to comment or have denied suffering any online disruptions.
But Keynote Systems says Chase, BB&T and PNC suffered major online failures between 12:30 p.m. and 11 p.m. ET on March 12. Outages suffered by Chase resulted in a nearly 100 percent failure rating between the hours of 2 p.m. ET and 11 p.m. ET, says Ben Rushlo, Keynote’s director of performance management. “That means the site was unavailable most of that time. That’s pretty massive.”
BB&T also had significant issues, but not quite so severe, Rushlo says. Between 12:30 p.m. and 2:30 p.m. ET, and then again briefly at 5:30 p.m. ET, BB&T’s online-banking site suffered intermittent outages, he adds.
PNC’s site suffered a significant outage for a 30-minute span beginning bout 3:30 p.m. ET, Rushlo says. “On a scale relative to Chase, they were affected 10 times less.”
Rushlo stresses that Keynote cannot confirm the cause of the online outages at the three banks because the company does not monitor DDoS activity; it only monitors customer-facing applications. Nevertheless, the online analysis Keynote conducts is in-depth, Rushlo contends. “We’re actually going behind the logons to emulate what the customer sees or experiences when they try to conduct online-banking,” he says.
Radware’s Herberger says some institutions have successfully mitigated their DDoS exposure, while others are only succeeding at masking the duress their online infrastructures are experiencing.
“There has been a lot of quick provisioning to address these attacks,” he says. “But if something changes, like it has now, then the whole game changes and the whole equilibrium changes. It’s not really solving the problem; it’s just addressing a glitch.”
More banking institutions need to go beyond Internet protocol blocking to address attacks that are aimed at servers and site-load balancers, he says. But many organizations have failed to take the additional steps needed to successfully and consistently deflect these emerging DDoS tactics.
“The thing that’s kind of frustrating to all of us is that we are six months into this and we still feel like this is a game of chess,” Herberger says. “How is it that an industry that has been adorned with so many resources – with more than any other industrial segment in U.S. – missed the threat of hacktivist concerns? There seems to clearly be industrial sector vulnerabilities that were missed in all of the historical risk assessments.”
For DDoS protection click here.