Distributed denial-of-service attacks have continued to hamper the online operations of major financial institutions, but two reports shed light on the motivations of the attackers.
On Jan. 8, Internet security firm Incapsula released its analysis of a compromised server used in the attack on banks. The analysis concludes that the attackers continue to use compromised Web servers to fuel the attacks and suggests that a single group appeared to be using that particular server but was hiring it out to other attackers as well. The server, belonging to a new client of Incapsula, targeted banks but also targeted regular e-commerce sites, suggesting the owners may be hiring it out, said Ronen Atias, a security researcher with Incapsula’s Israeli research arm.
“The owner of the botnet-for-hire could be part of this terror group” attacking banks, he said. “But in order to fund itself, maybe they moonlight for financial gain.”
The Web server contained a backdoor that allowed a command-and-control server in Turkey to point the attacks at various banks, including PNC Bank, HSBC and Fifth Third Bank, the analysis stated.
Since the summer, massive distributed denial-of-service (DDoS) attacks have targeted financial institutions, but also other industries, say security experts. While the motives of the attackers are unclear, at least one group of claimed hacktivists has said the attacks are in retribution for the posting of a video on YouTube that insults the prophet Muhammad.
In their latest statement online, the pro-Muslim hacker group Izz ad-Din al-Qassam Cyber Fighters took credit for the ongoing attacks on banks and said it would continue the attacks for many months to come unless they video was pulled down.
“Despite the high cost of U.S. banks to deal with these attacks, the attacks cannot go under control and are unstoppable,” the group stated. “Dissatisfaction of customers of the banking services is increasing, but, by contrast, the banks’ responsibility about the disruptions of their activities is reducing day by day.”
Yet, a report in The New York Times Jan. 9 claimed that the U.S. government believes Iran to be behind the attacks.
For the most part, evidence of the attacks has been anecdotal. Alleged customers have complained online—at sitedown.co, for example—that accounts at certain banks are inaccessible. Some security firms have made general statements about the attacks, but the banks themselves have been mum on the details.
Because the attackers have aimed at the application servers that allow customers to access banking details rather than the public-facing Websites, external researchers have had trouble confirming the outages.
In its analysis, security firm Incapsula has investigated data uploaded to the server and found an unused script that resembled those used in the attacks. In addition, the company found that the attackers programmed the server to spread out its bursts of traffic over time, a sophisticated technique, said Mark Gaffan, co-founder of Incapsula.
“That is actually a smart strategy,” he said. “When a DDoS attack hits a target, it takes a site down, and there has to be human intervention to bring it back up. There is no point in continuing to hit a target when it’s down.”