The hacktivist group, which has been hammering U.S. banks since late last year, has now expanded attacks to other financial services companies.

An Islamic group that launched a third wave of high-powered distributed denial-of-service (DDoS) attacks against U.S. banks in March has started targeting other financial organizations, including credit card companies and financial brokerages, security experts say.

The hacktivist group that calls itself Cyber Fighters of Izz ad-Din al-Qassam has been hammering U.S. banks since last September. The attacks have caused major disruptions in online banking, but have not resulted in system breaches or the theft of data.

With each new wave of attacks the group has shifted to other targets. The first wave, which lasted about six weeks from mid-September to mid-October, targeted mostly major financial institutions. Targets included Wells Fargo, U.S. Bank, Bank of America, JPMorgan Chase & Co. and PNC Bank. In the second phase, which went for seven weeks from December to late January, the attackers expanded to mid-tier banks and credit unions.

In the latest wave, which started Feb. 25 and is the longest so far, the attackers have gone beyond just banking institutions, which over the months have grown more adept at fending off the attackers, John Summers, vice president of Akamai Technologies’ security business, said Wednesday. Akamai, whose clients include nine of the world’s top 10 banks, saw attacks against credit-card companies and financial brokerages, but declined to name them. In a Pastebin post, the Islamic group said Tuesday that it launched attacks last week against investment manager Principal Financial, financial planner Ameriprise, and financial services company State Street.

A DDoS attack took discount brokerage Charles Schwab & Co. offline for an hour Tuesday and intermittently on Wednesday. Schwab did not know who was behind the attack. Along with expanding the type of targets, the attackers have grown more sophisticated.
Rather than stick with flooding sites with network traffic, the attackers are directing their packets to the application layer reserved for secured communication protocols, which is where most of the banks’ online business is conducted. In the largest such attack so far, 30 gigabits per second of bogus traffic was sent over SSL, roughly 70 times the bank’s normal peak traffic, Summers said.

The Islamic group has also started pre-attack probing of sites, which involves sending four- to six-minute bursts of 18 million requests a second to see if the site falters. If it does, then they come back a few days later with a full-scale assault.

“That sort of probe-based, pre-attack reconnaissance is something new that we’ve seen in the phase three section,” Summers said.

Given the group’s constant shift in targets and growing sophistication, security experts did not expect the attacks to end anytime soon. “All projecting current trends forward, it’s not clear they have any intention of stopping,” Summers said.

From the start, the attackers have used a botnet of Web servers compromised using the Brobot DDoS tool, also known as “itsoknoproblembro.” In March, the botnet was linked to DDoS attacks against three online role-playing sites used by gamers, BankInfoSecurity reported. The attacks led some security experts to speculate that either the botnet was hijacked or rented out. Scott Hammack, chief executive of Prolexic, said the company has seen Brobot traffic used against energy companies and organizations in Europe.
Hammack did not know who was behind the attacks, but believed it was more than one group.

“It’s difficult to say, but yes, that would be my guess,” he said.

The Islamic group claims they are acting in protest of a YouTube video mocking the Prophet Muhammad. They vow to continue the attacks until the video, called the Innocence of Muslims, is removed from the site. U.S. government officials have said they believe the attacks are originating from Iran.