As promised, Islamic hacktivists disrupt PNC Bank
Naming the targeted banks shows attackers are sophisticated, says one security expert
By Antone Gonsalves
September 27, 2012 — CSO — PNC Bank's website was disrupted on Thursday by a group of Islamic hacktivists who have also claimed responsibility for taking down the websites of Wells Fargo and U.S. Bank this week.
The latest attack is identical to the other two in that hundreds of thousands of computers are used to overwhelm the sites' bandwidth, said Atif Mushtaq, a security researcher for FireEye who has been monitoring the attacks.
The hacktivists also claim to be behind the distributed denial of service (DDoS) attacks last week against Bank of America and JPMorgan Chase, as well as the attack on U.S. Bank yesterday.
PNC has confirmed the attack. Spokesman Fred Solomon told The Chicago Tribune that the disruption affected some online customers. "We are working to restore full service to everyone," he said.
Based on the kind of traffic Mushtaq has seen, the banks' sites are being overwhelmed by requests from the computers of supporters of the hacktivists. The group, which calls itself "Mrt. Izz ad-Din al-Qassam Cyber Fighters," has used social networks, including Google+, underground sites, and its own website to recruit sympathizers.
"I'm not surprised that there are thousands and thousands of people performing this type of DDoS," Mushtaq said.
The hacktivists have said that the attacks are in retaliation for a video trailer denigrating the Prophet Muhammad. The amateurish YouTube video, made in the U.S., has sparked violent protests in the Middle East and other regions.
To participate in the hacktivists' campaign, a supporter goes to one of two file-sharing sites and downloads a program written in a scripting language that runs inside a web browser.
Once the program is running, a person only has to click a "start attack" button to send continuous requests to the target's website. All of the traffic seen by FireEye has come from web browsers, an indication that the attackers are not using a network of compromised machines, called a botnet. Botnets are also a popular method for launching distributed denial of service attacks, which are said to be crude but still effective.
"The bad part about this attack is it's so simple," Mushtaq said. "They're not using any botnet. They're using browsers."
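The distinction FireEye draws here, all traffic from browsers and therefore no botnet, is one a defender can make from ordinary web-server access logs. The following Python is an added example, not code from the article, FireEye or Imperva; the log lines, IP addresses, hostnames and the recruitment-page URL in it are constructed. It parses Combined Log Format lines, flags sources whose request count exceeds a threshold in the sampled window, and labels the flood as browser-driven or scripted from the User-Agent strings. It also reports off-site Referer values on the assumption, not stated in the article, that a tool page hosted elsewhere would leave one on each request:

```python
"""Triage an access log for a volunteer, browser-driven flood vs a scripted one.

Added example, not code from the article, FireEye or Imperva. All log lines,
IP addresses, hostnames and the tool-page URL below are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx Combined Log Format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Mainstream browser families of the period. Assumption: this approximates the
# "traffic from Web browsers" FireEye described. UA strings are client-controlled.
BROWSER_UA_RE = re.compile(r"^Mozilla/\d\.\d .*\b(Chrome|Firefox|Safari|MSIE|Trident)\b")
RATE_THRESHOLD = 5  # requests per source in the sampled window; tune per site


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def requests_per_second(recs):
    """Average request rate of one source over the span of its own requests."""
    span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
    return len(recs) / max(span, 1.0)


def triage(lines, site_host, threshold=RATE_THRESHOLD):
    """Group requests by source, find hot sources and classify the flood."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)
    hot = {ip: recs for ip, recs in per_ip.items() if len(recs) > threshold}
    # A hot source is browser-like only if every one of its requests carries a browser UA.
    browser_like = [ip for ip, recs in hot.items()
                    if all(BROWSER_UA_RE.search(r["ua"]) for r in recs)]
    # Assumption: a tool page hosted off-site leaves an off-site Referer on the flood.
    offsite = Counter(r["referer"] for recs in hot.values() for r in recs
                      if r["referer"] not in ("", "-") and site_host not in r["referer"])
    if not hot:
        verdict = "normal"
    elif len(browser_like) / len(hot) >= 0.8:
        verdict = "browser flood"      # consistent with a volunteer browser tool
    else:
        verdict = "scripted flood"     # consistent with a botnet or command-line tool
    return {
        "hot_sources": sorted(hot),
        "rates": {ip: round(requests_per_second(recs), 2) for ip, recs in hot.items()},
        "browser_like": sorted(browser_like),
        "offsite_referers": dict(offsite),
        "verdict": verdict,
    }


# ---- constructed sample data -------------------------------------------------
def _line(ip, sec, path, referer, ua):
    return (f'{ip} - - [27/Sep/2012:10:00:{sec:02d} -0400] "GET {path} HTTP/1.1" '
            f'200 5120 "{referer}" "{ua}"')

CHROME = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.4 (KHTML, like Gecko) "
          "Chrome/22.0.1229.79 Safari/537.4")
FIREFOX = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:15.0) Gecko/20100101 Firefox/15.0.1"
SCRIPT = "Python-urllib/2.7"
BANK = "www.bank.example"                           # constructed target host
TOOL_PAGE = "http://recruit.example/attack.html"    # constructed recruitment page

# One volunteer's browser looping on the front page with a cache-busting query string.
BROWSER_FLOOD = [_line("198.51.100.7", s, f"/?_={1000 + s}", TOOL_PAGE, CHROME) for s in range(8)]
# An ordinary visitor, for contrast.
BENIGN = [_line("203.0.113.5", 3, "/", "-", FIREFOX),
          _line("203.0.113.5", 9, "/login", f"https://{BANK}/", FIREFOX)]
# What a botnet node or command-line tool tends to leave: no browser UA, no Referer.
BOT_FLOOD = [_line("192.0.2.9", s, "/", "-", SCRIPT) for s in range(8)]

if __name__ == "__main__":
    for name, sample in (("browser", BROWSER_FLOOD + BENIGN), ("bot", BOT_FLOOD + BENIGN)):
        print(name, triage(sample, BANK))
```

Two caveats apply in practice. User-Agent and Referer are set by the client and trivially spoofed, so this is triage, not attribution; a bot can claim to be Chrome, and corroboration has to come from signals a standard log line does not hold (Accept-Language and cookie behaviour, TLS handshake characteristics, whether the client fetches the page's sub-resources). And a volunteer campaign spreads its load across many sources, so the per-source threshold should be set from the site's own baseline rather than the value used here.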
Rob Rachwald, director of security for Imperva, said an all-volunteer army launching such an attack is unusual. Hacktivists often use a combination of supporters and botnets, he said. In addition, rather than try to overwhelm the bandwidth of a large bank, attackers often first find a weak or resource-intensive component of the site and direct their traffic at just that area.
While he has not monitored the recent attacks, Rachwald said he believes the attackers are more sophisticated than a simple volunteer flood would suggest. One indication is that the hacktivists posted warnings in advance, naming the targeted banks. Even with that notice, the banks were unable to prevent disruption.
"It tells you that more than likely the attackers were pretty sophisticated," he said. "They're using some new technique, or variation of older techniques to bring the sites down."
None of the banks have given details of the attacks.
Ideological hacktivism was the primary motivation behind DDoS attacks last year, according to Arbor Networks' annual survey of Internet service providers. The number of high-bandwidth DDoS attacks increased significantly, with 25% exceeding the total bandwidth into the targeted data center.
At the same time, there are a variety of DDoS attack tools and services available in the underground, Arbor said.