Distributed denial of service attacks have morphed from a nuisance to something more sinister.
In a DDoS attack, heavy volumes of traffic are hurled at a website to halt normal activity or inflict damage, typically freezing up the site for several hours. Such exploits achieved notoriety in the fall of 2012 when large banks were hit by a cyberterrorist group.
But the Operation Ababil attacks were simply meant to stop banks' websites from functioning. They caused a great deal of consternation among bank customers and the press, but little serious harm.
Since then, the attacks have become more nuanced and targeted, several recent reports show.
"DDoS is a growing problem, the types of attack are getting more sophisticated, and the market is attracting new entrants," said Rik Turner, a senior analyst at Ovum, a research and consulting firm.
For example, "we're seeing lots of small attacks with intervals that allow the attackers to determine how efficient the victims' mitigation infrastructure is and how quickly it is kicking in," he said. This goes for banks as much as for nonbanking entities.
Verisign's report on DDoS attacks carried out in the fourth quarter of 2014 found that the number of attacks against the financial industry doubled to account for 15% of all offensives. DDoS activity historically increases during the holiday season each year.
"Cybercriminals typically target financial institutions during the fourth quarter because it's a peak revenue and customer interaction season," said Ramakant Pandrangi, vice president of technology at Verisign. "As hackers have become more aware of this, we anticipate the financial industry will continue to see an increase in the number of DDoS activity during the holiday season year over year."
In a related trend, bank victims are getting hit repeatedly.
"If you have an organization that's getting hit multiple times, often that's an indicator of a very targeted attack," said Margee Abrams, director of security services at Neustar, an information services company. According to a report Neustar commissioned and released this week, in the financial services industry, 43% of bank targets were hit more than six times during 2014. Neustar worked with a survey sampling company that gathered responses from 510 IT directors in financial services, retail and IT services, with strong representation in financial services. (The respondents are not Neustar customers.)
The average bandwidth consumed by a DDoS attack increased to 7.39 gigabits per second, according to Verisign's analysis of DDoS attacks in the fourth quarter of 2014. This is a 245% increase from the last quarter of 2013 and it's larger than the incoming bandwidth most small and medium-sized businesses, such as community banks, can provision.
At the same time, DDoS attacks are shorter, as banks have gotten relatively adept at handling them. Most (88%) detect attacks in less than two hours (versus 77% for companies in general), according to Neustar's research. And 72% of banks respond to attacks in that timeframe.
Some recent DDoS attacks on banks have been politically motivated. Last year, a hacker group called the European Cyber Army claimed responsibility for DDoS attacks against websites run by Bank of America, JPMorgan Chase, and Fidelity Bank. Little is known about the group, but it has aligned itself with Anonymous on some attacks and seems interested in undermining U.S. institutions, including the court system as well as large banks.
But while attacks from nation-states and hacktivists tend to grab headlines, it's the stealthy, unannounced DDoS attacks, such as those against Web applications, that are more likely to gum up the works for bank websites for short periods and are in fact more numerous, Turner noted. They're meant to test the strength of defenses or to distract the target from another type of attack.
For example, a DDoS attack may be used as a smokescreen for online banking fraud or some other type of financially motivated fraud. In Neustar's study, 30% of U.S. financial services industry respondents said they suffered malware or virus installation and theft as a result of a DDoS attack.
"What I hear from our clients is that DDoS is sometimes used as a method to divert security staff so that financial fraud can get through," said Avivah Litan, vice president at Gartner. "But these occurrences seem to be infrequent."
Her colleague Lawrence Orans, a research vice president for network security at Gartner, sounded skeptical about the frequency of DDoS-as-decoy schemes.
"I think there is some fear-mongering associated with linking DDoS attacks with bank fraud," he said. However, "the FBI has issued warnings about this in the past, so there is some validity to the issue of attackers using DDoS attacks as a smokescreen to distract a bank's security team while the attacker executes fraudulent transactions."
According to Verisign's iDefense team, DDoS cybercriminals are also stepping up their attacks on point-of-sale systems and ATMs.
"We believe this trend will continue throughout 2015 for financial institutions," Pandrangi said. "Additionally, using an outdated operating system invites malware developers and other cyber-criminals to exploit an organization's networks. What's worse is that thousands of ATMs owned by the financial sector in the U.S. are running on the outdated Windows XP operating system, making it vulnerable to becoming compromised."