Attackers have targeted financial institution websites with distributed denial of service (DDoS) attacks that are designed to render sites unavailable to legitimate customers. The attackers claim to be politically motivated and protesting proposed legislation in the United States related to intellectual property and copyright laws. However, because of the distributed nature of the attacks, there is no single source that can be attributed to the attacks. The financial institutions are considered critical infrastructure, and the attacks have the attention of the U.S. presidential administration and Congress and are currently under investigation by the U.S. Federal Bureau of Investigation (FBI). The Financial Services Information Sharing and Analysis Center (FS-ISAC) and FBI have issued warnings to the financial sector. The attacks were also included in the Cisco Cyber Risk Reports for September 17–23 and September 24–30, 2012, with additional analysis and hyperlinks to media reporting.
A DDoS attack aims to overwhelm a targeted site's capacity to process and respond to requests, with the desired result of rendering the website completely unavailable. Depending on the capacity of the targeted site or its capability to filter requests, a DDoS attack may use specially formatted requests that are designed to make a targeted site consume even more resources in responding to any given request, furthering the aims of the attack.
Several different types of traffic have been observed as part of the DDoS attacks. The attacks have sent large numbers of network packets to TCP port 53 (DNS) or 80 (HTTP) in an attempt to exhaust the available network connections. Other types of traffic have requested predetermined web pages from the targeted websites to overwhelm the targeted web servers. As a result of the attacks, several financial services websites, including those of Bank of America, JPMorgan Chase, MasterCard, PNC Bank, U.S. Bank, Visa, and Wells Fargo, were unavailable for periods of minutes or hours. Financial services websites have been targeted in new attacks, including the previously targeted Bank of America and JPMorgan Chase and the new targets PNC, SunTrust, and U.S. Bancorp.
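The second traffic pattern described above, repeated requests for a predetermined page, is visible from the web tier in ordinary access logs. The following is an added detection example (not part of the Cisco report or its Applied Mitigation Bulletin) that parses constructed Common Log Format lines and flags a source on two signals: a per-source request rate over a sliding window, and a single URL path accounting for nearly all of a source's requests. The thresholds, the window size, and the sample addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are assumptions for illustration and must be tuned against the site's own baseline.

```python
"""Flag flood-style request patterns in web-server access logs.

Added example, not Cisco's code. Input lines are in Common Log Format;
the sample log at the bottom is constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed CLF line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window_s=10, rate_limit=20,
                  same_path_ratio=0.9, min_requests=10):
    """Return {ip: [findings]} for sources that look like flood traffic.

    "rate"            : more than rate_limit requests inside any window_s seconds
    "same-path:<url>" : one path makes up >= same_path_ratio of the source's
                        requests (only judged once min_requests were seen)
    Thresholds are hypothetical defaults, not recommended values.
    """
    recent = defaultdict(deque)                  # ip -> timestamps in window
    paths = defaultdict(lambda: defaultdict(int))  # ip -> path -> count
    totals = defaultdict(int)
    findings = defaultdict(set)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                             # skip malformed lines
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                          # drop timestamps outside window
        if len(q) > rate_limit:
            findings[ip].add("rate")
        totals[ip] += 1
        paths[ip][rec["path"]] += 1

    for ip, total in totals.items():
        if total >= min_requests:
            top_path, top_n = max(paths[ip].items(), key=lambda kv: kv[1])
            if top_n / total >= same_path_ratio:
                findings[ip].add(f"same-path:{top_path}")

    return {ip: sorted(f) for ip, f in findings.items()}


def sample_log():
    """Constructed log: one source hammering /login, one browsing normally."""
    fmt = '{ip} - - [12/Mar/2013:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for i in range(30):                          # 30 hits on one page in 10 s
        lines.append(fmt.format(ip="203.0.113.7", sec=i // 3, path="/login"))
    for i, path in enumerate(["/", "/about", "/rates", "/contact", "/login"]):
        lines.append(fmt.format(ip="198.51.100.5", sec=i * 12, path=path))
    return lines


if __name__ == "__main__":
    for ip, why in detect_floods(sample_log()).items():
        print(ip, why)
```

The per-source rate check also gives a rough server-side view of the connection-exhaustion floods described in the first pattern, but it only sees requests that completed, so packet-level floods against port 53 or 80 need flow or firewall telemetry rather than web logs. In production the same logic should be run over a stream rather than a list, and a flagged source should feed a rate limiter or upstream filter rather than an outright block, since legitimate proxies and NATs also produce high request counts.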
On March 12, six U.S. banking institutions experienced DDoS attacks perpetrated by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters during its third phase of attacks, known as Operation Ababil Phase 3. The group claims it attacked the U.S. banking institutions because of a YouTube video it deemed offensive to Muslims. These attacks are evolving, and the botnet used, known as Brobot, had a significant infection rate, which could give the attackers more resources to conduct further attacks. The encrypted attacks have become more refined and, coupled with the increased infection rate of Brobot, could allow the attackers to attack multiple institutions at once. As a result, this phase could be considered more disruptive than the previous waves of attacks; however, larger banking institutions have been able to defend themselves or minimize the impact of Brobot.
Although DDoS attacks are primarily an attempt to disrupt services and render websites unavailable to legitimate users, reports indicate that the Office of the Comptroller of the Currency issued a warning concerning these DDoS attacks and the possibility that they could be used to mask fraud occurring in the background.
DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services.
Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
Cisco has released an Applied Mitigation Bulletin available at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions