Capital One Latest Victim in Series of Attacks on U.S. Banks

Capital One Financial Corp. told Bloomberg’s Businessweek that its online banking services had been temporarily disabled on Tuesday but that no customer and account information was ever at risk.

Capital One Financial Corp. told Bloomberg’s Businessweek that its online banking services had been temporarily disabled on Tuesday but that no customer and account information was ever at risk.

The ‘Mrt. Izz ad-Din al-Qassam Cyber Fighters’ took credit for the attack on the text-sharing site Pastebin, where they also announced their intention to attack Regions Bank and SunTrust. This is the same group that claimed responsibility for attacks on other major financial institutions including PNC, Wells Fargo, J.P. Morgan Chase & Co. and Bank of America among others. They claim the attacks are a retailiation to the infamous “Innocence of Muslims” Youtube video that has reportedly been the catalyst for a number of protests across the Muslim world.

However, experts have noted that the attackers are using encrypted data to bypass the bank’s firewalls and other security measures.

Phil Lerner, VP of Technology at Stonesoft explained via email that encrypting the data stream allowed the attackers to evade any data security controls including the firewall, and, in turn, disable services at Capital One.

Lerner said the attack was a hallmark of data obfuscation and that it could very well be the first public example of what he called an advanced evasion technique (AET) attack targeting a financial institution.

“While this attack has been noticed because of its impact,” Lerner wrote, “many AET attacks leave no trace to current management and monitoring systems, logs or reporters – leaving the devices blind and creating an illusion of security. For this reason, cyber attackers are using AETs more and more.”

Suggested articles

Discussion

  • redstorm_ on

    This is why banks and other sensitive areas need high encryption, two-factor authentication and even more checks & balances even if it is a little more of headache for consumers to do their day-to-day routines--we can easily adapt and if it prevents ID theft and even theft of our valuables, cash, etc.. I'm all for this type of change.  That's security that makes sense unlike things like airport security that we must get hassled over these days with little benefit.  Most consumers would probably be fine with a little more security over their financial records, money and information. 

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.