DDoS Attacks: PNC Struck Again
Security Experts Say Banks Can Expect Attacks to Continue
PNC Financial Services Group confirms that its online banking site on Dec. 13 was bombarded with high volumes of traffic for the second time this week, causing some users to have trouble logging into their accounts.
According to online-monitoring site sitedown.co, Bank of America and JPMorgan Chase also suffered access issues beginning around 9 a.m. ET Dec. 13, although neither bank acknowledged any outages.
Meanwhile, industry analysts say banks worldwide are on the lookout for distributed-denial-of-service attacks, which rely on high volumes of traffic to disable and disrupt websites. These attacks are increasing in sophistication, and firewalls and Internet-protocol blocking are no longer effective, information security experts say. As a result, banking institutions and other at-risk organizations are advised to invest in real-time DDoS monitoring to ensure they promptly detect attacks.
Update on Outages
PNC spokesman Frederick Solomon said the bank's site experienced "higher than usual" traffic volumes on Dec. 13. "We will continue to communicate directly to our customers through our social media and other online channels, including our website," he said.
All three banks that had access issues Dec. 13, along with SunTrust Banks and U.S. Bank, were named by the hacktivist group Izz ad-Din al-Qassam in a Dec. 10 Pastebin post as being targets for this second phase of DDoS attacks. The hacktivist group says the attacks are being waged against leading U.S. banks to protest a YouTube movie trailer deemed offensive to Muslims (see 5 Banks Targeted for New DDoS Attacks).
SunTrust was the first to experience online outages, on Dec. 11, according to site-availability tracker websitedown.com. No significant SunTrust outages have been reported since then, according to sitedown.co.
SunTrust has declined to comment about any of its site availability issues.
On Dec. 12, websitedown.com also reported that U.S. Bank and BofA both experienced intermittent site problems throughout the day. U.S. Bank spokesman Tom Joyce confirmed a DDoS hit, but BofA spokesman Mark Pipitone said the bank's site issues were not related to an outage (see U.S. Bank Confirms DDoS Hit).
Despite BofA's statement, one of the bank's retail customers from Atlanta called BankInfoSecurity to report he had not been able to access his online banking account at bankofamerica.com for a week.
The customer, who identified himself only as "Steve," expressed frustration about his inability to access his account with BofA, saying the bank's public statements do not reflect the reality of the situation for customers.
"There have been several hundred [customers] that seemingly can't get on," he said, citing posts from other customers on sitedown.co. "This problem is so far out of whack with BofA's response in terms of them saying 'no big deal, it's fixed.'"
In a Dec. 13 blog about the DDoS attacks, Dan Holden and Curt Wilson of DDoS mitigation firm Arbor Security's Security Engineering and Response Team predict the attacks will continue because they have been successful.
"Some of this week's attacks have been as large as 60 Gbps [gigabytes per second]," they write.
Another expert, Mike Smith of Akamai Technologies, an Internet platform provider, notes that in the first wave of bank attacks, the traffic coming in was the equivalent of about 65 gigabytes per second - far stronger than previous DDoS attacks. "Even at the height of the Anonymous attacks, we saw traffic coming in from 7,000 or 8,000 people [at approximately 1 gigabyte per second] involved in attacks at any given time," he says.
But Holden and Wilson say what makes these attacks so significant is not their size, but their focus - "part of an ongoing campaign, and, like most DDoS attacks, quite public," they write. "These attacks utilize multiple targets, from network infrastructure to Web applications."
While it's clear U.S. banking institutions are being targeted for this campaign, banks in other parts of the world, too, are closely monitoring their online sustainability, says Tom Wills, a security and fraud analyst for consultancy Javelin Strategy & Research.
"Ever since Anonymous appeared on the scene and failed to disappear, the industry has come to realize that cyberattacks aren't just a one-off problem, but are now a permanent part of the threat landscape, and the threat is 100 percent global," he says. "As long as a bank has an online presence, no matter where in the world it's located, it's going to be a target."
Global awareness among financial institutions about DDoS and other cyberthreats is high, relative to other industries, Wills says. "Readiness, though, is a different story," he adds. "As in the U.S., the largest banks tend to devote the most resources to mitigation, while smaller ones run the gamut, and are, therefore, the most vulnerable."
Comparing the Attacks
The Financial Services Information Sharing and Analysis Center on Dec. 12 issued an advisory to its membership, outlining precautions institutions should take as they prepare for the hacktivists' second phase of attacks. Experiences with the first phase of attacks helped the industry prepare for round two, FS-ISAC notes. That first phase, which ran between mid-September and mid-October, targeted all five banks named in the latest threat, along with Wells Fargo, Capital One, Regions Bank, BB&T and HSBC.
The hacktivists' warning that this second phase will be more severe than the first should give institutions incentive to enhance their DDoS-prevention measures, FS-ISAC says. And according to what researchers have learned about how attacks in this second campaign are being waged, there are differences worth noting.
Arbor Security's Holden and Wilson say attacks waged during the first phase typically compromised PHP- and Joomla-based applications; PHP is an open-source scripting language and Joomla an open-source content management system, both used to produce dynamic web pages. WordPress sites, typically running outdated versions of the TimThumb plugin, a PHP script used to resize images, also were compromised, Holden and Wilson write.
"Unmaintained sites running out-of-date extensions are easy targets, and the attackers took full advantage of this to upload various PHP webshells, which were then used to further deploy attack tools," they write. "In the September 2012 attacks, there were several PHP-based tools used."
The takedowns relied on a mix of application-layer attacks against HTTP, HTTPS and DNS, combined with high volumes of attack traffic across a variety of Internet protocols, the two researchers explained.
But attacks in this second campaign have been a bit different, often including newly crafted DNS packets, Holden and Wilson say. The latest attacks have clearly proven that typical defenses, such as firewalls and intrusion-prevention systems, are ineffective, they contend.
"These devices can be an important part of a layered defense strategy, but they were built for problems far different than today's complex DDoS threat," they write. "Given the complexity of today's threat landscape, and the nature of application-layer attacks, it is increasingly clear that enterprises need better visibility and control over their networks, which requires a purpose-built, on-premise DDoS mitigation solution."
Institutions must be aware of attacks in real time, Holden and Wilson add. "DDoS is no longer simply a network issue, but is increasingly a feature or additional aspect of other threats," they write.
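The real-time visibility the researchers call for starts with something a firewall does not do: watching request rates per source and in aggregate as they happen. The following added example (written for this article, not code from Arbor, Akamai or any of the banks) runs a sliding-window rate check over constructed web-server access-log lines; the log format, window length and thresholds are assumptions, and the sample traffic is synthetic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined access-log format (Apache/nginx); assumed for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d{3}')

def parse(line):
    """Return (ip, timestamp, path) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"), m.group("path")

def detect_floods(lines, window_s=10, per_ip_limit=50, total_limit=200):
    """Sliding-window rate check over access-log lines (assumed in time order).
    A source is flagged once it exceeds per_ip_limit requests within any
    window_s-second span (an application-layer flood from one source); the
    stream is flagged as volumetric once the aggregate count in a window
    exceeds total_limit. Returns (flagged_ips, volumetric, busiest_path)."""
    per_ip, all_req = defaultdict(deque), deque()
    flagged, volumetric, paths = set(), False, defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                       # skip malformed lines, keep going
        ip, ts, path = rec
        paths[path] += 1
        for q in (per_ip[ip], all_req):    # evict entries older than the window
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
        if len(per_ip[ip]) > per_ip_limit:
            flagged.add(ip)
        if len(all_req) > total_limit:
            volumetric = True
    busiest = max(paths, key=paths.get) if paths else None
    return flagged, volumetric, busiest

def constructed_sample():
    """Constructed traffic, not a real capture: one client browsing normally
    plus one source posting to /login eight times a second for 30 seconds."""
    lines = []
    for s in range(30):
        ts = f"[13/Dec/2012:09:00:{s:02d} +0000]"
        lines.append(f'198.51.100.7 - - {ts} "GET /home HTTP/1.1" 200 512')
        lines += [f'203.0.113.9 - - {ts} "POST /login HTTP/1.1" 200 1024'] * 8
    return lines
```

Calling `detect_floods(constructed_sample())` flags only the source hammering `/login` while the aggregate rate stays below the volumetric threshold, which is the application-layer pattern a pure bandwidth alarm would miss.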
Distractions of DDoS
All banks need to be mindful that the DDoS attacks could be used to mask other threats, Wills says.
"While it's true that hacktivist groups like the Izz ad-Din al-Qassam Cyber Fighters and Anonymous tend to go after high-profile targets, there are plenty of other active cybercriminal groups whose goal is to extract funds," he says.
"Remember that DDoS attacks are often a smokescreen to divert the bank's attention away from a money-stealing operation. So the DDoS attacks are basically the same, regardless of who launches them, and online banks everywhere need to be able to defend against them."