DDoS Attacks on Major Banks Causing Problems for Customers

Customers of Wells Fargo, Citibank and Bank of America have had problems accessing their accounts online due to denial-of-service attacks, but the extent of the attacks is unclear.

A number of major banks have endured massive distributed denial-of-service attacks for much of December, with customers from Wells Fargo, Citibank and Bank of America reportedly complaining that they were unable to access the banks' Websites toward the end of the month.

Despite defenders adapting to new attack techniques, the denial-of-service attacks that started earlier in December have had some success in keeping customers from accessing their accounts online. On Dec. 21, the U.S. Treasury Department warned that a number of groups were using denial-of-service attacks to slow financial institutions' responses to account fraud.

"Recently, various sophisticated groups launched distributed denial-of-service [DDoS] attacks directed at national banks and federal savings associations," the Office of the Comptroller of the Currency, part of the U.S. Treasury Department, said in the alert.

"Each of the groups had different objectives for conducting these attacks, ranging from garnering public attention to diverting bank resources while simultaneous online attacks were under way and intended to enable fraud or steal proprietary information."

On Dec. 25, a pro-Muslim hacker group, using the name Izz ad-Din al-Qassam Cyber Fighters, stated in a post on Pastebin that they would continue their attacks against a variety of banks this week, calling for the U.S. government to take down a video that insulted the prophet Muhammad.

"By understanding the caused problems for ordinary customers, we frequently do apologize for the disruptions in their financial transactions," the group stated. "We suggest that U.S. government and the banks should seek a logical and easy solution instead of spending big to deal with these attacks."

SiteDown.com, a Website for registering outage complaints, lists Bank of America, Citibank and Wells Fargo as having 470, 467 and 50 complaints, respectively, registered in the past week. The service does not investigate the complaints itself, which could lead to fraudulent reports.

However, eWEEK confirmed that Citibank had repeated issues with accessibility since the beginning of this week. While the bank's site was accessible, repeated errors would appear following customer log-in. Citibank did not immediately return requests for comment.

Wells Fargo's customers could not access their online accounts for much of last week, according to a Dec. 24 Reuters report. A spokesperson for the bank did not confirm the issues, but provided a statement via email.

"We have significant efforts in place to ensure our online and mobile channels remain available and operational so we can service our customers' financial needs," the spokesperson stated. "We constantly monitor the environment, assess potential threats and take action as warranted."

Bank of America, PNC Bank and SunTrust reportedly had accessibility issues earlier this month, following the Izz ad-Din al-Qassam Cyber Fighters' original pledge to attack the banks.

The U.S. Treasury and security experts have warned that many denial-of-service attacks are a way to hinder banks' response to online account theft, and that banks should not assume that such attacks are politically motivated.

"Fraudsters also use DDoS attacks to distract bank personnel and technical resources while they gain unauthorized remote access to a customer's account and commit fraud through Automated Clearing House (ACH) and wire transfers," the agency stated.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...