U.S. Bank Confirms DDoS Hit
FS-ISAC Warns Banks to Prepare for Severe Attacks
Online outages affecting leading U.S. banking institutions continued Dec. 12, but only U.S. Bancorp confirmed that its site issues were linked to a distributed-denial-of-service attack.
Meanwhile, the Financial Services Information Sharing and Analysis Center issued a security update to its membership, outlining precautions institutions should take as they prepare for the second phase of attacks being waged by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters.
In a Dec. 10 post on Pastebin, the hacktivist group announced plans for a second campaign of attacks waged against leading U.S. banks to protest a YouTube movie trailer deemed offensive to Muslims.
In response, the FS-ISAC says institutions should brace for attacks that are more severe than those experienced during the first wave, which struck 10 leading U.S. banks between mid-September and mid-October.
"Financial institutions should ensure they have reviewed their distributed-denial-of-service detection and mitigation plans, as well as recent threat intelligence shared by and through the FS-ISAC," the center warns. "FS-ISAC is working with its members, its partners and government agencies to monitor this threat, share information and support members under attack."
U.S. Bank, BofA Suffer Online Issues
U.S. Bank and Bank of America - two of the five banks that the hacktivists announced as targets in their second campaign - both experienced intermittent site issues Dec. 12, according to the online-monitoring site websitedown.com.
U.S. Bank spokesman Tom Joyce confirmed to BankInfoSecurity that the institution's online banking site had been hit by a DDoS attack. "We apologize that some customers might experience intermittent delays today on our website," he said. "The issues are related to unusual and coordinated high-traffic volume designed to slow down the system for consumers - similar to what other banks have experienced over the past few months. We are working closely with federal law enforcement officials on the issue."
Joyce also said the bank was working to restore full website and mobile-banking connectivity. "In the meantime, we can assure customers that their data and funds are secure," he said.
But BofA would not confirm reports that it experienced intermittent online-access issues Dec. 12. Bank spokesman Mark Pipitone said the bank directly responded on Dec. 11 to a small number of customers who had reported site trouble but was not aware of outages occurring Dec. 12.
Phase 2 Attacks
Izz ad-Din al-Qassam Cyber Fighters named five banks as targets for its second phase of attacks. Those included SunTrust Banks, U.S. Bancorp, JPMorgan Chase, Bank of America and PNC Financial Services Group. PNC and SunTrust, in addition to BofA, reported intermittent online issues Dec. 11 (see 4 Banks Respond to DDoS Threats).
All five banks were targets - along with Wells Fargo, Capital One, Regions Bank, BB&T and HSBC - during the hacktivist group's first attack wave, when every bank's website suffered outages of varying degrees. Only CapOne was targeted twice in the first campaign (see CapOne Takes Second DDoS Hit).
Banking regulators and associations have made few public comments about this second campaign. So far, the FS-ISAC is the only banking group to publicly acknowledge the threat.
"Targeted institutions have been working together with members of the security community and with government partners to help defend against the attacks," FS-ISAC stated in its Dec. 12 security update. "Information pertaining to tactics and techniques has been shared among these parties and with the broader FS-ISAC membership."
Michael Wyffels, chief technology officer of Illinois-based QCR Holdings, a $1.7 billion bank holding company of three institutions in Illinois, Iowa and Wisconsin, says industry response toward educating consumers about online threats should increase.
"I haven't heard a lot of formal messaging coming out of any public agency," Wyffels says. "I think one piece that is missing is how the general public is being communicated to. It's difficult for institutions to speculate what the end game is for these increased attacks. They know what it means to their customers, their brand and everyone who depends on banking with them every day. I sense the banks are the vehicle for the real attack, which is to weaken customer confidence in using the Internet for financial services."
Wyffels says he'd like to see more attention paid to public awareness. He says it's in every banking institution's best interest to prepare DDoS response plans now, even if that bank or credit union isn't among the list of known targets. "Clearly, you know something is coming, so you plan an effective way to respond, in advance, rather than waiting to react and figure it out as the attack is happening," he says.