Published October 10, 2012
Attackers with a sophisticated understanding of the underpinnings of the Internet have been able to adapt a commonly-used technique to jam the websites of several major U.S. banks in recent weeks, security experts tell FOX Business.
A group calling itself the Izz ad-Din al-Qassam Cyber Fighters has embarked on a campaign to disrupt bank websites in retribution for a film trailer ridiculing a sanctified Muslim figure. America’s two biggest banks, J.P. Morgan Chase (JPM) and Bank of America (BAC), fell victim last month. This week, Capital One (COF) and SunTrust (STI) have become targets. The group is threatening to hit Regions Financial (RF) on Thursday and potentially more banks next week.
The individuals behind al-Qassam have yet to be unmasked, but the strategy they are using is emerging.
Security researchers broadly agree that the general methodology the hackers are using is a so-called denial-of-service attack. Essentially, the hackers flood companies’ Web servers with requests, rendering them unable to serve customers or substantially slowing access. Oftentimes, hackers utilize what are known as botnets – large groups of compromised computers under one operator's control – to perform the most damaging operations. Such attacks occur regularly and are not out of the ordinary, according to security researchers.
However, al-Qassam has developed a fresh, and so far effective, approach.
“These guys are pretty sophisticated in their understanding of the way the Internet and cyber defenses work,” said Rodney Joffe, senior vice president and senior technologist at Neustar (NSR), who has been monitoring the attacks.
Joffe said the attackers have developed their own botnet. Instead of compromising tens of thousands of personal computers, which is often the case, they have focused on taking over Web servers to do the work. These machines either host websites that users visit or push content out to other servers.
Echoing that view, Dan Holden, director of research for Arbor Networks’ security engineering and response team, said the attacks “demonstrated a combination of technical and media relations sophistication.”
Web servers have proved particularly effective for al-Qassam because they have a much higher level of connectivity to Internet resources than personal computers, according to Joffe. They also aren’t subject to the same limits in bandwidth that individuals’ home computers are and generally have enterprise-level access to Internet Service Providers.
That means al-Qassam has been able to build up substantial horsepower without compromising nearly as many machines as has been necessary in the past. In fact, Joffe’s investigation has revealed the group has used as few as 3,000 servers to conduct this operation – far fewer than the tens of thousands of home computers that are often compromised.
“The advantage to the bad guys is that they have greater reliability and robustness,” Joffe said.
The group has also been quick to adapt the types of attacks it uses as new defenses are deployed. That makes for a difficult situation for the victims, since in this case, “just enough is good enough,” according to Joffe.
The group has managed to sneak its way in by finding exploits in common publishing platforms, according to Joffe and Holden. The experts said that the popular blogging program WordPress and the content management system Joomla have both been exploited, along with an array of other programs on vulnerable servers.
It may prove difficult to wipe the malware from the servers, since many of the companies that operate them also rely on them for other business purposes, Joffe said.
The attacks have also sparked concerns about companies outside the financial sector. Financial firms have long been subject to distributed denial-of-service (DDoS) attacks, so they have built up considerable defenses. However, companies in other sectors may not be as well protected.
“These attacks would be usable against any kind of targets,” Joffe said. “There are a lot of sectors that may not be as prepared.”