Hacktivists Threaten More DDoS Attacks

Banking Institutions Warned to Look Out for Fraud

By Tracy Kitten, February 13, 2013. Follow Tracy @FraudBlogger

Credit Eligible

• 
• 
• 

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters, in a Feb 12 posting, warns that its distributed-denial-of-service attacks against U.S. banks and credit unions could resume soon. The group had announced on Jan. 29 a suspension of its attacks.

Security experts warned, even before the latest posting, that more DDoS attacks against banking institutions were likely, saying the hacktivist group's reasons for suspending the attacks seemed suspicious. Evidence also suggests the botnet used in the attacks continues to grow.

Rodney Joffe, a senior technologist for online security provider Neustar Inc., says the botnet has likely already been used against other industries in other global markets. And other security experts agree the attacks eventually could be used to conceal fraud.

As a result, banking institutions, as well as other organizations with a significant online presence, need to stay vigilant and committed to DDoS prevention.

The Office of the Comptroller of the Currency late in 2012 recommended that banks:

• Prepare for DDoS attacks by having sufficient staffing in place;
• File suspicious activity reports if DDoS attacks affect critical information, including customer account details, or if damage occurs to critical banking systems;
• Conform to the Federal Financial Institutions Examination Council's updated authentication guidance and implement layers of security;
• Provide accurate and timely communication to customers or members regarding website problems, risks and precautions.

Mixed Messages

On Jan. 29, Izz ad-Din al-Qassam CyberFighters announced plans to suspend its attacks against U.S. banks, citing as the reason the removal of YouTube's most popular link to a video deemed offensive to Muslims (see Hacktivists Suspend DDoS Attacks).

But in its latest Pastebin post, the hacktivist group says that unless other links to the video also are quickly removed, U.S. banking institutions are at risk of a resumption of attacks.

"We warn again that, remove the film copies till there is time and do not harden the situation for yourself and banks' online users," the group's post states.

New Attacks Anticipated

Many in the industry expected the suspension of attacks to be short-lived.

"Now is not a time for anyone to let their guard down simply because [hacktivists] said they've 'called off' the attacks," says a security officer at a midwestern community institution, who asked to remain anonymous. "In my mind, it just tells me they're planning something even bigger and more damaging."

Financial fraud consultant Al Pascual, an analyst with Javelin Strategy & Research, notes: "The industry should remain guarded, but other industries should take note, as Izz ad-Din al-Qassam could potentially change their primary target after sharpening their teeth on the financial industry."

Joffe of Neustar says evidence suggests the botnet already has been used in attacks beyond those striking U.S. banking institutions.

"The attacks against the banks started on Sept. 18," Joffe says. "However, we already saw the same malware being spread through an attack on Aug. 19. It's almost like an attack that's looking for a purpose. The video seems to have provided that purpose."

Joffe claims the same botnet used in recent DDoS campaigns against the U.S. financial sector was used in earlier attacks waged against different industries in different countries, although he declined to elaborate on the details.

The hacktivists' two attack campaigns against banks "all could just be a way of demonstrating the size and the capability of the botnet," he adds.

The sporadic nature of the attacks suggests criminal organizations are behind them, or that the hacktivists are more interested in leasing their botnet for profit than they are in making a political statement, he contends.

"It is quite possible that the controllers of the botnet are in business, and not notionally connected with the ultimate attackers, and are being paid by someone with a political motive," Joffe says.

• 1
• 2

Follow Tracy Kitten on Twitter: @FraudBlogger