Bank DDoS Attacks Using Compromised Web Servers as Bots

A rash of politically and socially motivated distributed denial-of-service attacks against major U.S. banks has been able to intermittently disrupt online and mobile banking services. The attackers have been able to fire unprecedented amounts of traffic at the likes of Wells Fargo, Bank of America, PNC and many others, temporarily denying customers access to their accounts online.


The attackers claiming responsibility, Izz ad-Din al-Qassam, have used a mix of tools including PHP-based itsoknoproblembro, an offshoot of Brobot, according to Arbor Networks. Researchers at Incapsula, meanwhile, have discovered another tactic this week.

Incapsula posted a report describing how the attackers were using one of its clients, a compromised UK website, as a bot; a growing number of encoded PHP requests to the site had triggered unusual alerts.

“A closer look revealed that these intercepted requests were attempts to operate a backdoor and use the website as a bot — an unwilling foot soldier in a DDOS army,” wrote security analyst Ronan Atias.

The attackers were using the website’s resources to launch HTTP and UDP flood attacks against NSBC, Fifth Third Bank and PNC, according to log screenshots on the Incapsula website. Atias, based in Israel, said the use of a website as a bot did not surprise him.

“This is just a part of a growing trend we’re seeing in our DDoS prevention work. In an attempt to increase the volume of the attacks, hackers prefer web servers over personal computers. It makes perfect sense,” Atias said. “These are generally stronger machines, with access to the high quality [host] networks and many of them can be easily accessed through a security loophole in one of the sites.”

The UK website in question had a doozy of a loophole: a default login of admin/admin had been left in place, Incapsula said. Atias said the attacks were timed, lasting anywhere from seven minutes to an hour. Attacks would recommence just as targets came back online; sometimes the targets would change to e-commerce or commercial sites.

“This all led us to believe that we were monitoring the activities of a botnet for hire,” Atias said.

The PHP attack code multiplied itself in order to take advantage of the full capacity available on the server, and could produce incrementally more traffic than a traditional bot, Atias said.

“The backdoor was controlled using an API which used the server’s PHP environment to inject dynamic attack code,” Atias said. “This allows the attacker to adapt very quickly to any changes in the website’s security.”
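The signal Incapsula describes, a rising count of encoded PHP requests that carry attack code into a backdoor on an otherwise ordinary site, can be surfaced from a plain web access log. The following is an added example, not Incapsula’s or Threatpost’s code: it decodes base64-looking query parameters, flags those that decode to PHP calls such as eval or shell_exec, and counts hits per client. The log lines, IP addresses, file paths and parameter names are constructed for the example.

```python
import base64
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Apache combined log format: client IP, identity, user, timestamp, quoted request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A parameter value that looks like base64 (long, alphabet-only, optional padding).
B64_RE = re.compile(r'^[A-Za-z0-9+/]{20,}={0,2}$')
# Decoded text containing a call to one of these functions is treated as injected PHP.
PHP_RE = re.compile(r'\b(eval|assert|base64_decode|system|shell_exec|passthru|exec|fsockopen)\s*\(')

def decode_if_php(value: str):
    """Return the decoded text when a base64-looking value hides a PHP call, else None."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # bad padding, non-base64, binary: not PHP text
        return None
    return text if text.isprintable() and PHP_RE.search(text) else None

def scan_log(log_text: str):
    """Return (ip, request target, decoded code) for each request carrying encoded PHP."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for pair in urlsplit(m["target"]).query.split("&"):
            _, _, raw = pair.partition("=")
            decoded = decode_if_php(unquote(raw))   # unquote keeps a literal '+' intact
            if decoded:
                findings.append((m["ip"], m["target"], decoded))
    return findings

def clients_by_hits(findings):
    """Count flagged requests per client IP; a single client hammering one file stands out."""
    return Counter(ip for ip, _, _ in findings)

def encode_b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

# Constructed sample log (four requests); the two from 203.0.113.7 carry encoded PHP.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [10/Jan/2013:10:01:02 +0000] "GET /uploads/cache.php?c=%s HTTP/1.1" 200 14 "-" "Mozilla/5.0"' % encode_b64(b"eval(base64_decode($c));"),
    '198.51.100.2 - - [10/Jan/2013:10:01:04 +0000] "GET /index.php?page=about&s=%s HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' % encode_b64(b"user=alice;theme=dark"),
    '203.0.113.7 - - [10/Jan/2013:10:01:05 +0000] "GET /uploads/cache.php?c=%s HTTP/1.1" 200 14 "-" "Mozilla/5.0"' % encode_b64(b"shell_exec($cmd);"),
    '198.51.100.2 - - [10/Jan/2013:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
])
```

The benign base64 value (a harmless preferences string) decodes cleanly but contains no PHP call, so it is not reported; only the two requests to the backdoor file are counted against their client.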

The attacks have been attributed to Izz ad-Din al-Qassam, a group claiming its actions are in retaliation for the portrayal of Muslims in a series of movie trailers posted to YouTube for the movie “Innocence of Muslims.”

“We say to the people that now, in these unfavorable economic conditions, your capitals [sic] in the banks are influenced by childish decisions of some capitalists who do not consider anything but their own interests. Perhaps more attacks make them wiser to be able to choose a simpler solution,” the group wrote in an entry on Pastebin two days ago. The group promised more attacks until the trailers were removed from YouTube.

The attacks have consistently surpassed previous denial-of-service attacks used against high-profile websites, firing upwards of 60 Gbps of bad traffic at the banks’ websites. The most recent round of attacks in December was capable of sending 40 Gbps at multiple targets simultaneously.

“If you’re sending 40 GBPS of traffic across two targets, that’s definitely a feat,” Dan Holden, Arbor Networks’ director of security research, told Threatpost. “That’s difficult to do from the attacker’s standpoint, and difficult to defend. The banks have been far better prepared this time because they’ve seen these attacks before.”

Holden said the attackers were using sites compromised via exploits against vulnerable PHP Web applications, including some Joomla sites as well as WordPress sites using a vulnerable plug-in called TimThumb. TimThumb is an image resizing library used in premium WordPress themes.
