TD Bank, KeyBank Confirm DDoS Attacks Expert Says Other Banks Affected by New Methods

TD Bank and Keybank confirmed their online banking sites were hit by distributed-denial-of-service attacks last week, and industry experts say hacktivists' attacks waged during this so-called third campaign are becoming increasingly sophisticated.

See Also: How to Anticipate Breaches & Prevent Data Loss: Avoiding the Fate of OPM

TD Bank Group's Portland, Maine-based U.S. holding company, which has $219 billion in assets, reports that online and mobile banking channels for U.S. customers suffered intermittent outages during the mid-morning to early-afternoon hours on March 21 that likely were linked to a DDoS attack.

"We believe it's a DDoS disruption, affecting online/mobile banking services," TD Bank spokeswoman Barbara Timmins said March 21. Since then, the bank has not suffered any other problems, Timmins confirmed March 25.

Timmins says the bank advised customers to call customer service centers or visit branches and/or ATMs for account assistance and access during the online and mobile outages. "Guidance to use alternate bank channels was posted online and provided to media," she says. "We also shared information with employees who serve/interact with customers so they could redirect them."

Cleveland-based KeyCorp [d.b.a. Keybank], which has $89 billion in assets, reports it suffered a March 19 online outage, also suspected of being linked to DDoS. "We had a very brief episode, systems remained functional and [the] impact was just slower response times for a short time," said spokeswoman Lynne Woodward.

Woodward confirmed later in the week that the bank had not suffered any outages beyond March 19.

More Banks Affected?

Izz ad-Din al-Qassam Cyber Fighters, the hacktivist group taking credit for attacks against U.S. banking institutions, in an update posted to the online forum Pastebin on March 26, says it last week targeted BB&T, PNC Financial Services Group, JPMorgan Chase & Co., Citibank, U.S. Bancorp, SunTrust Banks, Fifth Third Bancorp, Wells Fargo & Co., and others. Since Feb. 25, when the group launched its third phase of DDoS attacks, weekly updates have appeared on Pastebin on Mondays and Tuesdays about previous-week targets.

Carl Herberger, security expert at DDoS-mitigation provider Radware, claims that a number of leading U.S. banking institutions were hit by DDoS attacks last week. He declined to say how many or which ones were affected. Radware tracks online DDoS activity for a number of organizations, including financial services providers.

"These were encrypted brute-force attacks that were using server-based IPs [Internet protocols]," he says. "There were, by and large, server-based, not consumer-based, attacks."

Herberger says the attacks blocked thousands of online banking customers from accessing accounts with numerous institutions. "It seems the attackers somehow came across valid usernames, either by guessing them or coming across them via a rainbow attack," he says. A rainbow attack is an algorithm used to crack encrypted or hashed passwords.

By blocking online users, the attacks have a wider and longer-lasting effect than simply taking a site offline, as in previous DDoS attacks against banks, Herberger explains. "If you are driving the users to have to reset accounts, then that floods your call center, and it could take days to get all of it back up and running," he notes. "This is what we saw last week, and it's the first time we've seen that method used."

Izz ad-Din al-Qassam Cyber Fighters has been using a botnet known as Brobot since mid-September to attack leading U.S. banks. The group says the attacks have been waged against U.S. banking institutions in protest of a YouTube video deemed offensive to Muslims.

Attacks Branching Out

The latest round of DDoS attacks against banks came a week after three apparent Brobot attacks against online role-playing game sites, three industry experts have confirmed (see New DDoS Attacks Hit Game Sites).

The attacks raised questions among online-security experts about the motivations of the attackers. Dan Holden, director of ASERT for Arbor Networks Inc., a network security and anti-DDoS provider, said the game sites appeared to be "a super-strange targeting change."

"It's possible that someone may have gotten into the Brobot network and is hijacking it, or they are simply renting it out. Now the question is, 'Why?'"

Another DDoS expert, who asked not to be named, said the attacks against the game sites could have been waged to encourage a counter-strike. "It's almost as if they're trying to start a fight, to get other hackers, who also often play on these sites, to fight back," the source said.

Attacks More Complex

Hacktivists' attack methods are changing, other experts, including Arbor Networks' Holden, said last week.

"The randomization of the attacks is something we've seen in the third phase," Holden said. "They have introduced new tools, and as they go along; they are learning more and more about the websites they are targeting."

Holden said those new tools include scripts that take aim at specific targets. "That's how we ran across the gaming-attack piece," he said.


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network