Islamic group expands targets in bank DDoS attacks

An Islamic group that launched a third wave of high-powered distributed denial-of-service (DDoS) attacks against U.S. banks in March has started targeting other financial organizations, including credit card companies and financial brokerages, security experts say.

The hacktivist group that calls itself Cyber Fighters of Izz ad-Din al-Qassam has been hammering U.S. banks since last September. The attacks have caused major disruptions in online banking, but have not resulted in system breaches or the theft of data.

With each new wave of attacks the group has shifted to other targets. The first wave, which lasted about six weeks from mid-September to mid-October, targeted mostly major financial institutions. Targets included Wells Fargo, U.S. Bank, Bank of America, JPMorgan Chase & Co. and PNC Bank. In the second phase, which went for seven weeks from December to late January, the attackers expanded to mid-tier banks and credit unions.

In the latest wave, which started Feb. 25 and is the longest so far, the attackers have gone beyond just banking institutions, which over the months have grown more adept at fending off the attackers, John Summers, vice president of Akamai Technologies’ security business, said Wednesday.

Akamai, whose clients include nine of the world’s top 10 banks, saw attacks against credit-card companies and financial brokerages, but declined to name them. In a Pastebin post, the Islamic group said Tuesday that it launched attacks last week against investment manager Principal Financial, financial planner Ameriprise, and financial services company State Street.

A DDoS attack took discount brokerage Charles Schwab & Co. offline for an hour Tuesday and intermittently on Wednesday. Schwab did not know who was behind the attack.

Along with expanding the type of targets, the attackers have grown more sophisticated. Rather than stick with flooding sites with network traffic, the attackers are directing their packets to the application layer reserved for secured communication protocols, which is where most of the banks’ online business is conducted. In the largest such attack so far, 30 gigabits per second of bogus traffic was sent over SSL, roughly 70 times the bank’s normal peak traffic, Summers said.

[Related earlier stories: Banks can only hope for the best with DDoS attacks | Wells Fargo recovers after site outage | Theories mount on bank attacks, but experts stress defense | Arab hackers attack Western websites over film | Best defense against cyberattacks is good offense, says former DHS official]

The Islamic group has also started doing pre-attack probing of sites that involve sending four- to six-minute bursts of 18 million requests a second to see if the site falters. If it does, then they come back a few days later with a full-scale assault.

“That sort of probe-based, pre-attack reconnaissance is something new that we’ve seen in the phase three section,” Summers said.

Given the group’s constant shift in targets and growing sophistication, security experts did not expect the attacks to end anytime soon. “All projecting current trends forward, it’s not clear they have any intention of stopping,” Summers said.

From the start, the attackers have used a botnet of Web servers compromised using the Brobot DDoS tool, also known as “itsoknoproblembro.” In March, the botnet was linked to DDoS attacks against three online role-playing sites used by gamers, BankInfoSecurity reported. The attacks led some security experts to speculate that either the botnet was hijacked or rented out.

Scott Hammack, chief executive of Prolexic, said the company has seen Brobot traffic used against energy companies and organizations in Europe. However, Hammack did not know who was behind the attacks, but believed it was more than one group.

“It’s difficult to say, but yes, that would be my guess,” he said.

The Islamic group claims they are acting in protest of a YouTube video mocking the Prophet Muhammad. They vow to continue the attacks until the video, called the Innocence of Muslims, is removed from the site. U.S. government officials have said they believe the attacks are originating from Iran.