The said banks included Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank, and PNC Bank. The first of the series of attacks was directed at Bank of America; the attackers then hit the other banks in sequence.
Security analysts and experts believe that this string of attacks is the biggest of its kind. In a denial of service attack, the targeted websites often do not suffer any hacking activity or data breach. Instead, huge amounts of traffic are used to paralyze the targeted site and make it crash.
Bank websites are no strangers to such attacks and so have much better security and preparations for them. However, the volume of traffic used simply overwhelmed the defenses of the banks involved.
Dmitri Alperovitch, co-founder of security firm CrowdStrike, said: “The volume of traffic sent to these sites is frankly unprecedented. It’s 10 to 20 times the volume that we normally see, and twice the previous record for a denial of service attack.”
While the usual DoS attacks utilize thousands of networked regular home computers, the recent attacks used thousands of high-powered application servers. They overwhelmed the web servers of Bank of America and JPMorgan Chase on 19 September, U.S. Bank and Wells Fargo on 26 September, and PNC on the following day.
Denial of service attacks are the favorite tactic of hackers wanting to disrupt the services of web servers. Such attacks cannot take information and forward it to hackers. The ultimate goal was simply to temporarily knock down the websites used by the banks’ customers.
According to experts, it takes months to organize all the needed servers to mount such huge attacks. The servers have to be compromised and networked together into a system called a “botnet”.
“Hacktivists” often use PCs running some malware to build a “botnet”, but the huge scale of the recent attacks on the banks would have been impossible to achieve using home computers. Users, most of the time, turn off their computers or disconnect them from the internet, making it more difficult for a botnet of home PCs to direct the amount of traffic seen during the recent attacks.
Sen. Joe Lieberman from Connecticut believed Iran initiated the attacks. “I don’t believe these were just hackers who were skilled enough to cause disruption of the websites,” he said. “I think this was done by Iran … and I believe it was a response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions.”
So far, the U.S. government, particularly the office of the Department of Homeland Security’s cybersecurity unit, has not commented on the incident.
While Izz ad-Din al-Qassam Cyber Fighters, an Islamist group, claimed responsibility, researchers have doubts about the claim. For one, the group's previous DoS attacks were uncoordinated and not very successful.
A security firm following the progress of the attacks also expressed doubts about the Islamist group’s claim. It noted that the group was urging its followers through social networks and chat forums to use “Low Orbit Ion Cannon”, a tool frequently used by Anonymous and other hacktivist groups to launch DoS attacks. That tool was not used by the group, however. Instead, they opted to use a botnet, but Ronen Kenig, director of a security company called Radware, said the Cyber Fighters did not have the capability to access a botnet as advanced as the one used by the attackers.