Capital One, HSBC, Bank of America, and Wells Fargo are among the near-dozen financial Websites hit by distributed denial-of-service (DDoS) attacks over the past few weeks. These attacks have disrupted daily operations for banks and made it difficult for customers to take advantage of online banking services.
A group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed credit for most of the incidents and has named the institutions it will target a few days before launching the attacks. Even with the prior warning, Websites of some of the country’s largest firms have been affected: Bank of America, JPMorgan Chase, PNC, U.S. Bank, Wells Fargo, SunTrust, Regions Financial, Capital One, and BB&T. Capital One Bank was hit with two separate attacks, occurring on Oct. 9 and Oct. 16.
HSBC was the latest one to be hit, as its Websites suffered online outages on Thursday. A different group, Fawkes Security, claimed credit, but it’s not clear at this point whether the HSBC incident was different from the attacks against other banks or not.
“This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking,” the bank said in a statement on its Website.
What are DDoS Attacks?
In a DDoS attack, a group of computers sends a larger-than-usual volume of traffic to a Website to tie up server resources. The site can’t handle the high volume and is either knocked offline entirely or available only sporadically.
“You can picture a distributed denial-of-service attack as being something like 15 fat men trying to get through a revolving door at the same time. Nothing moves,” said Graham Cluley, senior technology consultant at Sophos.
Often in DDoS attacks, the computers used to bombard the targeted Websites with traffic have actually been hijacked. The computers are often infected with malware that gives attackers control over the computer, usually without the owner’s knowledge. In these banking attacks, however, it appears that the perpetrators have hijacked servers instead of client machines, according to recent analysis by Radware.
Difficult to Repel
For banking customers, these DDoS attacks are more annoying than damaging. While online systems have been intermittently unavailable, to date it doesn’t appear that any customer or account information at any of the banks has been exposed because of the attacks. For financial institutions, they’ve been highly disruptive, as IT departments have to deal with significantly large attacks.
“These are big, but we’ve seen this big before,” Neal Quinn, chief operating officer of Prolexic, told Wired last week. “We’ve seen events this big in the past.”
Even knowing that the attacks were coming, financial institutions have been unable to keep the attacks from knocking the sites offline. Each of the targeted banks experienced several hours of downtime, although Wells Fargo seemed to have weathered the crisis a little better than others.
“I don’t want to minimize the potential damage it could cause to the industry,” Wells Fargo CFO Tim Sloan told Reuters. “But in terms of how the industry performed and how Wells Fargo performed in reaction to the recent efforts, we actually performed very well.”
The bank will continue to invest in ways to defend against future DDoS attacks, according to Sloan, who called it “a cost of doing business today.”
Stay On Guard
Even though each of the affected institutions has assured customers that no customer or account data has been compromised, security experts warn that it’s still too early to get complacent. DDoS attacks can often be a diversion so that IT teams don’t notice other malicious activity that may be happening at the same time. Gartner’s Avivah Litan told Government Info Security that she had anecdotal accounts of fraud slipping through banks’ overloaded call centers while the online channels are under attack.
It wouldn’t be the first time DDoS attacks were used to distract overloaded administrators. Back in April 2011, Sony didn’t notice the attackers breaking into Sony servers to compromise over 100 million user accounts from the PlayStation Network, Sony Online Entertainment, and Qriocity music service because it was distracted by large-scale DDoS attacks overwhelming its servers, the company said in a letter to Congress.
“We are assuming that the attackers are doing this to perpetrate fraud,” Mike Smith, a security evangelist with online security provider Akamai Technologies, told Bank Info Security. Smith was specifically referring to the fact that Capital One was targeted for a second time, which may mean that attackers are looking for different ways to try to compromise employees and get access to customer accounts.
“That’s the assumption we are operating under at this point,” Smith said.