The websites of major U.S. banks were attacked this week in an ongoing campaign that reflects the changing tactics used in distributed denial of service (DDoS) strikes, a security expert says.
The attackers, who call themselves the Izz ad-Din al-Qassam Cyber Fighters, launched attacks Tuesday against the websites of U.S. Bancorp, JPMorgan Chase & Co., Bank of America, PNC Financial Services Group and SunTrust Banks. The group, which has been targeting banks since September, warned of the latest assault on Pastebin the day before the attacks.
While the DDoS strikes failed to disrupt the banks' online operations, they did provide some important lessons for enterprises faced with such a threat, said Dan Holden, director of security research at Arbor Networks, which performs DDoS mitigation for some of the targeted banks.
First off, the attacks showed that perimeter defenses such as firewalls and intrusion prevention systems can filter traffic for malware, but are useless against today's complex DDoS attacks. Instead, corporations need on-premise technology that can provide up-to-the-minute information on an attack before it takes down a website or business application.
[See also: Largest banks under constant cyberattack, feds say]
Security providers that offload DDoS traffic generated to overwhelm a website need to take another look at their capacity levels, Arbor said. The latest bank attacks show perpetrators are capable of targeting multiple organizations in the same industry, which can strain the capacity of mitigation service providers.
Another lesson learned is over the changing tactics of attackers. DDoS no longer means just flooding a site with traffic. Instead, attackers like the ones targeting the banks are bombarding sites to divert attention away from the application layer, so they can look for vulnerabilities more susceptible to a targeted attack.
"The big lesson learned on the enterprise side is the fact that application DoS can still take you out, even if the traffic is mitigated," Holden said.
The focus on web applications has changed the profile of attackers. "While these [bank attacks] are not the most sophisticated attacks in the world, it's obvious these guys are fluent in the web application side of things, as well as the DDoS side," Holden said.
The application layer attacks were on HTTP, HTTPS and DNS, while the large-scale traffic was on a variety of Internet protocols, including TCP, UDP and ICMP, Arbor said. Login pages or any other page where data is submitted are favorite application targets on banking sites.
The Cyber Fighters launch their attacks from servers with PHP-based web applications that have been compromised, as well as WordPress sites using the out-of-date TimThumb plugin. Poorly maintained sites are easy targets for deploying attack tools.
With the exception of a few tweaks in the latest attacks, the tools used against the banks since September have been similar. The most prominent attack tool is one called Brobot, also called itsoknoproblembro, Arbor said. Two other tools used less often are KamiKaze and AMOS.
So far, none of the attacks have been catastrophic. Interruptions have been brief and intermittent, at best.
The perpetrators and their motive remain unclear. The group has claimed it is protesting YouTube video trailers denigrating the Prophet Muhammad. The crude trailers promoted an amateurish film called the "Innocence of Muslims," and sparked violent protests in many Muslim countries.
The sophistication of the attacks indicates more than just a grassroots campaign. Theories on the motivation include Iran striking back for U.S.-led economic sanctions and cybercriminals trying to distract banks from noticing fraudulent wire transfers.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.