The Fraud Blog with Tracy Kitten

Another Version of DDoS Hits Banks

All Institutions Remain at Risk as Attackers Change
Another Version of DDoS Hits Banks

Izz ad-Din al-Qassam Cyber Fighters, the hacktivist group that waged three campaigns of distributed-denial-of-service attacks against U.S. banks, apparently hasn't launched an attack since May 2 (see Are DDoS Attacks Against Banks Over?).

See Also: New OnDemand | Reacting with Split-Second Agility to Prevent Software Supply Chain Breaches

Nevertheless, DDoS attacks are continuing. And that means financial institutions need to remain vigilant

Last week, DDoS attacks were waged against two mid-tier banks by bombarding them with requests for PDF document downloads, I've confirmed with more than one reliable source.

The documents, including mortgage, account or loan applications, generally aren't readily accessible from a bank's home page. Ultimately, you'd have to dig pretty deeply or be told these documents are available on the site to know where to find them. Some DDoS bots, however, do have the ability to spider websites and locate random links, like downloadable PDFs, to flood. And, sometimes, links to downloadable files are discovered by attackers via Google searches.

Still, it can be a time-consuming process, and is a reason why this type of flooding attack is often less favored over others.

No one knows why these attacks were waged, although some experts tell me there apparently were no patterns or code or botnets to connect the strikes to the al-Qassam Cyber Fighters.

But it's becoming apparent that it's not just hacktivists that are waging DDoS attacks. And it's not just top-tier banks that are at risk.

Experts and regulators have warned smaller banking institutions to have their guards up, especially for DDoS attacks that could be waged as a mode of distraction to mask account takeover attempts.

At this point, we have to assume all attacks are being waged to either compromise data or perpetrate fraud.

Under the Radar

Bill Nelson, president of the Financial Services Information Sharing and Analysis Center, says download-flooding attacks "are a very common DDoS tactic used by various types of adversaries. Nothing new there."

But Curt Wilson of DDoS-mitigation provider Arbor Networks, says download-flood attacks, which around for a long time, are not used as often as other DDoS tactics. So the download flooding attacks are around, but they are less common.

"The download flood has a larger punch, but I don't think every attacker has it on their agenda," he says.

Download flood attacks, though, are often packaged with attack toolkits that are marketed in underground forums for their so-called "anti-DDoS" capabilities, he says - meaning these toolkits can get around standard DDoS-detection and mitigation measures, Wilson says.

"Other than the usual steps of blacklisting the sources, organizations have responded in the past by reducing the content available to users who have not yet authenticated," Wilson tells me. "This is only a partial solution, of course, because the approach does not scale and does not fit every scenario."

One bank CISO tells me institutions generally can't block future attacks until they review the logs of requests associated with a successful download-flooding strike.

Some of these PDF or file requests, although overwhelming, could be legitimate. And one of the greatest worries surrounding DDoS mitigation is denying good traffic in an effort to block the bad.

Was It a Test?

The latest attacks could have been waged as a way to test their effectiveness. But no one knows for sure.

"It is definitely not the AQCF botnet," known as Brobot, says Rodney Joffe, a DDoS expert at online security firm Neustar. "The general criminal element is ... now using the very effective techniques."

No attempts at fraud have been linked to last week's two flooding attacks. So what were the attackers motivations?

We must assume the actors behind these attacks often have political and/or criminal intent.

What's critical is that banking institutions have DDoS mitigation strategies in place. As Joffe points out: "We have been warned."

But not everyone is heeding the warning.

Smaller, community institutions are a known weak point, as the Office of the Comptroller of the Currency noted in mid-June, when it spearheaded an education campaign about DDoS aimed at community banks, as well as in December, when it issued a warning that community banks should be mindful of DDoS attacks waged to mask fraud.

All banks and credit unions should assume they're going to be targeted, and that the purpose for these attacks is to compromise data and accounts. The sooner all institutions accept and embrace that message, the more secure their overall infrastructure will be.

I encourage you to comment about the best ways to mitigate DDoS attacks in the box below.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.