PNC Bank appears, as promised, to be the latest victim of hacktivists carrying out denial-of-service attacks against major U.S. financial services institutions. PNC, out of Pittsburgh, joins Wells Fargo, J.P. Morgan Chase & Co. and Bank of America on a list of banks reportedly taken offline by a group that claimed responsibility for the attacks as retaliation for the portrayal of Muslims in “Innocence of Muslims,” a series of movie trailers uploaded to YouTube.

The group, using the name Mrt. Izz ad-Din al-Qassam Cyber Fighters, promised in a message hosted on Pastebin to take down PNC today. As of 3 p.m. ET, PNC’s sites were unreachable. Wells Fargo had been the latest institution attacked; on Tuesday, customers complained of intermittent outages and difficulty reaching their online bank accounts, the bank said in a statement on its Twitter account.

PNC spokesman Fred Solomon told Threatpost the bank experienced a higher than usual volume of traffic yesterday, and that it had ramped up today.

“Traffic to our sites is heavy today and it’s of a similar pattern to that seen by other banks of late,” Solomon said.

One security expert, however, is at odds with the group’s claim that its actions are a protest of the movie trailers. Dmitri Alperovich, cofounder and CTO of security company CrowdStrike, called the theory a red herring.

“I don’t buy that their motivation is in response to the video; this group has been carrying out attacks for months,” he said. “Their motivation is to send a message that this is what they’re capable of.” Alperovich said the group’s name is the same as that of the military wing of Hamas and that it claims a Jihadist cause. “If a terrorist group is interested in sending a message to us, this is one way of doing so. It’s a relatively inexpensive and powerful message.”

Since the attacks began against major U.S. banks last week, many theories have surfaced as to the motivations behind the attacks, one being that the attacks were a cover for a string of wire transfer fraud heists. The FBI and the Financial Services ISAC warned 10 days ago that cybercriminals were using spam and phishing emails pushing keyloggers and remote access Trojans to attack financial institutions. Stolen credentials had been used to steal hundreds of thousands of dollars, as well as tamper with user accounts.

Sen. Joe Lieberman (D-Conn.) then last week raised the stakes in a C-Span interview, blaming Iran for the attacks, a claim the Iranians quickly refuted. Lieberman theorized that a secret military unit called the Quds Force initiated the attacks in response to U.S. sanctions imposed on Iran over its nuclear program. The head of Iran’s civil defense organization told the Fars News Agency that Iran was not behind the attacks.

Some of the denial-of-service attacks against the banks have involved massive amounts of traffic, up to 100 Gb/second; experts say most DDoS attacks require 5-10 Gb/second of traffic to take down a site.

“These are not super sophisticated attacks, but we’re seeing very large, almost historic, attacks from the standpoint of the volume of traffic we’re seeing,” Alperovich said. “And these banks are not tiny. They have massive infrastructures and they’re coming under DDoS attacks regularly. The fact that these attacks are able to shut them down is quite remarkable.”

Alperovich said the attackers likely spent months building the botnet infrastructure behind the attacks.

“Banks have high bandwidth connections into their data centers. They can take a lot of traffic, plus they all use security and DDoS protection services,” he said. “This is massively higher than what we see on a normal basis.”

Organizations susceptible to DDoS attacks, such as banks, gambling sites and others where availability is a must, often enlist the help of service providers to get the additional bandwidth and capacity needed to handle traffic. They also benefit from intelligence from ISPs and security service providers who may be able to pinpoint a range of IP addresses from which attacks originate. Victims can then block those addresses at the router or switch level on a network, and still allow legitimate traffic through.
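The intelligence-driven blocking described above, where a provider hands the victim a set of source ranges and the victim drops them at the network edge while letting everything else through, can be modelled in a few lines. The following is an added example, not code from the article or from any of the companies it mentions; the provider-reported ranges and the flow records are constructed sample values (documentation-reserved address space), and the rendered deny rules use Cisco-style wildcard-mask syntax purely as an illustration of what would be pushed to a router ACL.

```python
"""Apply provider-reported attack source ranges to sample flow records,
the way an edge ACL would, and report what is dropped versus passed."""
import ipaddress
from collections import Counter

# Constructed sample: source ranges an ISP or DDoS-mitigation provider might report.
REPORTED_RANGES = ["203.0.113.0/24", "198.51.100.128/25"]

# Constructed sample flow records: (source IP, destination port, bytes).
SAMPLE_FLOWS = [
    ("203.0.113.17", 443, 1500),     # inside a reported range
    ("203.0.113.200", 443, 1500),    # inside a reported range
    ("198.51.100.130", 80, 900),     # inside the /25
    ("198.51.100.5", 443, 2100),     # same /24 but outside the /25: a legitimate customer
    ("192.0.2.44", 443, 1800),       # legitimate customer
]


def build_blocklist(cidrs):
    """Parse CIDR strings into network objects (strict=False tolerates host bits set)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_blocked(src, blocklist):
    """True if the source address falls inside any reported range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in blocklist)


def filter_flows(flows, blocklist):
    """Split flows into (allowed, dropped), mirroring a deny-list applied at the edge."""
    allowed, dropped = [], []
    for flow in flows:
        (dropped if is_blocked(flow[0], blocklist) else allowed).append(flow)
    return allowed, dropped


def acl_rules(blocklist):
    """Render each range as a deny rule (illustrative Cisco-style wildcard-mask syntax)."""
    return [f"deny ip {net.network_address} {net.hostmask} any" for net in blocklist]


def summarize(flows, blocklist):
    """Counts a defender would want after applying the list: what passed, what was shed."""
    allowed, dropped = filter_flows(flows, blocklist)
    per_range = Counter()
    for src, _port, _size in dropped:
        for net in blocklist:
            if ipaddress.ip_address(src) in net:
                per_range[str(net)] += 1
    return {
        "allowed": len(allowed),
        "dropped": len(dropped),
        "dropped_bytes": sum(f[2] for f in dropped),
        "dropped_per_range": dict(per_range),
    }


if __name__ == "__main__":
    blocklist = build_blocklist(REPORTED_RANGES)
    for rule in acl_rules(blocklist):
        print(rule)
    print(summarize(SAMPLE_FLOWS, blocklist))
```

The point the example makes is the one the paragraph makes: a single /25 entry drops three of the five flows while the customer in the adjacent half of that /24 still gets through, which is why range precision from the provider matters more than the raw size of the list.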

“Cybercriminals tend to use DDoS for ransom or blackmail; we see regular attacks on gambling and sports sites, say, right before the Super Bowl, and criminals will demand a ransom,” Alperovich said. “That is not the case here. In the past, we’ve seen hacktivist groups tend to give up easily. If they’re nation-state sponsored—and I’m in no way saying these attackers are—they may continue for a while.”

Until today, the banks under attack had suffered periodic outages and had been able to restore sites and services fairly quickly, limiting the impact on customers and business.

“The headlines may be scary, but it’s important to note, no banks have been breached, no data stolen,” Alperovich said. “We have to keep that context in mind. At most, this has been an inconvenience for users who have not been able to do their online banking. You can still go to the ATM or the branch office. The banking infrastructure is not under attack.”

Categories: Critical Infrastructure, Web Security

Comments (8)

  1. Anonymous
    1

    Yawn.  “Look at us! Look at us!  We’re really big, important people!  Mooooom, shhhh.  I’m on the interwebz being l337h4xzor!”  Grow up and find something productive to do on this planet or get the #$%@ off it.

  2. Anonymous
    3

    I’ll take a DOS attack rather than read the crap posted in the comments so far. Can anyone contribute something more productive?

  3. MyTechNinja
    4

    Not according to an article posted by CSO titled “Thieves use DDoS to distract banks during cyber heists”.  The FBI has warned US financial institutions to prevent employees from accessing the internet on payment computers after a multi-bank heist, which began with phishing emails, netted criminals between US$400,000 and US$900,000 a pop.

    Does that make you guys want to pull your money out from the banks before the bad guys get it?

    From a business perspective, here’s some countermeasures you can think about:

    1. Increase bandwidth
    2. Redirect traffic to a cloud-based alternative site
    3. Use alternate routing tools to move traffic to other locations to balance the load
    4. A more expensive option includes appliances that do packet analysis to separate good and bad traffic, sending the latter to an unused IP address

  4. Simply Red
    5

    Declare a bank holiday for a day, until they move on to the next bank.

    The employees will love you for it!

  5. BeenThere
    7

    “Some of the denial-of-service attacks against the banks have involved massive amounts of traffic, up to 100Gb/second; experts say most DDoS attacks require 5-10 Gb/second of traffic to take down a site.”

    I read this a couple of months ago, when I was looking for an Anti-DDoS provider. I just wanted to say that this was somewhat misleading and almost led to a bad decision on my part.

    Speaking from experience, most DDoS attacks will be over 10 Gbps and much more; also, the volume is not the only factor to consider. There are Application layer attacks that can rise to scary volumes, yet will be mitigated by identification rather than absorption.

    You can use this as a good reference on the subject: 
    incapsula.com/ddos/ddos-attacks
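The commenter’s distinction between absorbing volume and identifying application-layer attack sources is the kind of thing a detection engineer would want to see in code. What follows is an added example that is not part of the comment, the article, or any vendor’s product: it parses constructed Common Log Format lines (documentation-reserved addresses, hypothetical timestamps) and flags any source that exceeds a hypothetical per-source request-rate threshold inside a sliding time window, which is the basic identification step that precedes blocking or challenging that source rather than simply buying more bandwidth.

```python
"""Identify application-layer flood sources from HTTP access-log lines
by per-source request rate over a sliding window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed CLF line, or None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def flag_sources(lines, window_s=10, threshold=20):
    """Flag a source the first time it exceeds `threshold` requests within any
    `window_s`-second span. Returns {ip: timestamp of the flagging request}.
    The window and threshold are hypothetical tuning values, not a recommendation."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for line in lines:            # lines are assumed to be in chronological order
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # evict timestamps that fell out of the window
        if len(q) > threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def make_sample_log():
    """Constructed sample: one source sending 30 requests in 5 seconds (6/s),
    one customer sending 5 requests spread over a minute."""
    base = datetime(2012, 9, 27, 15, 0, 0, tzinfo=timezone.utc)
    entries = []
    for i in range(30):
        ts = base + timedelta(seconds=i // 6)
        entries.append((ts, f'203.0.113.9 - - [{ts.strftime(TS_FMT)}] "GET /login HTTP/1.1" 200 512'))
    for k in range(5):
        ts = base + timedelta(seconds=12 * k)
        entries.append((ts, f'192.0.2.7 - - [{ts.strftime(TS_FMT)}] "GET /accounts HTTP/1.1" 200 2048'))
    entries.sort()
    return [line for _ts, line in entries]


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    for ip, when in flag_sources(SAMPLE_LOG).items():
        print(f"{ip} exceeded rate at {when.isoformat()}")
```

The flood source is flagged on its 21st request, three seconds into the log, while the customer’s five requests never come close to the threshold; note that the attacker’s 30 small GETs total far fewer bytes than the customer’s five, which is exactly why a byte-volume view alone misses this class of attack.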

  6. Anonymous
    8

    “1. Increase bandwidth”

    To 100Gb?

    “2. Redirect traffic to a cloud-based alternative site”

    Redirect…as in HTTP redirect? Fail. If you mean have the traffic routed instead to someone with a bigger pipe, again I say…100Gbit?

    “3. Use alternate routing tools to move traffic to other locations to balance the load”

    That is what many DoS services do (either using BGP or using DNS).  It’s all well and good, but 100Gbit…good luck with that.

    “4. A more expensive option includes appliances that do packet analysis to separate good and bad traffic, sending the latter to an unused IP address”

    More expensive than what?  Certainly not more expensive than option 3. An inexpensive IPS can block many of these attacks, but the traffic has already hit your circuit by then so if the attack is big, you lose.

    Bottom line is that DoS abuse is clearly a problem that has not been solved, and it’s getting worse.  I can’t help but wonder if the ISP backbone and peering connections are keeping pace with the last mile connection speeds?
