Tag Archives: denial of service attack

California financial institution website hit with Distributed Denial of Service (DDoS) Attack costing $900,000

A Christmas Eve cyberattack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000. At approximately midday on December 24, 2012, organized cyber crooks began moving money out of corporate accounts belonging to Ascent Builders, a construction firm based in Sacramento, Calif. In short order, the company’s financial institution – San Francisco-based Bank of the West – came under a large distributed denial of service (DDoS) attack, a digital assault which disables a targeted site using a flood of junk traffic from compromised PCs. KrebsOnSecurity contacted Ascent Builders on the morning of Dec. 26 to inform them of the theft, after interviewing one of the money mules used in the scam. Money mules are individuals who are willingly or unwittingly recruited to help the fraudsters launder stolen money and transfer the funds abroad. The mule in this case had been hired through a work-at-home job offer after posting her resume to a job search site, and said she suspected that she’d been conned into helping fraudsters. Ascent was unaware of the robbery at the time, but its bank would soon verify that a series of unauthorized transactions had been initiated on the 24th and then again on the 26th. The money mule I spoke with was just one of 62 such individuals in the United States recruited to haul the loot stolen from Ascent. Most of the mules in this case were sent transfers of between $4,000 and $9,000, but several of them had bank accounts tied to businesses, to which the crooks wired huge transfers from Ascent’s account; five of the fraudulent transfers were for amounts ranging from $80,000 to $100,000. Mark Shope, president of Ascent Builders, said that when the company’s controller originally went online on the morning of Dec. 24 to check the firm’s accounts, her browser wouldn’t let her access the bank’s page.
She didn’t know it at the time, but her computer was being remotely controlled by the attackers’ malware, which blocked her from visiting the bank’s site. “It said the bank was offline for 24 hours, and we couldn’t get in to the site,” Shope said. “We called the bank and they said everything was fine.” But soon enough, everything would not be fine from Bank of the West’s end. Not long after putting through a batch of fraudulent automated clearing house (ACH) and wire transfers from Ascent’s accounts, the fraudsters initiated a DDoS attack against the bank’s Web site, effectively knocking it offline. It’s not clear what tactics or botnets may have been used in the DDoS attack, but the cyberheist+DDoS approach matches the profile of cybercrime gangs using the Gameover Trojan – a ZeuS Trojan variant that has been tied to numerous DDoS attacks initiated to distract attention from high-dollar cyberheists. Shope said the FBI is actively investigating the breach. The FBI declined to comment for this story. Bank of the West also did not respond to requests for comment. But a law enforcement source working the case and speaking on condition of anonymity confirmed that the bank was subjected to a DDoS attack at the time of the robbery. The law enforcement official added that Ascent may not have been the only victim that day at Bank of the West, and that several other businesses and banks in the local area had been similarly robbed on or around Christmas Eve. Shope said Bank of the West has been able to claw back about half of the stolen funds, and expects to recover a great deal more. He said many of the bigger fraudulent transfers went to other businesses. For example, one of the mules was either running or working at a Hertz equipment rental franchise on the East Coast, and had called Ascent Builders to complain after the bank discovered the fraud and began clawing back large transfers.
That mule, apparently unaware he was helping thieves launder stolen money, was calling to find out what happened to his $82,000. “We got a call from a Hertz rental equipment company back east, and they said ‘Why did you take this deposit out of our account?’” Shope recalled. “I asked him what he thought it was for, and he said, ‘Oh, this was for some equipment that we were purchasing for you guys from Russia, and we already sent the money on [to Russia], so what’s going on?’”

A few thoughts about this attack. If you run a business and suddenly find yourself unable to log in to your commercial account, pick up the phone and call your bank to inquire about any recent money transfer activity. Very often, malware that thieves use to steal banking passwords in these cyberheists will also redirect the victim to an error page that says the bank’s site is down for maintenance. If this happens to you, call your bank and ask them to check your accounts (don’t trust a customer service phone number offered on a “down for maintenance” page; call the number on your bank card or search online for the institution’s customer service number). Also, get educated about the risks of banking online with a business account, and then take steps to make sure your organization isn’t the next victim. Regulation E limits the liability for consumers who lose money due to unauthorized account activity online (provided they notify their financial institution of the fraudulent activity within 60 days of a statement). Businesses do not enjoy such protections, although a couple of recent court cases brought by cyberheist victims against their banks have gone in favor of the businesses, suggesting that banks may find it increasingly difficult to disavow financial liability in the wake of these attacks going forward. Finally, consider banking online with a dedicated system.
This is among several recommendations I include in a short list of other tips that small businesses should consider when banking online.


The multiple faces of Distributed Denial of Service (DDoS) Attacks

According to Stratecast, DDoS attacks are increasing in number by 20% to 45% annually. Google, Microsoft, Apple, PayPal, Visa, MasterCard… many of the world’s largest websites have all been victims of Distributed Denial of Service (DDoS) attacks. A DDoS attack consists of having a multitude of systems attack a single target in an attempt to make its resources unavailable to its intended users. During the last decade, the number of DDoS attacks has increased and their motivations and targets have evolved. Karine de Ponteves, FortiGuard AV analyst at Fortinet, traces the evolution of these attacks.

Early 2000: Into the spotlight

Although we can’t be sure when the first real DDoS attack occurred, the first large-scale distributed attack (DDoS) happened in 1999, against the IRC server of the University of Minnesota. 227 systems were affected and the attack left the university’s server unusable for two days. In February 2000, many popular websites including Yahoo!, eBay, CNN and Amazon.com were paralyzed for hours. Yahoo! suffered a loss of $500,000 during its three hours of downtime, while the volume of activity of the CNN.com site dropped by 95%. The downtime loss was huge. A 15-year-old Canadian known as “Mafiaboy” was arrested and charged for the attacks. His motivation? Defiance. This teenager just wanted to show off his skills. To do so, he scanned a network to find a number of vulnerable hosts; compromised the hosts by exploiting a known vulnerability; deployed software turning each host into a “zombie”; and then propagated the attack so that each zombie would in turn compromise new targets, following the same process.

2005: A lucrative attack

In the early 2000s, in order to create a botnet to launch a DDoS attack, the hacker would have to follow the same steps as the ones used by Mafiaboy. With the advent of Internet worms, those steps became automated, enabling a hacker to trigger large-scale attacks.
In August 2005, 18-year-old Farid Essabar, who had never studied computer programming, was arrested for the spread of the MyTob worm. The worm would open a backdoor on the infected MS Windows host, connecting to a remote IRC server and waiting for commands. It would self-propagate at reboot, copying itself over network shares, opening the door to massive DDoS attacks with all the hosts compromised by the worm executing the commands sent over IRC. The outbreak was covered live on CNN as the TV channel’s own computer network became infected. What were the intentions this time? Not to actually disrupt corporate networks, but to extort thousands of dollars from companies by threatening to target DDoS attacks at their networks. Quickly, the targeted enterprises decided to pay the extortionists rather than deal with the consequences of a DDoS attack.

2010: DDoS and hacktivism

In 2010, mainstream media extensively reported high-profile DDoS attacks motivated by political or ideological issues, such as the well-publicized Wikileaks/Anonymous series of incidents. That year, attackers dramatically increased attack volumes and, for the first time, launched attacks breaking the 100 Gbps barrier, which represents about 22,000 times the average bandwidth of an Internet user in the U.S. in 2010. In December, Wikileaks came under intense pressure to stop publishing secret United States diplomatic cables. In response, the Anonymous group announced its support, and gave the name Operation Payback to the series of DDoS attacks it led against Amazon, PayPal, MasterCard and Visa in retaliation for their anti-Wikileaks behavior. These attacks caused both MasterCard’s and Visa’s websites to be brought down on December 8th. The tool behind the Anonymous/Wikileaks attacks is called the Low Orbit Ion Cannon (LOIC). Although it was originally an open-source load-testing tool, designed to conduct stress tests for web applications, in that case it was used as a DDoS tool.

2012 and beyond: The acceleration of application-layer attacks

Although there are many different attack methods, DDoS attacks can generally be classified into two categories:

- Volumetric attacks: flood attacks that saturate network bandwidth and infrastructure (e.g. UDP, TCP SYN and ICMP floods).
- Application-layer attacks: attacks designed to target specific services and exhaust their resources (HTTP, DNS). Because they use less bandwidth, they are harder to detect.

The ideal situation for an application-layer DDoS attack is one where all other services remain intact but the web server itself is completely inaccessible. The Slowloris tool was born from this concept: rather than flooding the link, it opens many connections to the web server and keeps each one alive by sending partial HTTP headers a few bytes at a time, so the server’s connection slots fill up while the attack generates very little traffic. That makes it far stealthier than most flooding tools. According to Stratecast, DDoS attacks are increasing in number by 20% to 45% annually, with application-based DDoS attacks increasing at triple-digit rates. The trend toward application-layer DDoS attacks is clear, and unlikely to reverse. This trend is not, however, an indication that network-layer, flow-based, volumetric attacks will cease. On the contrary, both types of attacks will be combined to be more powerful. The 2012 Verizon Data Breach Investigations Report reveals that several high-profile application-layer DDoS attacks hiding behind volumetric attacks were used to obscure data theft efforts, showing that multi-vector attacks are now used to hide the true target of the attack. DDoS attacks are growing in frequency and severity while, in parallel, the means to launch an attack are simplified and the availability of attacker tools increases. In addition, the complexity of these attacks is increasing due to their polymorphic nature as well as the development of new tools to obfuscate their true nature. As a result, traditional methods of detection are often useless and mitigation gets more difficult.
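The Slowloris behaviour described above is what makes idle timeouts insufficient: each connection keeps receiving a few bytes, so it never looks idle. The following is an added example, not code from the original article or from Fortinet, showing the two controls a front end needs against slow-header connections: a deadline for the complete header block measured from connection open (not from the last byte received) and a cap on concurrent connections per source address. It runs with no network I/O; the connection timeline, the 10-second deadline and the 20-per-IP cap are all assumptions made for the illustration.

```python
"""Slow-header (Slowloris-style) connection guard.

Added example, not code from the original article or from Fortinet. It
simulates, with no network I/O, the two limits a front end needs against
an application-layer attack that opens many connections and trickles
partial HTTP headers: a deadline for the *complete* header block measured
from connection open (an idle timeout alone is defeated by the trickle),
and a cap on concurrent connections per source address. The event
sequence in simulate() is constructed for illustration.
"""
from dataclasses import dataclass

HEADER_DEADLINE_S = 10.0   # assumption: full request headers within 10 s of connect
MAX_CONN_PER_IP = 20       # assumption: per-source concurrency cap


@dataclass
class Conn:
    src_ip: str
    opened_at: float
    buf: bytes = b""
    headers_done: bool = False


class SlowHeaderGuard:
    def __init__(self, header_deadline=HEADER_DEADLINE_S, max_per_ip=MAX_CONN_PER_IP):
        self.deadline = header_deadline
        self.max_per_ip = max_per_ip
        self.conns = {}     # conn_id -> Conn
        self.per_ip = {}    # src_ip -> number of open connections
        self.events = []    # (time, conn_id, action, reason) audit trail

    def on_open(self, conn_id, src_ip, now):
        """Accept a new connection unless the source already holds too many."""
        if self.per_ip.get(src_ip, 0) >= self.max_per_ip:
            self.events.append((now, conn_id, "reject", "per-ip cap"))
            return False
        self.conns[conn_id] = Conn(src_ip, now)
        self.per_ip[src_ip] = self.per_ip.get(src_ip, 0) + 1
        self.events.append((now, conn_id, "accept", ""))
        return True

    def on_data(self, conn_id, data, now):
        """Buffer bytes; an empty line (CRLF CRLF) terminates the header block."""
        c = self.conns.get(conn_id)
        if c is None or c.headers_done:
            return
        c.buf += data
        if b"\r\n\r\n" in c.buf:
            c.headers_done = True
            self.events.append((now, conn_id, "headers-complete", ""))

    def on_close(self, conn_id, now, reason="client"):
        c = self.conns.pop(conn_id, None)
        if c is None:
            return
        self.per_ip[c.src_ip] -= 1
        self.events.append((now, conn_id, "close", reason))

    def tick(self, now):
        """Drop every connection still lacking complete headers past the deadline.

        The deadline runs from opened_at, not from the last byte received, so
        periodic keep-alive header lines do not reset it.
        """
        expired = [cid for cid, c in self.conns.items()
                   if not c.headers_done and now - c.opened_at > self.deadline]
        for cid in expired:
            self.on_close(cid, now, reason="header deadline")
        return expired


def simulate():
    """Replay a constructed timeline: one legitimate client, one slow-header attacker."""
    g = SlowHeaderGuard()
    # Legitimate client: connects, sends a complete request at once, is served, closes.
    g.on_open("L1", "203.0.113.5", 0.0)
    g.on_data("L1", b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n", 0.05)
    g.on_close("L1", 0.10)
    # Attacker: 30 connections from one address, each sending only a partial header,
    # then one bogus header line every 5 s to look alive without ever finishing.
    attacker = "198.51.100.7"
    accepted = [cid for cid in (f"A{i}" for i in range(30)) if g.on_open(cid, attacker, 1.0)]
    for cid in accepted:
        g.on_data(cid, b"GET / HTTP/1.1\r\nHost: www.example\r\n", 1.0)
    dropped = []
    for now in (6.0, 11.0, 12.0):
        for cid in accepted:
            g.on_data(cid, b"X-a: b\r\n", now)   # Slowloris-style trickle
        dropped += g.tick(now)
    return {
        "accepted": len(accepted),
        "rejected": 30 - len(accepted),
        "dropped_at_deadline": len(dropped),
        "legit_dropped": "L1" in dropped,
        "open_after": len(g.conns),
    }


if __name__ == "__main__":
    print(simulate())
```

In the constructed run the per-IP cap rejects 10 of the attacker’s 30 connections outright, the remaining 20 are dropped at the 12-second tick because their header block never completed within 10 seconds of connect, and the legitimate client is never touched. Anchoring the deadline to connection open rather than to the last received byte is the design choice that matters; an idle timeout would be reset by every trickled header line.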
With such evolution, it is essential that organizations revise their security posture and make sure they have the right defenses in place to be protected against DDoS attacks. Here, the main challenge is to have sufficient visibility and context to detect a wide range of attack types without slowing the flow and processing of legitimate traffic, and then to mitigate the attack in the most effective manner. A multi-layer defense strategy is thus essential to enable granular control and protection of all components that are in the critical path of online activities.

Source: http://www.ciol.com/ciol/experts/174422/the-multiple-ddos-attacks/page/2


9 steps that help defend against Distributed Denial of Service (DDoS) Attacks

Most experts agree that agencies can’t defend against and mitigate the impact of denial of service attacks all by themselves, but there are steps they can take to strengthen their defenses. Denial of service – DOS – is a blanket term for a variety of types of attacks, carried out in numerous ways, all directed at making online resources unavailable to the public. Attacks can be launched from multiple platforms, creating a distributed denial of service attack, or DDOS. Although they usually do not damage the target systems or compromise data, they can damage reputations, cost money and interfere with carrying out missions. Specifics will vary with each attack, but the U.S. Computer Emergency Readiness Team notes that, “In general, the best practice for mitigating DDOS attacks involves advanced preparation.” Some recommendations for advance preparation from US-CERT include:

- Develop a checklist for standard operating procedures to follow in the event of an attack, including maintaining a checklist of contact information for internal firewall teams, intrusion detection teams and network teams, as well as for service providers. Identify who should be contacted during an attack, what processes should be followed by each and what information is needed.
- ISPs and hosting providers might provide mitigation services. Be aware of the service-level agreement provisions.
- Identify and prioritize critical services that should be maintained during an attack so IT staff will know what resources can be turned off or blocked as needed to limit the effects of the attack. Ensure that critical systems have sufficient capacity to withstand an attack.
- Keep network diagrams, IT infrastructure details and asset inventories current and available to help understand the environment.
- Have a baseline of the daily volume, type and performance of network traffic to help identify the type, target and vector of an attack. Identify existing bottlenecks and remediation actions needed.
- Harden the configuration settings of the network, operating systems and applications by disabling unnecessary services and applications.
- Implement a bogon (bogus IP address) block list at the network boundary to drop traffic from source addresses that should never appear on the public Internet.
- Employ service screening on edge routers where possible to decrease the load on stateful security devices such as firewalls.
- Separate or compartmentalize critical services, including public and private services; intranet, extranet and Internet services; and create single-purpose servers for services such as HTTP, FTP and DNS.

Some additional advice for preparing yourself from Marc Gaffan, cofounder of Incapsula:

- Have the capacity to absorb additional traffic. It might be impractical to provision all the bandwidth needed, and the exact amount to have available will be a business decision. But a good rule of thumb would be to maintain about 150 percent of normally needed capacity.
- Maintain customer transparency. Ideally, people coming to the site shouldn’t know it is defending itself against an attack. “People don’t like to hang around where something bad is going on,” Gaffan said. And if a bogus connection is suspected, give the user a chance to verify. It might be impractical to use additional security such as Captcha verification for every connection during an attack, but don’t arbitrarily drop every questionable connection.
- Differentiate between legitimate automated traffic and DOS traffic. There can be a high volume of legitimate automated traffic generated by search engine crawls and management tools that should not be blocked. Knowing what this traffic looks like in advance can help identify DOS traffic.
- Be prepared to quickly identify and respond to DOS attacks so that defenses can be brought to bear quickly, minimizing downtime.

Source: http://gcn.com/Articles/2013/01/24/9-steps-defend-against-DDOS.aspx?Page=2
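Two of the US-CERT items above, the bogon block list and the traffic baseline, are the ones that pay off in the first minutes of an attack. The following is an added example, not code from the GCN article or from US-CERT, showing how they combine: constructed flow records are filtered for bogon source addresses, then the remaining per-service volume is compared against a stored baseline to name the vector and its top sources. The record layout, the baseline numbers and the 3x threshold are assumptions; the bogon set is deliberately trimmed (RFC 1918, loopback, link-local, 0/8, shared address space, multicast and reserved) so that the RFC 5737 documentation addresses used here as “public” sources pass. A production list, such as Team Cymru’s, also covers the documentation ranges and unallocated prefixes and must be refreshed regularly.

```python
"""Boundary triage for a suspected DoS: bogon filtering plus traffic baseline.

Added example, not code from the GCN article or US-CERT. Applies two of
the preparation steps to constructed flow records: drop traffic whose
source is a bogon (reserved or unallocated space that should never arrive
from the Internet), then compare the remaining per-service volume against
a stored baseline to name the attack vector and its top sources.
Assumptions: the flow-record layout, the baseline figures, the threshold
and the (trimmed) bogon set are all made up for this example.
"""
import ipaddress
from collections import defaultdict

# Trimmed bogon set; a production list also covers RFC 5737 documentation
# ranges and currently unallocated prefixes.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumed normal per-minute volume per service: (bytes, packets).
BASELINE = {"tcp/443": (60_000, 80), "tcp/80": (30_000, 40), "udp/53": (400_000, 600)}
RATIO_THRESHOLD = 3.0   # assumption: flag a service at 3x its baseline

# Constructed one-minute sample: "timestamp src dst proto dport bytes pkts".
# Two records carry bogon sources (RFC 1918 and link-local); the udp/53 flood
# from 203.0.113.77-79 is the simulated attack.
SAMPLE = """\
2013-01-24T10:00:01 203.0.113.5  198.51.100.10 tcp 443 18400 22
2013-01-24T10:00:02 203.0.113.9  198.51.100.10 tcp 80 9200 14
2013-01-24T10:00:02 10.0.0.7     198.51.100.10 udp 53 1200000 1600
2013-01-24T10:00:03 169.254.4.4  198.51.100.10 udp 53 1200000 1600
2013-01-24T10:00:03 203.0.113.77 198.51.100.10 udp 53 1500000 2000
2013-01-24T10:00:04 203.0.113.78 198.51.100.10 udp 53 1500000 2000
2013-01-24T10:00:04 203.0.113.79 198.51.100.10 udp 53 1500000 2000
2013-01-24T10:00:05 203.0.113.21 198.51.100.10 tcp 443 22000 30
"""


def is_bogon(ip):
    """True when the address falls inside any listed bogon prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts; skips blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes, pkts = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "svc": f"{proto}/{dport}",
                      "bytes": int(nbytes), "pkts": int(pkts)})
    return flows


def triage(flows, baseline=BASELINE, threshold=RATIO_THRESHOLD):
    """Return the bogon drop count and, per flagged service, ratios and top sources."""
    kept = [f for f in flows if not is_bogon(f["src"])]
    agg = defaultdict(lambda: [0, 0])                 # svc -> [bytes, pkts]
    by_src = defaultdict(lambda: defaultdict(int))    # svc -> src -> bytes
    for f in kept:
        agg[f["svc"]][0] += f["bytes"]
        agg[f["svc"]][1] += f["pkts"]
        by_src[f["svc"]][f["src"]] += f["bytes"]
    vectors = {}
    for svc, (b, p) in agg.items():
        base_b, base_p = baseline.get(svc, (1, 1))    # unknown service: any volume is anomalous
        br, pr = b / base_b, p / base_p
        # Packet ratio catches SYN-style floods of small packets; byte ratio catches
        # bandwidth floods. Either crossing the threshold flags the service.
        if max(br, pr) >= threshold:
            top = sorted(by_src[svc].items(), key=lambda kv: -kv[1])[:3]
            vectors[svc] = {"bytes_ratio": round(br, 2), "pkts_ratio": round(pr, 2),
                            "top_sources": [s for s, _ in top]}
    return {"bogon_dropped": len(flows) - len(kept), "vectors": vectors}


if __name__ == "__main__":
    print(triage(parse_flows(SAMPLE)))
```

On the constructed sample the two bogon-sourced records are dropped before they can inflate the picture, udp/53 comes out at 11.25x its byte baseline and 10x its packet baseline, and the tcp/80 and tcp/443 services stay below threshold, which is exactly the “type, target and vector” the checklist asks the baseline to reveal.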


DOSarrest Rolls Out New Website Monitoring Service

VANCOUVER, Jan. 22, 2013 /CNW/ – DOSarrest Internet Security today announced a new website monitoring service called the “DOSarrest External Monitoring Service” or “DEMS”. This new service is a real-time, geographically distributed system capable of monitoring a number of website performance metrics from three different geographic regions, every 60 seconds, utilizing six different sensors. The service may be purchased as a stand-alone product but is free for all DOSarrest customers subscribed to DOSarrest’s industry leading DDoS protection service. DOSarrest’s CTO, Jag Bains, states: “This is a must have if you’re using a CDN or are hosting some high-end, mission critical websites, and it’s a perfect fit for our fully managed DDoS protection service. This combined with our existing traffic metrics gives us and our customers the best visibility in the DDoS protection services arena.” Jag Bains adds: “Although there are similar types of services available from third parties, our customers can also choose to have the DOSarrest support staff investigate, pin-point and advise the customer on a plan of action, 24/7/365. No such service exists today that offers this type of customer support.” Mark Teolis, GM of DOSarrest, comments: “It’s a very intuitive and elegant design. I use it myself to view the status of all of our customers’ websites. At a glance and without a click, I can tell in real time if anyone is down from six different vantage points, and can easily drill down to a specific site and timeline of events for that site. Many Content Delivery Networks do not offer such a service to their customers.
Their customers would have no idea if there was an issue accessing their website in a different region of the country or globe.” More information on this service can be found at: http://www.dosarrest.com/dems

About DOSarrest Internet Security: DOSarrest, founded in 2007 in Vancouver, BC, Canada, is one of only a couple of companies worldwide to specialize exclusively in cloud-based DDoS protection services. Their global client base includes mission critical ecommerce websites in a wide range of business segments including financial, health, media, education and government. Their innovative systems, software and exceptional service have been leading edge for over 5 years now.

SOURCE: DOSarrest Internet Security Limited
For further information: Brian Mohammed, Director of Sales and Marketing. Toll free CAN/US 888 818-1344 ext. 203. Toll Free UK 0-800-635-0551 ext. 203. Mobile: 416-434-6174. www.dosarrest.com
Check out our video: http://www.youtube.com/watch?v=mUs0vWYEIkQ


The dark cloud over US bank Distributed Denial of Service (DDoS) Attacks

Some in the US point the finger at Iran. Another group, called the Izz ad-Din al-Qassam Cyber Fighters, motivated by the US Government’s inability to remove an anti-Muslim video called the Innocence of Muslims, claimed responsibility for the recent Distributed Denial of Service (DDoS) attacks which have brought down US banking sites since September. But the identity of the perpetrator behind these recent events is only of secondary concern in this story, which has been gracing US headlines for months now. This is because at the moment, for the banks that were attacked, the problem all lies in the Cloud. Since September last year, the attacks have affected some of the world’s biggest banking names including Wells Fargo, Bank of America, Citigroup and HSBC. The attackers did not make off with personal data, or commit any form of fraud, but they did move DDoS off the PC and onto the remote server, where they could push forward with new, improved artillery, powered by faster performance and more and better network connections. Those who point the finger at Iran say their reason for blame lies in the sophistication of the attack, but security company Imperva’s CTO and co-founder Amichai Shulman says that, to some extent, launching an attack from the server, especially when the Cloud is involved, can be easier and, even more importantly, more cost effective. “Basically the attackers still use compromised PCs. They use these PCs to search for vulnerable servers and then exploit these, injecting code into the server so that from that time on, the attackers control the servers from a central location, usually behind an anonymizer,” Shulman says. If the attack only relied on PCs, Shulman says 10 to 100 times more compromised PCs would be required than servers to launch an attack of a similar magnitude. “It is more complex managing 100,000 PCs or even 10,000 than managing those compromised servers.
Once they can reduce the management complexity they can reduce costs and increase their ability to launch operations on a more frequent basis.” According to security firm Radware’s VP of Security Solutions Carl Herberger, who was talking with the American Banker, banks have never seen such large-scale DDoS attacks. Radware has been working with banks and cloud computing providers following the attacks, which have risen with the increased uptake of cloud adoption by the financial services industry. Herberger says one unnamed bank with enough internet capacity to handle 40bn bytes of data saw nearly twice that amount of traffic as a result of the DDoS onslaught. “The multiplying of the flood is unbelievable,” Herberger told American Banker. “Their servers, processors and offloading devices simply could not handle this problem.” Has this not been thought of before? Security, you would think, will always be a top concern for a financial services player. But the Cloud has made security a much more difficult promise, according to both Shulman and Herberger. “Cloud increases the risk because it is easier to use by the attackers and harder to mitigate by the bankers,” Shulman says. Herberger says the main problem comes from banks’ leasing of cloud services, an approach that ties together the facilities of the banks and the cloud computing providers. This makes it more difficult to block traffic from a particular internet address when an organization comes under cyber attack, because the same provider infrastructure carries legitimate bank traffic. He says eventually such attacks could be used as a distraction for more malicious and fraudulent activity. Shulman says in the past, banks (which are no strangers to DDoS attacks) have overcome the DDoS threat by installing higher amounts of bandwidth. “But you cannot over-allocate network bandwidth just because there might be the possibility of someone launching a large attack at some time. It is just too costly,” Shulman says.
“The bank’s primary risk is its data set, or financial fraud, and they are well prepared for that. But this is another technique coming up, and the threat is a very real threat. One thing to remember though is that while these banks have suffered from the recent attacks, there wasn’t a single attack that actually took down one of the banking applications for an entire day.”

A new challenge

This could be good news, but Shulman says in the world of the hacker it can also mean another challenge – and that, in the long run, means more persistent attacks. Shulman says Imperva has been studying this new trend in its own labs and that every day he sees attackers targeting a new vulnerable type of server, often finding hundreds and thousands of potential victims. “They keep collecting compromised servers, and in some cases they will lose some – but it means for the industry overall there is clearly a higher risk,” Shulman says. Shulman says the recent attacks highlight the risk to anyone using a web service, right down to the small and medium-sized business user. “If you have a web server or web application in the enterprise, you are going to be the target of attackers, even if you don’t have valuable information in your server. Just having enough bandwidth and the server makes you a target.” In some instances the trade-off for added security will have to be latency, as data travels through more security devices. “The consequence could be that all traffic going in and out of a compromised server would eventually be blocked by security devices along the way,” Shulman says. The real question then – at least for now – is how that added latency weighs against denied access once services are looked at with a long-term view.

Source: http://www.datacenterdynamics.com/focus/archive/2013/01/dark-cloud-over-us-bank-ddos-attacks


Distributed Denial of Service (DDoS) Attacks: 2013 Predictions

During the last third of 2012, 10 major U.S. banks were the targets of powerful distributed denial-of-service attacks apparently launched by a foreign hacktivist group. Some observers predict there will be many more DDoS attacks against financial institutions in 2013. They say hacktivists, organized crime rings and even nation states will be the perpetrators, working collaboratively in some cases and independently in others. Financial fraud expert Avivah Litan, an analyst at Gartner Research, says the attacks will continue because they work, especially for criminals. “There is no reason for the criminals to stop,” Litan says. “They are getting away with them and not getting caught. These gangs will just keep escalating the attacks, up the ante and raise the stakes on the banks. The banks will have to find and implement solutions quickly. There really is no other choice.” DDoS attacks often will be used to disguise nefarious schemes aimed at stealing intellectual property and taking over accounts, especially when the attacks are waged against smaller institutions, regulators and security experts warn. John Walker, a member of ENISA’s security experts group and chair of ISACA’s Security Advisory Group in London, says banks won’t be able to fend off all of the attacks that are coming in the new year. “What we are seeing this year is just a tip in the ocean of what is planned for 2013,” he says. To prepare for continuing DDoS attacks, banking institutions should implement incident response strategies and involve staff across multiple lines of business, as well as external partners, regulators and experts say. Banks also should consider due diligence reviews of service providers, including Internet service providers and Web-hosting companies, to ensure they, too, have taken necessary steps to identify and mitigate risks associated with DDoS attacks.

PNC, Others Take Hits

Since September, the hacktivist group Izz ad-Din al-Qassam Cyber Fighters has grabbed headlines for two DDoS campaigns against banks. But so far, there’s been no evidence of fraud linked to these attacks. The hacktivist group announced Dec. 25 that yet another wave of attacks was coming as part of its second campaign. In the latest development, PNC Financial Services, whose customers have suffered sporadic online access issues related to high volumes of traffic during both of the DDoS campaigns, reported it experienced minor site access issues late Dec. 27. But it did not link those issues to traffic connected with a DDoS attack. PNC spokeswoman Amy Vargo says some customers reported having trouble when trying to access the bank’s site during the afternoon of Dec. 27, but “this was a very short term and intermittent issue, and the systems were quickly restored to normal.” In a Dec. 10 post on Pastebin, Izz ad-Din al-Qassam Cyber Fighters announced plans for its second campaign, targeting PNC, U.S. Bancorp, Bank of America, JPMorgan Chase and SunTrust Banks. Since then, the group has posted two subsequent threats and has apparently hit all five targeted institutions as well as Wells Fargo and Citibank, part of Citigroup. The hacktivist group says it’s waging the attacks in protest of a YouTube video deemed offensive to Muslims. The first campaign of attacks, which ran from mid-September to mid-October, targeted all of the institutions hit in the second campaign, as well as Regions Bank, HSBC Holdings and Capital One.

Warning to Banks

Some security experts, however, are questioning whether Pastebin posts being attributed to Izz ad-Din al-Qassam Cyber Fighters actually came from that group. Anyone could take credit for the posts and the attacks, says Mike Rothman of DDoS prevention provider Securosis. “We’ll likely see lots of folks claiming responsibility for attacks and many doing it to draw attention to their causes,” Rothman says.
“Is it really one group or another? Hard to truly tell, and ultimately I don’t think it matters. The attacks will keep happening, sometimes for no apparent reason. Organizations need to be ready, and that doesn’t change, regardless of the adversary.” Smaller banking institutions not targeted by Izz ad-Din al-Qassam Cyber Fighters should guard against a false sense of security, says Bill Nelson, president and CEO of the FS-ISAC. “We saw a year ago that smaller banks and regional banks were being hit [by other DDoS attackers] and many were at a loss about why,” Nelson says. Eventually, investigators confirmed attempts to commit fraud in the background of those attacks. On Dec. 21, the Office of the Comptroller of the Currency issued an alert about the recent wave of DDoS attacks, noting that financial institutions had linked DDoS to fraud and the theft of proprietary information. “These attacks by hacktivists are trying to strike terror,” Nelson says. “But cybercriminal groups have been attacking, too, off on their own launching cyberfraud. Rather than striking terror, they’re trying to make it more difficult to detect their fraud, and that’s the worry here.”

Year Ahead

Securosis’ Rothman says the recent waves of hacktivist attacks have drawn attention to the severity of the DDoS threat. “We have discovered a clear knowledge gap around the denial-of-service attacks in use today and the defenses needed to maintain availability,” Rothman writes in a November paper about DDoS prevention. “There is an all-too-common belief that the defenses that protect against run-of-the-mill network and application attacks will stand up to a DDoS. That’s just not the case.” Rothman says banking institutions of all sizes must start viewing DDoS attacks as instruments for multifaceted attacks. “It’s not news that some of the attackers have been using DDoS attacks to obscure ex-filtration activity,” Rothman says.
“They basically work to divert the attention of the security folks with the DDoS while they steal data via other mechanisms.” Rothman says prevention steps recommended by the OCC just reiterate the obvious. “Financial institutions need to have risk management programs, and that would include tactics to mitigate against DDoS attacks as well as leveraging information-sharing networks to keep the flow of information going. If something bad happens, they need to report it and probably disclose it to customers.”

Source: http://www.bankinfosecurity.com/ddos-attacks-2013-forecast-a-5396/p-2


Distributed Denial of Service (DDoS) Attacks on Major Banks Causing Problems for Customers

The websites of major U.S. banks are facing a new round of cyber attacks linked to the same group responsible for similar assaults earlier this year. The latest attacks started last week and have hit Bank of America Corp., SunTrust Banks Inc. (STI), JPMorgan Chase & Co. (JPM), U.S. Bancorp, Wells Fargo & Co. (WFC) and PNC Financial Services Group Inc. (PNC), according to two executives at companies providing security to some of the targeted banks, who asked for anonymity because they weren’t authorized to discuss clients and didn’t want their companies to become targets of computer assaults. PNC was under attack today, the executives said.

A group calling itself Izz ad-Din al-Qassam Cyber Fighters announced plans to attack banks in a Dec. 10 statement posted on the website pastebin.com. The same group claimed responsibility for a series of distributed denial-of-service (DDoS) attacks in September and October that flooded bank websites with Internet traffic and caused disruptions and slowdowns for online customers.

“The purpose of it is to try to disrupt or stop online banking access,” said Bill Nelson, president of the Financial Services Information Sharing and Analysis Center, which disseminates cyber threat information to the financial services industry. “There are some outages occasionally, but it hasn’t prevented customers from transacting business.”

The Izz ad-Din group has said in Internet postings that the cyber attacks are in response to a video uploaded to Google Inc. (GOOG)’s YouTube ridiculing the Prophet Muhammad and offending some Muslims.

Multiple Targets

The current attacks, which began last week, involve the same tactics used in the earlier assault, harnessing commercial servers to pump traffic at bank websites and attacking applications including security devices such as firewalls or intrusion-detection systems, said Carl Herberger, a vice president at Radware Ltd. (RDWR), a Tel Aviv-based network security provider that is working with some of the banks. While the attackers targeted one bank per day in the previous campaign, they are hitting multiple banks in a single day this time, Herberger said.

PNC, in a statement posted on its website, said it’s aware of the potential cyber threat, which could “make it difficult for our customers to log onto online banking.” “Please be assured that PNC’s website is protected by sophisticated encryption strategies that shield customer information and accounts,” the statement reads. “We have no information regarding timing, duration or intensity of this potential threat.”

Slow Access

Wells Fargo said its website was experiencing an unusually high volume of traffic, creating slow or intermittent access for some customers. “The vast majority of customers are not impacted, but for those who are, we encourage them to access their accounts through our stores, ATMs or by phone as we work to resolve the issue,” according to a statement e-mailed yesterday by Bridget Braxton, a Wells Fargo spokeswoman. Mark T. Pipitone, a Bank of America spokesman, declined to comment, as did Tom Kelly, a spokesman for JPMorgan.

The attackers are changing their “signatures,” or techniques, every 7 to 10 minutes, requiring constant monitoring, said Scott Hammack, chief executive officer of Prolexic Technologies, a Hollywood, Florida-based company that provides protection from DDoS attacks.

DDoS Attacks

Denial-of-service attacks have long been a favored tactic of hacker-activists, and software kits to mount such assaults are available for purchase on the black market, Meaghan Molloy, a senior threat analyst at Mandiant Corp., an Alexandria, Virginia-based information-security firm, said in an e-mail. While the Izz ad-Din al-Qassam Cyber Fighters group said the attacks are in retaliation for the YouTube video, “it’s worth noting” that the Federal Bureau of Investigation last year warned that DDoS attacks were being used to deflect attention from fraudulent wire transfers from compromised bank accounts, Molloy said.

Banks targeted in the current attacks are working with Internet-service providers and the U.S. government to share information on the tactics and techniques of the attackers, said Nelson, of the Financial Services Information Sharing and Analysis Center. Source: http://www.bloomberg.com/news/2012-12-20/major-banks-under-renewed-cyber-attack-targeting-websites.html


National banking regulator advises on Distributed Denial of Service (DDoS) Attack deluge

The regulator for national banks issued an alert Friday about the apparent uptick in distributed denial-of-service (DDoS) attacks being waged against financial institutions. The note from the Office of the Comptroller of the Currency (OCC), which was addressed to the heads of national banks, federal branches and agencies, technology service providers and other related organizations, described how a recent wave of DDoS attacks is disrupting the availability of some bank websites. The spate seemed to kick off in early fall, and many top banks are still experiencing on-and-off attacks.

“Each of these groups had different objectives for conducting these attacks, ranging from garnering public attention to diverting bank resources while simultaneous online attacks were underway and intended to enable fraud or steal proprietary information,” the alert said.

The bulletin recommends that banks maintain a “heightened sense of awareness regarding these attacks” and ensure they are prepared to deal with them. That includes appropriating staff and third-party contractors to help thwart the attacks; implementing an incident response plan across various departments; and sharing information among affected organizations. In addition, because the attacks often target banks’ service providers, the OCC suggests that financial institutions review the response capabilities of their ISPs and web-hosting vendors. The alert also encourages banks that are sustaining a DDoS attack to remain in communication with customers, conveying any risks they face, as well as safeguards they can take.

The OCC said banks should view their security in terms of risk management. But the alert also reminded institutions that they are obligated to follow the Federal Financial Institutions Examination Council (FFIEC) guidelines, which were updated in 2011 to address corporate account takeovers. Often, DDoS attacks run cover for attackers who are simultaneously logged in to victims’ bank accounts while fraudulently transferring out money from their accounts.

Avivah Litan of research firm Gartner said in a blog post Friday that the alert shows the OCC is taking the threat seriously, and this will likely result in increased regulatory enforcement. “Some banks do spend enough on security – but many do not,” she wrote. “This will help ensure that all – and not just some – of the banks regulated by the OCC at least, are putting the requisite resources into defending against DDoS attacks and their attending damage.” Source: http://www.scmagazine.com/national-banking-regulator-advises-on-ddos-deluge/article/273769/


Details of the complexity of Distributed Denial of Service (DDoS) Attacks

DDoS’s popularity as an attack method can be explained by how important availability is to most organizations’ ability to function. Availability is as critical to an organization today as electricity. If an organization is taken offline, it can lose the ability to generate revenue from its customers, or the ability to access cloud-based data and applications. And, if publicized, the downtime can damage its reputation and brand.

Arbor Networks’ data, gathered from more than 240 service provider deployments, shows that, without question, DDoS attacks are getting bigger. Much bigger. Consider the statistics:

- The average attack in September was 1.67 Gbps, a 72-percent growth from September 2011.
- The number of mid-range attacks, ranging 2-10 Gbps, also has increased, up 14.35% so far in 2012.
- Very large attacks, 10 Gbps+, were up 90 percent during 2011.
- The largest attack this year measured 100.84 Gbps.

Hackers seek out pain points for an organization, like maintaining availability, and look to exploit weaknesses in infrastructure and existing security defenses. From that perspective, DDoS is a great tool. There are three main categories of DDoS attack:

Volumetric attacks

These attacks attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the internet. These attacks are simply about causing congestion. Volumetric attacks first emerged in 2001 when Microsoft, eBay and Yahoo were taken offline by what back then were considered large attacks in the 300 Mbps range – a relatively low volume attack by today’s standards. With DDoS attacks now exceeding 100 Gbps, internet service providers are faced with new challenges of how to protect their networks and infrastructure.

TCP state-exhaustion attacks

These attacks attempt to consume the connection state tables that are present in many infrastructure components, such as load balancers, firewalls and the application servers themselves. Even high-capacity devices capable of maintaining state on millions of connections can be taken down by these attacks.

Application layer attacks

In 2010, there was a dramatic shift in DDoS, from primarily large volumetric attacks to smaller, harder-to-detect application-layer attacks that target some aspect of an application or service at Layer 7. These are the most sophisticated, stealthy attacks, as they can be very effective with as few as one attacking machine generating a low traffic rate (this makes these attacks very difficult to proactively detect and mitigate).

Each of these attack types presents unique challenges to network operators. The easiest attacks to mitigate are volumetric, which can be effectively mitigated by cloud-based managed security services. Attacks targeting existing infrastructure, and those that are “low-and-slow” targeting applications, are the most difficult to identify and mitigate.

What makes DDoS such an effective weapon in recent years is the increasing complexity of attacks, the blending of attack types, targets and techniques. Take, for example, the recent attacks on financial institutions in the United States. These attacks used a combination of attack tools with vectors mixing application-layer attacks on HTTP, HTTPS and DNS with volumetric attack traffic on a variety of protocols including TCP, UDP, ICMP and others. The other unique characteristic of these attacks was the targeting of multiple companies in the same vertical at very high bandwidth.

Compromised PHP web application servers were used as bots in the attacks. Additionally, many WordPress sites, often using the out-of-date TimThumb plug-in, were compromised around the same time. Joomla and other PHP-based applications were also leveraged. The attackers uploaded PHP WebShells to unmaintained servers and then used those shells to further deploy attack tools. The attackers connected to the tools either directly or through intermediate servers/proxies/scripts, and therefore the concept of command-and-control did not apply in the usual manner.

This complex, rapidly evolving attack vector requires purpose-built tools, both on-premise and cloud-based, to provide comprehensive protection against both large attacks and those that target the application layer. And until we see pervasive deployment of best-practice defenses, we can expect to see DDoS in the headlines for years to come. Winston Churchill offered some great advice that IT security professionals should keep top of mind as they adapt their defense to the threat landscape: “Success is not final, failure is not fatal: It is the courage to continue that counts.” Source: http://www.scmagazine.com/its-the-complexity-not-the-size-that-makes-ddos-effective/article/273775/
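The three categories above call for three different detection signals: volumetric attacks show up as aggregate ingress against link capacity, state-exhaustion attacks as half-open entries filling a state table, and low-and-slow application-layer attacks as one client holding many long-lived connections that carry almost no data, which no bandwidth threshold will ever catch. The following added example (not code from the article or from Arbor Networks) runs those three checks over a constructed ten-second window of edge flow records; the link capacity, state-table size, thresholds and sample flows are all assumed values chosen for illustration. The sample blends all three vectors in one window, matching the article’s point that modern campaigns mix attack types.

```python
"""Classify a window of edge flow records into the three DDoS categories
described above (volumetric, TCP state exhaustion, application layer).
Added illustration; thresholds and sample flows are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

WINDOW_S = 10.0                      # length of the observation window
LINK_CAPACITY_BPS = 1_000_000_000    # assumed 1 Gbps uplink (constructed)
STATE_TABLE_CAPACITY = 4_000         # assumed firewall state-table size (constructed)
VOLUME_FRACTION = 0.70               # flag when ingress exceeds 70% of the link
HALF_OPEN_FRACTION = 0.70            # flag when half-open entries exceed 70% of the table
SLOW_AGE_S = 30.0                    # a "low-and-slow" connection is older than this ...
SLOW_MAX_BYTES = 200                 # ... yet has delivered almost no request data
SLOW_CONNS_PER_SRC = 10              # and one client holds at least this many of them


@dataclass(frozen=True)
class Flow:
    src: str       # client address as seen at the edge
    proto: str     # "tcp", "udp" or "icmp"
    dport: int
    state: str     # TCP: "SYN_RECV" (half-open) or "ESTABLISHED"; other protocols: "-"
    bytes_in: int  # bytes received from src during the window
    age_s: float   # seconds since the flow's first packet


def check_volumetric(flows):
    """Volumetric: aggregate ingress against the link, with a per-protocol breakdown."""
    bps = 8 * sum(f.bytes_in for f in flows) / WINDOW_S
    by_proto = Counter()
    for f in flows:
        by_proto[f.proto] += f.bytes_in
    return {"bps": bps,
            "flagged": bps > VOLUME_FRACTION * LINK_CAPACITY_BPS,
            "top_proto": by_proto.most_common(1)[0][0] if by_proto else None}


def check_state_exhaustion(flows):
    """State exhaustion: half-open TCP entries filling the state table.
    Many distinct sources each holding a half-open entry is the SYN-flood shape."""
    half_open = [f for f in flows if f.proto == "tcp" and f.state == "SYN_RECV"]
    return {"half_open": len(half_open),
            "distinct_srcs": len({f.src for f in half_open}),
            "flagged": len(half_open) > HALF_OPEN_FRACTION * STATE_TABLE_CAPACITY}


def check_application_layer(flows):
    """Application layer (low-and-slow): one client keeping many long-lived HTTP(S)
    connections open while sending almost nothing. Bandwidth stays tiny, so the
    check keys on connection age and per-source concurrency, not on volume."""
    per_src = defaultdict(int)
    for f in flows:
        if (f.proto == "tcp" and f.dport in (80, 443) and f.state == "ESTABLISHED"
                and f.age_s > SLOW_AGE_S and f.bytes_in < SLOW_MAX_BYTES):
            per_src[f.src] += 1
    return sorted(src for src, n in per_src.items() if n >= SLOW_CONNS_PER_SRC)


def classify_window(flows):
    """Run all three checks; a blended attack lights up more than one category."""
    return {"volumetric": check_volumetric(flows),
            "state_exhaustion": check_state_exhaustion(flows),
            "application_layer": check_application_layer(flows)}


def build_sample_flows():
    """Constructed ten-second window mixing legitimate clients with all three vectors."""
    flows = [Flow(f"198.51.100.{i}", "tcp", 443, "ESTABLISHED", 15_000, 2.0)
             for i in range(20)]                               # ordinary web clients
    flows += [Flow("203.0.113.7", "tcp", 443, "ESTABLISHED", 120, 75.0)
              for _ in range(40)]                              # one low-and-slow client
    flows += [Flow(f"192.0.2.{i % 256}", "tcp", 443, "SYN_RECV", 60, 1.0)
              for i in range(3_000)]                           # SYN flood, spread sources
    flows += [Flow(f"100.64.{i // 256}.{i % 256}", "udp", 53, "-", 2_000_000, 10.0)
              for i in range(500)]                             # UDP flood toward DNS
    return flows


if __name__ == "__main__":
    for category, finding in classify_window(build_sample_flows()).items():
        print(f"{category}: {finding}")
```

The point of keeping the checks separate is operational: the volumetric finding is what a scrubbing provider or upstream ISP acts on, the state-exhaustion finding points at SYN-cookie or state-table settings on the edge devices, and the application-layer list names the specific clients to rate-limit or drop at the web tier. Note that the low-and-slow client contributes under five kilobytes to the window and would be invisible to the first two checks.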


Wells Fargo Still Dealing with Distributed Denial of Service (DDoS) Attack

Hacktivists’ phase 2 distributed-denial-of-service attacks against U.S. banks appeared to subside Dec. 19. Only Wells Fargo reported online access issues, but the bank pointed out that outages were limited. A day earlier, the bank reported a more extensive DDoS hit.

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters Group on Dec. 18 posted an update on Pastebin, saying targeted banks could expect more distributed-denial-of-service attacks this week, resembling the magnitude of attacks waged against Bank of America, JPMorgan Chase, PNC Financial Services, U.S. Bancorp and SunTrust Bank a week earlier. The group, however, did not name its targets in the Dec. 18 posting. But based on outage reports confirmed Dec. 18 and Dec. 19 by Wells Fargo, the bank apparently was one of those that Izz ad-Din al-Qassam has chosen to attack this time around.

Wells Fargo spokeswoman Sara Hawkins said some bank customers may have experienced issues accessing their online accounts throughout the day Dec. 19. “We’re not seeing widespread impact, but we do recognize that some customers may have intermittent access to our website,” she said. On Dec. 18, however, Hawkins said the bank was seeing heavier than typical traffic. “We’re seeing an unusually high volume of traffic, which is creating slow or intermittent access to our website for some online customers,” she said.

But none of the five banks named as targets in Izz ad-Din al-Qassam’s Dec. 11 announcement of the launch of a phase 2 DDoS campaign reported similar issues. Ten banks were targeted in the first campaign of DDoS attacks, which ran from mid-September until mid-October. Those banks included the five noted above as well as Wells Fargo, Regions Bank, HSBC Holdings, BB&T Corp. and Capital One. Among these, only Wells has reported additional outages allegedly linked to Phase 2. The others confirmed Dec. 19 that their sites remained unaffected.

The hacktivist group claims it will continue its attacks on U.S. banks until a YouTube movie trailer, deemed to be offensive to Muslims, is removed. The Financial Services Information Sharing and Analysis Center on Dec. 12 issued an advisory, outlining precautions institutions should take as they prepare for more attacks. The FS-ISAC notes that hacktivists’ warning that the second phase will be more severe should be heeded. Source: http://www.bankinfosecurity.com/wells-fargo-still-dealing-ddos-a-5370
