DDoS: PNC, Wells Report Traffic SurgeLatest Incidents Not as Disruptive as Phase 1 Attacks
Amidst Phase 2 of hacktivists' distributed-denial-of-service attacks on U.S. banks, PNC Financial Services and Wells Fargo on Dec. 20 both reported online traffic surges. But experts say these latest incidents are not resulting in online outages as widespread or lengthy as phase 1 of the attacks earlier this fall.
Either the targeted banks are getting better at defending their perimeters, some observers say, or the DDoS attacks have subsided.
"Most banks' network teams are making rapid adjustments to the configurations of their networks, so they can better withstand these attacks," says financial fraud expert Avivah Litan of Gartner. "These adjustments are definitely helping for now. The fraud teams are also tightening defenses, so more is automated and independent of staff attention, which is diverted during these attacks."
About the Dec. 20 surge, PNC spokesman Frederick Solomon said, "Heavy electronic traffic caused intermittently interrupted access to our site this morning," but the overall impact was minimal. Wells Fargo, which reported isolated accessibility issues a day earlier, also acknowledged minor disruptions but no outages (see Wells Fargo Still Dealing with DDoS).
"We're seeing an unusually high volume of traffic which is creating slow or intermittent access to our website for some online customers," said Wells Fargo spokeswoman Sara Hawkins the morning of Dec. 21. "The vast majority of customers are not impacted."
Neither bank confirmed a DDoS hit linked to threats made by the hacktivist group known as Izz ad-Din al-Qassam Cyber Fighters, which on Dec. 18 promised via Pastebin a new wave of attacks against leading U.S. banks.
A week earlier, the hacktivist group announced plans to initiate this second phase of DDoS strikes against Bank of America, JPMorgan Chase, PNC Financial Services, U.S. Bancorp and SunTrust Banks (see 5 Banks Targeted for New DDoS Attacks).
The hacktivist group claims this series of attacks is a follow-up to the first campaign it waged against those five banks, as well as Wells Fargo, Regions Bank, HSBC Holdings, BB&T Corp. and Capital One, from mid-September to mid-October.
Izz ad-Din al-Qassam Cyber Fighters says it will continue its strikes against U.S. banks until a YouTube movie trailer, deemed to be offensive to Muslims, is removed.
DDoS experts say the traffic patterns suggest most of these latest incidents are linked.
"The attacks themselves are as complex as the previous attacks, with similar bandwidth peaks and similar, but modified, attack characteristics," says Carlos Morales of DDoS prevention vendor Arbor Networks. And more banks appear to be among the targets, he says.
But the attacks are having less impact, and Morales says that's because banks have taken steps to prepare. "There seem to be more cohesive processes in place to react to attacks, more capacity available, in general, across networks - layered defenses in some places - and tighter collaboration between the financials and their MSSP [managed security service provider] providers."
DDoS expert John Walker, who also serves as the chairman of ISACA's Security Advisory Group in London, believes the decrease in outages has more to do with the attackers than the banks' defenses.
"Within the last 24 hours there has been a decline overall in global attacks," Walker says. "This could be because of the natural behavior of the attackers," taking a break for the holidays, he suggests. But it's also just as likely that the hacktivists behind these site takedowns will strike Dec. 24 and Dec. 25, when staffing within IT and fraud departments is slim.
Other Groups Involved?
Observers who have tracked the DDoS attacks say evidence suggests that Izz ad-Din al-Qassam Cyber Fighters may not be acting alone, or that other groups are pinning their efforts on the tails of these attacks.
Gartner's Litan says the industry is learning more about the groups behind DDoS strikes. And while their motives vary, their methods do not, she says.
"I've put them into three groups, based on conversations with bankers and others in the know," Litan says.
In a blog posted Dec. 18, Litan breaks down the three classes of DDoS attackers as:
- Political hactivists with no ability to commit fraud;
- Political hactivists with no ability to commit fraud that are coupled with counter attacks waged by different groups that commit fraud while security teams are distracted;
- Financially-motivated gangs that strike banking institutions with DDoS attacks and fraud, using DDoS methods that resemble those of political hacktivists to fool their targets.
For Walker, the traffic patterns and the indications that other groups are involved should be alarming, and not just to U.S. banking institutions.
"What we are seeing this year is just a tip in the ocean of what is planned for 2013," he says. "Are banks getting better at defending against DDoS? Possibly, yes. But they can only hold the water back so long."