Hacktivists strike U.S. Bank with volunteer-powered DDoS
Rather than launch the attack from a network of compromised machines, the attackers are said to be individuals running a one-click script
By Antone Gonsalves
September 26, 2012 — CSO — U.S. Bank's website was disrupted on Wednesday in a people-powered distributed denial of service (DDoS) attack, launched by a group of Islamic hacktivists who have claimed responsibility for similar cyberattacks against four other banks in the U.S.
The attack involved hundreds of thousands of computers sending an overwhelming number of requests that downed the site for roughly an hour, starting at around 3:30 Pacific, said Atif Mushtaq, a security researcher at FireEye who has been monitoring the attack.
The disruption of U.S. Bank's website comes one day after a similar attack against Wells Fargo & Co. The group has taken credit for other attacks that occurred last week, against Bank of America, JPMorgan Chase and Citigroup.
A representative of U.S. Bancorp, which operates as U.S. Bank, confirmed it was under attack. "We apologize that some customers experienced intermittent delays today on our website. We have been working hard to restore full connectivity," the spokeswoman said.
"We are asking customers who are experiencing issues with our online or mobile sites and have an urgent banking need to please call us at 1-800-US-BANKS, or stop by one of our branches," she said.
She said the issues were "related to unusual and coordinated high traffic volume designed to slow down the system -- similar to what other banks have experienced in the past week."
"We are working closely with federal law enforcement officials to address the issue. In the meantime, we can assure customers that their data and funds are secure," the spokeswoman added.
A new twist on DDoS
Rather than launch the attack from a network of compromised machines, called a botnet, the attackers are apparently using volunteers, Mushtaq said. Participants go to one of two file-sharing sites and download a program written in a scripting language. Once the program is running, a person only has to click on a "start attack" button to send continuous requests to the target's website.
This method makes it more difficult for authorities to stop the attack, because there are no control servers. "They know [servers] can be blocked very easily," Mushtaq said.
The group calling itself "Mrt. Izz ad-Din al-Qassam Cyber Fighters" had said on a Pastebin post that it would attack Wells Fargo on Tuesday, U.S. Bank on Wednesday and PNC Financial Services Group on Thursday.
DDoS attacks, against which experts say banks can only hope for the best, are considered crude because they do not require any sophisticated technology, just a large enough network of computers to overwhelm a site. Banks the size of the ones under attack would have to be hit by a network of hundreds of thousands of computers in order to disrupt their sites, Mushtaq said.
The use of volunteers launching attacks from their own computers makes it difficult for banks to separate traffic and redirect the DoS requests, Mushtaq said. "There's no way you can distinguish between the benign traffic and this DDoS traffic," Mushtaq said. "It's simply mixed up."
The group claiming to be behind the attacks indicated in the Pastebin post that it was in retaliation for the video trailer denigrating the Prophet Muhammad. The amateurish YouTube video made in the U.S. has sparked violent protests in the Middle East and other regions.