TD Bank, KeyBank Confirm DDoS Attacks

Expert Says Other Banks Affected by New Methods

By Tracy Kitten, March 26, 2013.

TD Bank and KeyBank confirmed their online banking sites were hit by distributed-denial-of-service attacks last week, and industry experts say hacktivists' attacks waged during this so-called third campaign are becoming increasingly sophisticated.


TD Bank Group's Portland, Maine-based U.S. holding company, which has $219 billion in assets, reports that online and mobile banking channels for U.S. customers suffered intermittent outages during the mid-morning to early-afternoon hours on March 21 that likely were linked to a DDoS attack.

"We believe it's a DDoS disruption, affecting online/mobile banking services," TD Bank spokeswoman Barbara Timmins said March 21. Since then, the bank has not suffered any other problems, Timmins confirmed March 25.

Timmins says the bank advised customers to call customer service centers or visit branches and/or ATMs for account assistance and access during the online and mobile outages. "Guidance to use alternate bank channels was posted online and provided to media," she says. "We also shared information with employees who serve/interact with customers so they could redirect them."

Cleveland-based KeyCorp [d.b.a. KeyBank], which has $89 billion in assets, reports it suffered a March 19 online outage, also suspected of being linked to DDoS. "We had a very brief episode, systems remained functional and [the] impact was just slower response times for a short time," said spokeswoman Lynne Woodward.

Woodward confirmed later in the week that the bank had not suffered any outages beyond March 19.

More Banks Affected?

Izz ad-Din al-Qassam Cyber Fighters, the hacktivist group taking credit for attacks against U.S. banking institutions, in an update posted to the online forum Pastebin on March 26, says it last week targeted BB&T, PNC Financial Services Group, JPMorgan Chase & Co., Citibank, U.S. Bancorp, SunTrust Banks, Fifth Third Bancorp, Wells Fargo & Co., and others. Since Feb. 25, when the group launched its third phase of DDoS attacks, weekly updates have appeared on Pastebin on Mondays and Tuesdays about previous-week targets.

Carl Herberger, security expert at DDoS-mitigation provider Radware, claims that a number of leading U.S. banking institutions were hit by DDoS attacks last week. He declined to say how many or which ones were affected. Radware tracks online DDoS activity for a number of organizations, including financial services providers.

"These were encrypted brute-force attacks that were using server-based IPs [Internet protocols]," he says. "There were, by and large, server-based, not consumer-based, attacks."

Herberger says the attacks blocked thousands of online banking customers from accessing accounts with numerous institutions. "It seems the attackers somehow came across valid usernames, either by guessing them or coming across them via a rainbow attack," he says. A rainbow attack is an algorithm used to crack encrypted or hashed passwords.

By blocking online users, the attacks have a wider and longer-lasting effect than simply taking a site offline, as in previous DDoS attacks against banks, Herberger explains. "If you are driving the users to have to reset accounts, then that floods your call center, and it could take days to get all of it back up and running," he notes. "This is what we saw last week, and it's the first time we've seen that method used."
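A detection sketch for the lockout pattern described above, added here as an example and not taken from the article, Radware or any bank: it flags a single source that fails logins against many distinct accounts and locks several of them within a short window. The event tuple layout, thresholds and function names are assumptions, and the sample events are constructed using documentation IP ranges.

```python
from collections import defaultdict

def build_sample():
    """Constructed events: (epoch_seconds, source_ip, username, outcome)."""
    events = []
    # One hosted server walking through six valid usernames until each locks.
    for i in range(6):
        user, t = f"cust{i:02d}", 1000 + 10 * i
        events += [(t, "203.0.113.10", user, "fail"),
                   (t + 1, "203.0.113.10", user, "fail"),
                   (t + 2, "203.0.113.10", user, "locked")]
    # A customer who mistypes twice, then logs in.
    events += [(1005, "198.51.100.7", "alice", "fail"),
               (1020, "198.51.100.7", "alice", "fail"),
               (1040, "198.51.100.7", "alice", "ok")]
    # A customer who locks only their own account.
    events += [(1100, "198.51.100.9", "bob", "fail"),
               (1101, "198.51.100.9", "bob", "fail"),
               (1102, "198.51.100.9", "bob", "locked")]
    return events

def lockout_sources(events, window=300, min_accounts=5, min_lockouts=3):
    """Return {ip: (accounts_hit, accounts_locked)} for sources that, inside
    one window of `window` seconds, fail against at least `min_accounts`
    distinct accounts and lock at least `min_lockouts` of them."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome in ("fail", "locked"):
            by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            in_win = [r for r in rows[i:] if r[0] - start <= window]
            accounts = len({u for _, u, _ in in_win})
            lockouts = len({u for _, u, o in in_win if o == "locked"})
            if accounts >= min_accounts and lockouts >= min_lockouts:
                flagged[ip] = max(flagged.get(ip, (0, 0)), (accounts, lockouts))
    return flagged

def accounts_locked_by(events, flagged):
    """Accounts locked by flagged sources, for review before customers call in."""
    return sorted({u for _, ip, u, o in events if ip in flagged and o == "locked"})
```

A customer who locks only their own account stays below both thresholds, so the per-source account count is what separates this pattern from ordinary mistyped passwords.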

Izz ad-Din al-Qassam Cyber Fighters has been using a botnet known as Brobot since mid-September to attack leading U.S. banks. The group says the attacks have been waged against U.S. banking institutions in protest of a YouTube video deemed offensive to Muslims.

Attacks Branching Out

The latest round of DDoS attacks against banks came a week after three apparent Brobot attacks against online role-playing game sites, three industry experts have confirmed (see New DDoS Attacks Hit Game Sites).

The attacks raised questions among online-security experts about the motivations of the attackers. Dan Holden, director of ASERT for Arbor Networks Inc., a network security and anti-DDoS provider, said the game sites appeared to be "a super-strange targeting change."

Follow Tracy Kitten on Twitter: @FraudBlogger
