PNC Bank appears, as promised, to be the latest victim of hacktivists carrying out denial-of-service attacks against major U.S. financial services institutions. PNC, out of Pittsburgh, joins Wells Fargo, J.P. Morgan Chase & Co. and Bank of America on a list of banks taken offline reportedly by a group who claimed responsibilities for the attacks as retaliation for the portrayal of Muslims in “Innocence of Muslims,” a series of movie trailers uploaded to YouTube.
The group, using the name Mrt. Izz ad-Din al-Qassam Cyber Fighters, promised in a message hosted on Pastebin to takedown PNC today. As of 3 p.m. ET, PNC’s sites were unreachable. Wells Fargo had been the latest institution attacked; on Tuesday, customers complained of intermittent outages and difficulty in reaching their online bank accounts, bank officials said in a statement on its Twitter account.
PNC spokeman Fred Solomon told Threatpost the bank experienced a higher than usual volume of traffic yesterday, and that it had ramped up today.
“Traffic to our sites is heavy today and it’s of a similar pattern to that seen by other banks of late,” Solomon said.
One security expert, however, is at odds with the group’s claim its actions are a protest of the movie trailers. Dmitri Alperovich, cofounder and CTO of security company CrowdStrike, called the theory a red herring.
“I don’t buy that their motivation is in response to the video; this group has been carrying out attacks for months,” he said. “Their motivation is to send a message that this is what they’re capable of.” Alperovich said the group’s name is the same as the military wing of Hamas and it claims to have a Jihadist cause, he said. “If a terrorist group is interested in sending a message to us, this is one way of doing so. It’s relatively inexpensive and powerful message.”
Since the attacks began against major U.S. banks last week, many theories have surfaced as to the motivations behind the attacks, one being that the attacks were a cover for a string of wire transfer fraud heists. The FBI and the Financial Services ISAC warned 10 days ago that cybercriminals were using spam and phishing emails pushing keyloggers and remote access Trojans to attack financial institutions. Stolen credentials had been used to steal hundreds of thousands of dollars, as well as tamper with user accounts.
Sen. Joe Lieberman (D-Conn.) then last week raised the stakes in a C-Span interview, blaming Iran for the attacks, a claim the Iranians quickly refuted. Lieberman theorized a secret military unit called the Qud Force initiated the attacks because of U.S. sanctions imposed on Iran because of its nuclear program. The head of Iran’s civil defense organization told the Fars News Agency Iran was not behind the attacks.
Some of the denial-of-service attacks against the banks have involved massive amounts of traffic, up to 100Gb/second; experts say most DDoS attacks require 5-10 Gb/second of traffic to take down a site.
“These are no super sophisticated attacks, but we’re seeing very large, almost historic, attacks from the standpoint of the volume of traffic we’re seeing, ” Alperovich said. “And these banks are not tiny. They have massive infrastructures and they’re coming under DDoS attacks regularly. The fact that these attacks are able to shut them down is quite remarkable.”
Alperovich said the attackers likely spend months building the botnet infrastructure behind the attacks.
“Banks have high bandwidth connections into their data centers. They can take a lot of traffic, plus they all use security and DDoS protection services,” he said. “This is massively higher than what we see on a normal basis.”
Organizations susceptible to DDoS attacks, such as banks, gambling sites and others where availability is a must, often enlist the help of service providers to get the additional bandwidth and capacity needed to handle traffic. They also benefit from intelligence from ISPs and security service providers who may be able to pinpoint a range of IP addresses from which attacks originate. Victims can then block those addresses at the router or switch level on a network, and still allow legitimate traffic through.
“Cybercriminals tend to use DDoS for ransom or blackmail; we see regular attacks on gambling and sports sites say right before the Super Bowl and criminals will demand a ransom,” Alperovich said. “That is not the case here. In the past, we’ve seen hacktivist groups tend to give up easily. If they’re nation-state sponsored—and I’m in no way saying these attackers are—they may continue for a while.”
Until today, the banks under attack have suffered periodic outages and have been able to make sites and services available fairly quickly, limiting the impact to customers and business.
“The headlines may be scary, but it’s important to note, no banks have been breached, no data stolen,” Alperovich said. “We have to keep that context in mind. At most, this has been an inconvenience for users who have not been able to do their online banking. You can still go to the ATM or the branch office. The banking infrastructure is not under attack.”