Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield: Security Activity Bulletin
2012 October 01 20:47 GMT
2013 March 26 16:29 GMT
Additional information is available regarding new attacks against financial institutions.
Attackers have targeted financial institution websites with distributed denial of service (DDoS) attacks that are designed to render sites unavailable to legitimate customers. The attackers claim to be politically motivated and protesting proposed legislation in the United States related to intellectual property and copyright laws. However, because of the distributed nature of the attacks, there is no single source that can be attributed to the attacks. The financial institutions are considered critical infrastructure, and the attacks have the attention of the U.S. presidential administration and Congress and are currently under investigation by the U.S. Federal Bureau of Investigation (FBI). The Financial Services Information Sharing and Analysis Center (FS-ISAC) and FBI have issued warnings to the financial sector. The attacks were also included in the Cisco Cyber Risk Reports for September 17–23 and September 24–30, 2012, with additional analysis and hyperlinks to media reporting.
A DDoS attack aims to overwhelm a targeted site's capacity to process and respond to requests, with the desired result of rendering the website completely unavailable. Depending on the capacity of the targeted site or its capability to filter requests, a DDoS attack may use specially formatted requests that are designed to make a targeted site consume even more resources in responding to any given request, furthering the aims of the attack.
Several different types of traffic have been observed as part of the DDoS attacks. The attacks have sent large numbers of network packets to TCP port 53 (DNS) or 80 (HTTP) in an attempt to exhaust available allowed network connections. Other types of traffic have requested predetermined web pages from the targeted websites to overwhelm the targeted web servers. As a result of the attacks, several financial services websites, including those of Bank of America, JPMorgan Chase, MasterCard, PNC Bank, U.S. Bank, Visa, and Wells Fargo, were unavailable for periods of minutes or hours. Financial services websites have been targeted in new attacks, including previously targeted Bank of America and JPMorgan Chase and new targets PNC, SunTrust, and U.S. Bancorp.
On March 12, six U.S banking institutions experienced DDoS attacks perpetrated by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters during its third phase of attacks known as Operation Ababil Phase 3. The group claims the reason it attacked the U.S. banking institutions was due to a Youtube video deemed offensive to Muslims. These attacks are evolving and the bot used, known as Brobot, had a significant infection rate which could give the attackers more resources to conduct further attacks. The encrypted attacks have become more refined, and coupled with the increased infection rate of Brobot, could allow the attackers the ability to attack multiple institutions at once. As a result of the attacks, this phase could be considered to be more disruptive than the previous waves of attacks; however, larger banking institutions have been able to defend themselves or minimize the impact of Brobot.
Although DDoS attacks are used as an attempt to disrupt services and render websites unavailable to legitimate users, reports indicate that the Office of the Comptroller for the Currency issued a warning concerning these DDoS attacks, and the possibility that the attacks could be used to mask fraud occurring in the background.
DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services.
Version 3, December 13, 2012, 10:49 AM: Additional information is available regarding new attacks against financial institutions.
Version 2 October 4, 2012, 5:45 PM: Cisco Security Research Operations has released an Applied Mitigation Bulletin to address the ongoing distributed denial of service attacks.
Version 1, October 1, 2012, 4:47 PM: Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service attacks, decreasing availability of those sites to legitimate customers.
The security vulnerability applies to the following combinations of products.
Security Activity Bulletin
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.