Banking customers can expect that the latest wave of Distributed Denial of Service (DDoS) attacks against select institutions will continue into the new year, according to an announcement by the extremist group Izz ad-Din al-Qassam Cyber Fighters, who renewed operations against the financial sector two weeks ago after having ceased the attacks for nearly a month.
In the latest Pastebin message posted on Christmas day, the group vowed that "widespread attacks will be carried out on U.S. Banks like previous weeks" in protest of a controversial YouTube video. The attacks began in earnest in mid-September, and have resulted in intermittent downtime for online banking websites for almost a dozen of the biggest financial institutions in the country, including U.S. Bancorp, JPMorgan Chase, Bank of America, PNC Financial Services Group, SunTrust, HSBC, Ally Bank, BB&T, Wells Fargo and Capital One.
In response to the second wave of attacks, the Office of the Comptroller of the Currency (OCC) issued an advisory last week for financial institutions and technology service providers which encouraged a proactive and cooperative effort to mitigate the effects of the attacks, stating:
"Banks need to have a heightened sense of awareness regarding these attacks and employ appropriate resources to identify and mitigate the associated risks. Preparations may include ensuring sufficient staffing for the duration of DDoS attacks in conjunction with pre-contracted third-party servicers that can assist in managing the Internet-based traffic flow. Additionally, banks should ensure that their incident response effectively involves the appropriate personnel across multiple lines of business and external partners. Banks should also consider conducting due diligence reviews of service providers, such as ISPs and Web-hosting servicers, to ensure they have taken the necessary steps to identify and mitigate the risks stemming from potential DDoS attacks."
The OCC advisory also reiterated warnings that the DDoS operations could be used in conjunction with attacks designed to facilitate fraudulent wire transfers, as had been suspected during the first round of attacks by the Izz ad-Din al-Qassam Cyber Fighters.
"Fraudsters also use DDoS attacks to distract bank personnel and technical resources while they gain unauthorized remote access to a customer’s account and commit fraud through Automated Clearing House (ACH) and wire transfers (account takeover). In this scenario, the DDoS can occur immediately before, during, or after the attack," the advisory stated.
Suspicions that the attacks may be part of a larger "mega-heist" at the hands of Russian criminal networks first arose after the initial DDoS attacks this fall. On September 19, the Financial Services Information Sharing and Analysis Center (FS-ISAC) had warned member institutions to be vigilant after having received "credible intelligence regarding the potential for DDoS and other cyber attacks" aimed at the financial sector.
The advisory was issued just one day after FS-ISAC, the FBI and the Internet Crime Complaint Center (IC3) jointly published an alert warning of an uptick in the targeting of financial institution employee network access credentials in an attempt to conduct fraudulent wire transfers. “The DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer,” the IC3 advisory stated.
No concrete evidence has emerged to connect the DDoS attacks by the Izz ad-Din al-Qassam Cyber Fighters to efforts to take over accounts or pilfer funds, but "the OCC expects banks that are victims of or adversely affected by a DDoS attack to report this information to law enforcement authorities and to notify their supervisory office. Additionally, banks should voluntarily file a Suspicious Activity Report (SAR) if the DDoS attack affects critical information of the institution including customer account information, or damages, disables or otherwise affects critical systems of the bank," according to the OCC advisory.
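The OCC and IC3 advisories quoted above describe the same detection problem from the defender's side: a DDoS that lands immediately before, during, or after a fraudulent wire or ACH transfer is meant to keep staff from looking at that transfer in time. The script below is an added example (not from the article or from either advisory) of the correlation a fraud or SOC team can run: it takes the bank's own record of DDoS incident windows plus a feed of outbound transfers and flags high-value transfers that fall inside or within a margin around any incident. The incident windows, transfer records, the two-hour margin and the $10,000 threshold are all constructed for the example.

```python
"""Flag high-value wire/ACH transfers that coincide with DDoS incident windows.

Added example, not part of the original article or the OCC/IC3 advisories.
Assumes the institution already records DDoS incidents as (start, end)
windows and logs outbound transfers with a timestamp; all sample data here
is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DdosIncident:
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Transfer:
    transfer_id: str
    account: str
    amount: float
    initiated_at: datetime
    channel: str  # "wire" or "ach"


def proximity_to_incident(t: datetime, incident: DdosIncident,
                          margin: timedelta) -> Optional[str]:
    """Return 'before', 'during' or 'after' if t lies within `margin` of the
    incident window, mirroring the advisory's three phases; None otherwise."""
    if incident.start <= t <= incident.end:
        return "during"
    if incident.start - margin <= t < incident.start:
        return "before"
    if incident.end < t <= incident.end + margin:
        return "after"
    return None


def flag_transfers(transfers: List[Transfer], incidents: List[DdosIncident],
                   margin: timedelta = timedelta(hours=2),
                   min_amount: float = 10_000.0) -> List[Tuple[str, str]]:
    """Return (transfer_id, phase) for every transfer at or above min_amount
    that falls within `margin` of any DDoS incident. Transfers below the
    threshold are skipped so the review queue stays focused on the
    account-takeover scenario the advisories describe."""
    flagged: List[Tuple[str, str]] = []
    for tr in transfers:
        if tr.amount < min_amount:
            continue
        for inc in incidents:
            phase = proximity_to_incident(tr.initiated_at, inc, margin)
            if phase is not None:
                flagged.append((tr.transfer_id, phase))
                break  # one match is enough to queue the transfer for review
    return flagged


# Constructed sample data: one DDoS window and five transfers around it.
SAMPLE_INCIDENTS = [
    DdosIncident(datetime(2012, 12, 19, 14, 0), datetime(2012, 12, 19, 16, 30)),
]

SAMPLE_TRANSFERS = [
    Transfer("W1", "acct-1001", 250_000.0, datetime(2012, 12, 19, 12, 30), "wire"),  # 90 min before
    Transfer("W2", "acct-2002", 180_000.0, datetime(2012, 12, 19, 15, 10), "wire"),  # during
    Transfer("W3", "acct-3003", 95_000.0, datetime(2012, 12, 19, 17, 45), "ach"),    # 75 min after
    Transfer("W4", "acct-4004", 2_500.0, datetime(2012, 12, 19, 15, 20), "ach"),     # during, but small
    Transfer("W5", "acct-5005", 500_000.0, datetime(2012, 12, 18, 9, 0), "wire"),    # day before, no match
]


if __name__ == "__main__":
    for transfer_id, phase in flag_transfers(SAMPLE_TRANSFERS, SAMPLE_INCIDENTS):
        print(f"REVIEW {transfer_id}: initiated {phase} a DDoS incident")
```

Run as-is it reports W1, W2 and W3 for manual review; W4 is under the amount threshold and W5 is outside the margin. In a production feed the margin and threshold would be tuned to the institution's normal wire volume, and the flagged list would feed the same review queue that supports the SAR decision the OCC advisory asks banks to make.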
To better defend against the threats posed by DDoS attacks, IT-Harvest's Richard Stiennon recommends organizations consider deploying innovative solutions now available on the market, noting that a first line of defense often is needed to filter unwanted traffic before it ever reaches the targeted network. "Why not deploy an intelligent appliance behind the router and in front of the firewall? Filter out all the junk before you expend any resources in your firewall, or log all the events with your IDS/SIEM. Reduce your need for multiple servers and load balancers," Stiennon said.
Organizations concerned about the potential for exposure to DDoS attacks are encouraged to take a free DDoS preparedness assessment test which provides a customized evaluation and subsequent recommendations based on answers to a short questionnaire. The DDoS assessment can be conducted in a matter of minutes by following the instructions here: DDoS Preparedness Test.