Brace yourself: more distributed denial of service (DDoS) attacks are coming at financial institutions, predicted Scott Hammack, CEO of Hollywood, Fla.-based Prolexic Technologies, a leader in helping big business defend itself against DDoS.
“Absolutely, we will see more attacks on banks,” said Hammack in an interview. He traced the current wave of attacks – which have crippled the websites of money center banks including Bank of America and JP Morgan Chase – to probes that began in January.
“The attackers did several months of reconnaissance, probing websites for vulnerabilities,” said Hammack.
The core DDoS method is to overwhelm a website with a flood of extraneous data. There is so much data coming in that legitimate requests simply cannot be handled.
The current attackers, Hammack suggested, come at this with enormous skill, sophistication and funding. He indicated he had no guess about the possible end game or what the objectives of the attackers might be beyond highlighting the vulnerabilities of big banks to attacks.
He indicated that the attackers – or people close to them – have frequently posted notices of what institutions they have taken down on Pastebin, a website believed to be frequented by members of the hacker and cyber-criminal community.
According to Hammack, the attackers have used the itsoknoproblembro DDoS tool kit and they have come to the battle with deep knowledge of the classic anti DDoS mitigation schemes. Since they know how financial institutions protect themselves at first sight of DDoS, they also know how to maneuver around those protections, said Hammack.
Hammack warned: “This is sophisticated in the way Stuxnet was.” Stuxnet’s authorship is unknown, but some have said it was approved by the White House and involved high level cyber security experts from the U.S. and Israel. It specifically targeted Iran’s nuclear program.
So far, no credit unions are known to have been targeted in the present wave of DDoS attacks. However, Hammack indicated that in his opinion only the very largest banks are currently prepared to deal with this attack.
“A lot of smaller financial institutions have no protection,” he said. “If they get hit they will be out for days.”