The number of financial institutions whose websites are being targeted by cyber attacks continues to grow in the weeks following a security advisory issued by the Financial Services – Information Sharing and Analysis Center (FS-ISAC) which warned of increased threats.
Institutions which experienced significant website downtime in recent days caused by Distributed Denial of Service (DDoS) attacks now include Wells Fargo, US Bank and PNC, in addition to Bank of America, JPMorgan Chase, and the New York Stock Exchange, which were targeted last week.
An Islamic extremist group called Izz ad-Din al-Qassam Cyber Fighters is claiming responsibility for the campaign, which has caused some minor inconveniences for online banking customers, though most services were restored by the affected banks in a matter of hours and there have been no reports of customer or corporate data loss.
During network-layer DDoS attacks, a large number of requests are sent to a web server at such high frequency that they overwhelm the processing capacity and cause the system to reset or shut down altogether.
The net effect is that the server can no longer operate correctly and the targeted website is rendered unusable. It is increasingly the method of attack for hackers who want to bring down a site – often at very little expense. Any company or organization that relies on the Internet for its business is a target. Traditional network-layer DDoS attacks are generally low-tech and easy to carry out. In addition, there is a newer variant, the low-and-slow attack, which stays beneath the bandwidth-consumption radar that volumetric detection relies on, making it hard to identify and mitigate.
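The two attack shapes described above show up differently in server telemetry: a volumetric flood is visible as a spike in new connections per second and bytes per second, while a low-and-slow attack keeps bytes per second low and instead ties up many long-lived, nearly idle connections. The following classifier is an added example written for this article, not code from any of the organizations named in it. It runs over constructed connection records (source, start time, end time, bytes received) and all thresholds are hypothetical values chosen for the sample, not operational figures from the page.

```python
"""Classify per-source web traffic as normal, volumetric flood, or low-and-slow.

Added example for this article; all thresholds and sample records are hypothetical.
"""
from collections import Counter, defaultdict

# Hypothetical detection thresholds (not from the article).
FLOOD_CONN_PER_SEC = 20.0      # peak new-connection rate that marks a volumetric flood
SLOW_MIN_DURATION_S = 30.0     # a connection held open at least this long counts as "slow"
SLOW_MAX_BYTES_PER_SEC = 10.0  # ...when it also trickles almost no data
SLOW_MIN_CONCURRENT = 20       # this many slow connections open at once = low-and-slow
WINDOW_S = 10.0                # bin width used for the peak new-connection rate


def build_sample_connections():
    """Constructed records (source_ip, start_s, end_s, bytes_in); not real traffic."""
    conns = []
    # A normal client: four short connections with modest request bodies.
    conns += [("198.51.100.7", t, t + 0.2, 900) for t in (0, 5, 12, 30)]
    # A volumetric flood: 400 tiny connections inside 10 seconds from one source.
    conns += [("203.0.113.9", i * 0.025, i * 0.025 + 0.01, 300) for i in range(400)]
    # Low-and-slow: 40 connections each held open for 120 s while sending 50 bytes.
    conns += [("192.0.2.33", i * 0.5, i * 0.5 + 120.0, 50) for i in range(40)]
    return conns


def peak_concurrency(intervals):
    """Maximum number of (start, end, bytes) intervals open at the same instant."""
    events = sorted([(s, 1) for s, _, _ in intervals] + [(e, -1) for _, e, _ in intervals])
    current = peak = 0
    for _, delta in events:  # at equal timestamps a close (-1) sorts before an open (+1)
        current += delta
        peak = max(peak, current)
    return peak


def classify_sources(conns, window=WINDOW_S):
    """Return {source_ip: {"label", "peak_conn_per_sec", "avg_bytes_per_sec", ...}}."""
    by_src = defaultdict(list)
    for src, start, end, nbytes in conns:
        by_src[src].append((start, end, nbytes))

    report = {}
    for src, recs in by_src.items():
        # Volumetric signal: how many new connections land in the busiest window.
        bins = Counter(int(start // window) for start, _, _ in recs)
        peak_rate = max(bins.values()) / window

        # Bandwidth signal: average bytes per second over the source's observed span.
        span = max(end for _, end, _ in recs) - min(start for start, _, _ in recs)
        avg_bps = sum(n for _, _, n in recs) / span if span > 0 else float("inf")

        # Low-and-slow signal: long-lived connections that send almost nothing.
        slow = [
            (s, e, n) for s, e, n in recs
            if (e - s) >= SLOW_MIN_DURATION_S and n / (e - s) <= SLOW_MAX_BYTES_PER_SEC
        ]
        slow_concurrent = peak_concurrency(slow)

        if peak_rate >= FLOOD_CONN_PER_SEC:
            label = "flood"
        elif slow_concurrent >= SLOW_MIN_CONCURRENT:
            label = "low_and_slow"
        else:
            label = "normal"

        report[src] = {
            "label": label,
            "peak_conn_per_sec": round(peak_rate, 2),
            "avg_bytes_per_sec": round(avg_bps, 1),
            "peak_slow_concurrent": slow_concurrent,
        }
    return report


if __name__ == "__main__":
    for src, info in classify_sources(build_sample_connections()).items():
        print(src, info)
```

The point the numbers make is the one the article raises: the low-and-slow source ends up with a lower average bytes-per-second figure than the legitimate client, so a bandwidth-only threshold never sees it, while the count of concurrently open, near-idle connections identifies it immediately. In production the same logic would run against connection-tracking or web-server access logs rather than an in-memory list.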
On Wednesday, September 19, the FS-ISAC had warned member institutions to be vigilant after having received what was described as “credible intelligence regarding the potential for DDoS and other cyber attacks” aimed at the financial sector.
The FS-ISAC, an industry forum for collaboration on security measures, had also raised the current financial services threat level from “elevated” to “high.” In addition to threats from DDoS attacks, institutions were also warned that a zero-day vulnerability in Microsoft’s Internet Explorer was being actively exploited.
“Members should maintain a heightened level of awareness, apply all appropriate updates and update AV and IDS/IPS signatures, and ensure constant diligence in monitoring and quick response to any malicious events,” the FS-ISAC stated on its website.
The advisory was issued just one day after FS-ISAC, the FBI and the Internet Crime Complaint Center (IC3) jointly published an alert warning of an uptick in the targeting of financial institution employee network access credentials in an attempt to conduct fraudulent wire transfers.
Intelligence from the FBI indicated several instances of wire fraud have been attributed to the use of social engineering tactics being employed in conjunction with several malware tools delivered through exposure to spear-phishing emails.
“The actor(s) primarily used spam and phishing e-mails to target their victims. Once compromised, key loggers and RATs installed on the financial institution employee’s computer provided the actor(s) with complete access to internal networks and logins to third party systems. Variants of ZeuS malware were used to steal the employee’s credentials in a few reported incidents,” the alert stated.
Authorities also suspect that botnet-driven DDoS attacks are being used as a diversionary tactic in unison with the spear-phishing campaign. “The DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer. One botnet that has been used for this type of distraction is the Dirtjumper botnet,” the advisory continued.
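If the DDoS is a smokescreen for fraudulent wire transfers, the defensive response is to make the smokescreen itself a trigger: transfers initiated while a DDoS mitigation window is open (plus a grace period for the distraction to wear off) should be queued for a second look rather than released automatically. The check below is an added example written for this article, not code or policy from FS-ISAC, the FBI, or any bank named here; the alert windows, transfers, grace period and value threshold are all constructed, hypothetical values.

```python
"""Hold high-value wire transfers that coincide with a DDoS mitigation window.

Added example for this article; every record and threshold is constructed/hypothetical.
"""
from datetime import datetime, timedelta

# Constructed DDoS alert windows: (start, end) of the period the SOC was under attack.
DDOS_WINDOWS = [
    ("2012-09-26T14:05:00", "2012-09-26T15:40:00"),
]

# Constructed outbound wire transfer requests: (id, initiated_at, amount_usd, initiating_user).
WIRE_TRANSFERS = [
    ("W1001", "2012-09-26T09:15:00", 12000.0, "clerk-a"),   # hours before the attack
    ("W1002", "2012-09-26T14:32:00", 185000.0, "clerk-b"),  # during the attack, high value
    ("W1003", "2012-09-26T14:50:00", 4000.0, "clerk-c"),    # during the attack, low value
    ("W1004", "2012-09-26T15:55:00", 240000.0, "clerk-d"),  # 15 min after, inside the grace period
    ("W1005", "2012-09-26T18:00:00", 95000.0, "clerk-e"),   # well after the window closed
]

HOLD_GRACE = timedelta(minutes=30)  # hypothetical: keep holding this long after mitigation ends
HIGH_VALUE_USD = 100000.0           # hypothetical: amount above which a hold is mandatory


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def in_ddos_window(initiated_at, windows, grace=HOLD_GRACE):
    """True if the transfer was initiated during, or within `grace` after, any DDoS window."""
    t = _parse(initiated_at)
    for start, end in windows:
        if _parse(start) <= t <= _parse(end) + grace:
            return True
    return False


def transfers_to_hold(transfers, windows, grace=HOLD_GRACE, high_value=HIGH_VALUE_USD):
    """Return {transfer_id: reason} for every transfer that should be held for manual review.

    Policy modelled here: any transfer above `high_value` initiated inside a DDoS window
    (or its grace period) is held; lower-value transfers in the window are only annotated.
    """
    held = {}
    for tid, initiated_at, amount, user in transfers:
        if not in_ddos_window(initiated_at, windows, grace):
            continue
        if amount >= high_value:
            held[tid] = (
                f"{user} initiated USD {amount:,.0f} at {initiated_at} during or shortly "
                f"after an active DDoS mitigation window; verify out-of-band before release"
            )
    return held


def annotate_in_window(transfers, windows, grace=HOLD_GRACE):
    """Ids of all transfers that fell inside a DDoS window, regardless of value."""
    return [tid for tid, ts, _, _ in transfers if in_ddos_window(ts, windows, grace)]


if __name__ == "__main__":
    for tid, reason in transfers_to_hold(WIRE_TRANSFERS, DDOS_WINDOWS).items():
        print(f"HOLD {tid}: {reason}")
    print("in-window (all values):", annotate_in_window(WIRE_TRANSFERS, DDOS_WINDOWS))
```

The grace period is the important design choice: the advisory's scenario is that staff are still busy with the outage when the transfer lands, so a hold that ends the instant mitigation is declared complete would miss transfers queued in the last minutes of the attack.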
It is unclear at this point whether the latest attacks are connected to the instances of wire fraud identified by the FBI, and some high-ranking officials have indicated they think the attacks may be state-sponsored because of their sophisticated nature.
Senator Joe Lieberman stated he believes Iranian government forces may be responsible for the continued assault on the financial institutions. “I don’t believe these were just random hackers. I think this was done by Iran and the Quds Force, which has its own developing cyberattack capability,” Lieberman said on C-SPAN.
Many security experts point out the difficulty involved in accurate attribution. Proxies, routing tricks, compromised systems, and spoofed IP addresses can be easily coordinated to give the appearance that an attack is originating far from the actual source.
In many cases, it is nearly impossible to clearly determine the origin of an attack, and even more difficult to ascertain if the event was state-sponsored or instigated by individual actors.