Oct. 23, 2012 at 9:19 AM ET
Have some critical online banking transactions to do? You might want to plan them for a Monday or Friday. A group of malicious hackers is having its way with online banks lately, seemingly knocking sites offline at will. The latest victims are HSBC and Ally Bank, but virtually every major bank has been targeted by the group since the attacks began five weeks ago.
The attacks seem straight out of a movie plot: An anonymous note is posted online -- usually on a Monday or early Tuesday -- declaring that week's victims. The targets then are besieged at some point during that Tuesday through Thursday stretch. On Friday, the group seems to rest.
"Do you want attacks to be stopped? Stop the insults," the group declared in last week's warning message. "Insults" refers to the now infamous "Innocence of Muslims" online video that was initially blamed for last month’s mob attack on the U.S. mission in Benghazi, Libya.
The bank attacks are remarkable because they seem unstoppable, even with advance warning. Just how bad are banks suffering at the hands of attackers? Rodney Joffe, senior technologist at Internet infrastructure provider Neustar, said the best some banks can do to prepare is to have a sincere-sounding apology at the ready, backed up with a plan B that points customers to an alternative method of communication such as a call center.
"There is in fact no way to defend against it properly," said Joffe, who has helped banks try to recover from the attacks. "We can mitigate the attacks to some extent, but it is very difficult to keep systems up ... This is one of our worst nightmares."
The criminals identify themselves in their warnings as the "al-Qassam Cyber Fighters," purportedly part of Hamas' al Qassam military wing. Bank security folks apparently have received a break this week, as a note posted by hackers claiming to represent al Qassam said they would take a break "during the next days" to mark a Muslim holiday.
The basic attack is nothing new: It’s a denial of service attack designed to make the banking websites unavailable. Bank sites are flooded with bogus Internet traffic so they are overwhelmed, and can only give the equivalent of a busy signal to customers. But these attacks are very different, experts say, because of the sheer amount of bogus traffic that's generated.
With online banking services broken, consumers flood banks with phone calls, creating headaches for customers and banks alike.
"It's a customer service nightmare for banks. They just aren't set up for this," Joffe said.
But the biggest nightmare, he said, is that banks don't "defeat" the attacks with countermeasures. The criminals simply stop and turn their attention to another target, leaving bank security officials wondering when they might be victimized again. Capital One, for example, has suffered at least two separate service disruptions.
As a provider of backup content delivery for many of the world's largest websites, Akamai Technologies handles denial of service attacks every day, and it has dealt with the current wave of attacks. Mike Smith, director of Akamai's incident response team, says the attacks succeed through a simple matter of arithmetic.
Banks buy, at most, an Internet pipe that can handle 20 gigabits per second of Web traffic, he said. The attackers are generating about 50 gigabits per second, making any tool that could filter out bad requests inadequate: the pipe is saturated before a filter ever sees the traffic.
"It's fairly brute force, rather than laser scalpel," he said.
Banks could consider tripling the bandwidth they buy, he explained, but that would be a huge waste of money during non-attack times ... and the criminals might just increase their bogus traffic anyway. "It's all an arms race," he said.
How are criminals able to marshal such enormous traffic resources? They are employing a new kind of electronic army, experts said. Until now, most denial of service attacks involved large "botnets" -- armies of compromised desktop computers -- that could number 100,000 or more. These were clumsy, hard to coordinate and often limited by the bandwidth purchased by home users. In this attack, criminals are taking control of web servers that sit on much wider Internet traffic pipes -- computers that host popular websites and blogs, for example. As a result, criminals can attack with refined armies of only 1,000 to 2,000 compromised servers, while still wielding a devastating cyberweapon against bank websites.
Adding to the complexity for victims, such compromised servers are also harder to knock offline than home PCs in botnets, Joffe said, because they are often intertwined with legitimate businesses that are reluctant to voluntarily go offline to clean them up.
"It's not a new kind from a technical perspective, it's just able to generate overwhelming volumes of traffic that are indeed quite noteworthy," said Dmitri Alperovitch, chief technology officer at CrowdStrike, a startup focused on cyberespionage defense.
With a smaller, more powerful botnet, "attacker economics" favor the criminals, Smith said. It's easier for them to replace servers that are cleaned up, and it's much easier for them to stop and start attacks.
"They have much more command and control over the nodes," Smith said.
It's unusual for attackers to announce their targets ahead of time, but Smith said their reason for doing so is fairly obvious.
"What they are trying to do is amplify the bad public relations efforts element for banks," he said.
Banks turn out to be a juicy target for denial of service attacks because their own systems are easily turned against them, Smith said. Thanks to numerous fraud-checking tools, every request made at a bank site generates multiple responses from bank servers -- log files, IP-checking tools, device-ID verification tools, etc. -- amplifying the effect of every bogus request. In fact, while banks have beefed up fraud checks, they have done little to protect against denial of service attacks through the years, Smith said.
"Criminals have never wanted the sites to go down, because they need the sites to be up to commit fraud against the bank," he said.
But even filters that find and deflect bogus website traffic wouldn't help much against these determined and sizable attacks, he said.
"Most enforcement mechanisms don't have the capacity to deal with this much traffic," Smith said.
Given the remarkable scope of the attack, there has been much speculation by U.S. government officials -- openly and on background -- that the attacks could only be directed by a state-sponsored group, and represent an aggressive act of cyberwar perpetrated by agents of the Iranian government. Both Sen. Joe Lieberman, I-Conn., and Defense Secretary Leon Panetta have openly blamed the attacks on Iran, with Panetta calling the incident a "pre 9/11 moment." Several intelligence officials have told NBC News that they believe Iran is behind the attacks.
Smith, however, says it's important not to dismiss the possibility that old-fashioned online fraudsters are using the protests over the "Innocence of Muslims" film as a cover to simply steal money from banks. As evidence, he points to a warning issued by the FBI on Sept. 17, which indicated that some banks had already been hit by denial of service attacks to help perpetrate wire fraud -- with thefts as high as $400,000. The website attacks serve as a diversion, and when consumers flood customer service phone banks, criminals who've stolen bank logins have an easier time slipping fraud through bank systems, the alert said. It also predicts precisely the kinds of attacks banks are suffering through now.
"In some of the incidents, before and after unauthorized transactions occurred, the bank or credit union suffered a distributed denial of service (DDoS) attack against their public website(s) and/or Internet Banking URL," the warning said. "The DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer."
Smith said that same denial of service distraction technique was successfully employed by another group last year, making fraud -- and not geopolitics -- a likely motivator for the attacks.
"Maybe the intelligence world knows some things we don't know, but we haven't seen them prove it other than some public officials making statements," he said. "But when you look at Al Qassam, until last month they were suicide bombers and restaurant shooters ... associated with physical attacks, and overnight they acquired the capability to take banks offline? That I don't believe."
Robert Windrem, a senior investigative producer for NBC News, said there is "some level of disagreement" between law enforcement and intelligence officials about the real source of the attacks.
"The disparity in certainty (that Iran is behind the attacks) is due to the way law enforcement and intelligence look at the same incident," he said. "Law enforcement deals with forensics, and the intelligence agencies deal with intelligence. Intelligence is looking at it from the source, whereas law enforcement is looking at it from the effect side."
Experts agree on this point: With cybercrime, pinpointing a source can be nearly impossible. Smart criminals cover their tracks with numerous layers of compromised computers, across several state and international boundaries. The painstaking work of obtaining legal documents necessary to perform forensics on compromised computers, track bogus traffic, then examine the source of that traffic can take months. Meanwhile, attackers come and go within minutes.
But the good news for banks is this: Website disruption, while a serious nuisance for bill payers, is hardly the end of the world. Backup systems, such as phone service and in-person teller service, remain in place. Consumers are inconvenienced, but that's the extent of the disruptions so far.
"Ultimately, there is a very low impact on a bank," Smith said. "It's more perception than anything. … Websites are a cheaper way to do customer care, but they do have a manual fallback that's unaffected."
* Follow Bob Sullivan on Facebook.