The hackers often struck late on Fridays, starting about a year ago, sending skeleton crews at more than a dozen European banks rushing to keep bombardments of digital gibberish from crashing their websites.
Damaging as the bandwidth-choking attacks were, they were merely smokescreens. Once employees dropped their guard to fight one attack, hackers struck again, exploiting the openings to steal account information and create counterfeit debit cards.
One attack was so fast that, within two hours, $9 million was withdrawn from automated teller machines in 46 cities, according to Francis deSouza, president of products and services for Symantec Corp. (SYMC), the Mountain View, California-based information security company that investigated the incidents.
Symantec’s findings show that the attacks, which have been around for years, have evolved from nuisances causing temporary website outages into one of the cheapest and most effective ways to rob banks. They’ve become the online equivalent of a common street hustle, with the initial assault being the shiny object that distracts bank security teams long enough to pick customers’ pockets.
Tens of millions of dollars were stolen in the past year in two-pronged attacks that banks didn’t notice until customers complained or investigators later uncovered the breaches, said Samir Kapuria, a Symantec vice president who led the research.
“The problem is everyone is focusing on the fact someone has set fire to your front yard, and while you’re staring at the front yard someone is coming in through the back door,” said Tom Kellermann, a former security specialist with the World Bank and now vice president of cybersecurity for Trend Micro Inc., a Tokyo-based security software maker.
The attacks targeting banks are known as distributed denial-of-service, or DDoS, in which hackers flood a computer system with information to shut it down. While some banks have acknowledged the attacks have damaged their websites, Symantec’s research shows hackers have reached deeper than institutions have been willing to acknowledge.
The websites of U.S. banks were down a record 249 hours in six weeks in February and March, when they were being heavily attacked, according to Keynote Systems Inc. (KEYN), a San Mateo, California-based company that measures websites’ response times.
The U.S. Comptroller of the Currency, in an alert in December, said DDoS attacks previously regarded as political statements have become part of broader invasions aimed at compromising customer accounts. It didn’t give examples and Stephanie Collins, an agency spokeswoman, declined to comment beyond the alert.
Symantec’s research focused on European banks, which the company wouldn’t name, and it’s not clear what losses U.S. banks and their customers have sustained in similar attacks.
Only Citigroup among the largest U.S. banks has disclosed losses from DDoS and other cyber attacks to investors this year, and it characterized them only as “certain limited losses in some instances.”
In one recent combination attack, hackers temporarily knocked out online banking at Amsterdam-based ING Groep NV (INGA) and iDEAL, a Dutch e-commerce system that includes the Netherlands’ biggest banks, on April 5 and sent a wave of e-mails to ING customers during the attack trying to get them to reveal personal information.
Carolien van der Giessen, a bank spokeswoman, confirmed the attacks while declining to say whether ING experienced data-theft attacks at the same time.
A group calling itself Izz ad-Din al-Qassam Cyber Fighters has taken responsibility for attacks against Bank of America Corp., JPMorgan Chase & Co. (JPM), PNC Financial Services Group Inc. (PNC) and others, claiming they were in response to a video uploaded to Google Inc.’s YouTube ridiculing the Prophet Muhammad and offending some Muslims.
Iran’s government and its elite Qods Force were probably behind the attacks, retaliating against U.S.-led economic sanctions, U.S. Senator Joseph Lieberman, then chairman of the Homeland Security Committee and now retired, said in September.
The two-pronged attacks have taken several forms, according to Kellermann and Symantec officials who have analyzed their patterns.
In the more common form, hacking groups plant malicious software inside a bank’s systems, then wait until they notice another group, such as Izz ad-Din or Anonymous, mounting a distributed denial-of-service attack. At that point, they swoop in, activate their software and raid compromised accounts.
The approach brings together unlikely groups: cybercriminals who break into computers to steal money, and cyberwarriors who hack to make political statements.
“We are already seeing a convergence of DDoS attacks and fraud -- in some cases by the same actors who are not the Iranians, but are other opportunistic gangs,” said Avivah Litan, a banking-security analyst with Gartner Inc., an information-technology researcher based in Stamford, Connecticut.
“We are also seeing the different actors borrow, buy and steal from each other, so that cybercriminals are using cyberwarrior tactics and code, and cyberwarriors are using cybercriminal tactics and code,” Litan said. “The big question is whether the nation-state actors, i.e. the Iranians, will start stealing money out of accounts.”
Some of the more sophisticated Eastern European hackers now mount both stages of attacks themselves, Kellermann said.
DDoS attacks can be effective diversions because they can overwhelm fraud-detection systems and banks react strongly to them, out of concern that prolonged website outages will damage their reputations, Kellermann said.
The two-pronged approach also helps explain why bank websites often haven’t crashed for more than brief periods: because hackers don’t want them to.
Often they’ve crippled sites just enough so they can access target accounts while customers can’t, and therefore won’t notice their money’s gone until after the attacks end, Litan said.
Many banks are now being hit with assaults on their phone and data networks at the same time, said Jim Grubb, a vice president at Cisco Systems Inc. (CSCO), the biggest maker of computer-networking equipment.
The idea is to prevent the banks’ customers from being able to access their accounts online or over the phone while criminals are withdrawing money from ATMs or racking up credit-card charges.
At a Cisco conference last year, Grubb described an attack against a bank’s phone network that prevented customers from calling in to stop fraudulent transactions.
In some cases, hackers have called banks’ customer-service centers while online access is down and tricked representatives into wiring money out of people’s accounts, Gartner’s Litan said.
The most common type of DDoS attack involves using “botnets,” or networks of infected computers, to flood target websites with more traffic than they can handle, said Gunter Ollmann, chief technology officer for IOActive Inc., a security consultancy.
A more effective technique involves attacking database-heavy applications, such as a site’s search function. Hackers might only need one or two computers doing lots of searches to bring down a site, Ollmann said.
A complicated approach involves manipulating the Internet’s domain-name system to amplify the amount of attack traffic against a target site. The technique was used to start one of the biggest online attacks ever, with 300 billion bits per second of traffic hitting the website of Spamhaus, a European antispam group, on March 15 in retaliation for blacklisting a handful of accused spammers.
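The three techniques above differ in how they look in a bank's own telemetry. A botnet flood shows up as raw request volume; the database-heavy variant Ollmann describes can come from one or two hosts and may never move the site's overall traffic graph, which is why it slips past network-provider defenses. The following is an added illustration, not code from the article or from any of the firms quoted in it: a small detector that reads constructed web-server access-log lines (Common Log Format, made up for this example) and applies two separate checks, a per-client sliding-window count of requests to expensive endpoints (here assumed to be anything under `/search`) and a whole-site requests-per-second ceiling. The thresholds, endpoint names and IP addresses are assumptions chosen so that the sample data exercises the application-layer check while staying far below the volumetric one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format lines; the sample below is constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths that hit the database hard. Assumed name; adjust to the real application.
EXPENSIVE_PREFIXES = ("/search",)


def fmt_line(ip, ts, method, path, status, nbytes):
    """Render one constructed access-log line in Common Log Format."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} {nbytes}'


def build_sample_log():
    """Constructed sample: 40 ordinary clients browsing, plus two hosts
    (hypothetical addresses from the documentation range) hammering /search."""
    base = datetime(2013, 4, 5, 17, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):  # normal traffic: 3 cheap page views per client over a minute
        ip = f"10.0.{i // 10}.{i % 10 + 1}"
        for k in range(3):
            ts = base + timedelta(seconds=(i * 3 + k) % 60)
            lines.append(fmt_line(ip, ts, "GET", "/accounts/summary", 200, 5120))
    for ip in ("198.51.100.7", "198.51.100.9"):  # 6 searches per second each, for 10 s
        for k in range(60):
            ts = base + timedelta(seconds=k // 6)
            lines.append(fmt_line(ip, ts, "GET", f"/search?q=transfer+{k}", 200, 90000))
    return lines


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d


def max_in_window(times, window_s):
    """Largest number of events falling inside any window of window_s seconds,
    together with the start of that window (two-pointer sweep over sorted times)."""
    times = sorted(times)
    best, best_start, j = 0, None, 0
    for i, t in enumerate(times):
        while j < len(times) and (times[j] - t).total_seconds() < window_s:
            j += 1
        if j - i > best:
            best, best_start = j - i, t
    return best, best_start


def peak_requests_per_second(events):
    """Site-wide peak request rate; this is what a volumetric flood drives up."""
    per_sec = defaultdict(int)
    for e in events:
        per_sec[e["ts"].replace(microsecond=0)] += 1
    return max(per_sec.values(), default=0)


def detect(lines, window_s=10, per_ip_expensive_limit=20, global_rps_limit=100):
    """Return findings for application-layer abuse (per client) and for
    volumetric overload (site-wide). Thresholds are illustrative assumptions."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    findings = []
    expensive = defaultdict(list)
    for e in events:
        if e["path"].startswith(EXPENSIVE_PREFIXES):
            expensive[e["ip"]].append(e["ts"])
    for ip, times in sorted(expensive.items()):
        count, start = max_in_window(times, window_s)
        if count > per_ip_expensive_limit:
            findings.append({"type": "app_layer", "ip": ip, "count": count,
                             "window_start": start.isoformat()})
    rps = peak_requests_per_second(events)
    if rps > global_rps_limit:
        findings.append({"type": "volumetric", "ip": None, "count": rps,
                         "window_start": None})
    return findings


if __name__ == "__main__":
    for f in detect(build_sample_log()):
        print(f)
```

On the constructed sample the site-wide peak is only 14 requests per second, so a bandwidth or request-rate threshold at the network edge sees nothing, while the per-endpoint sliding window flags both search-hammering hosts with 60 expensive requests in a 10-second window. That gap between the two checks is the point Litan makes later in the piece about needing protections that understand the bank's specific applications rather than only its traffic volume.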
Most of the largest U.S. banks have acknowledged the DDoS attacks in regulatory filings or annual reports. Most said they didn’t have material losses or that customer data wasn’t stolen.
None of the top banks have described DDoS attacks combined with data-theft attempts in the way the Comptroller of the Currency alert outlined or quantified losses from cyber attacks, though Citigroup, PNC, JPMorgan Chase, Wells Fargo & Co. (WFC) and U.S. Bancorp identified DDoS attacks as a material risk.
Citigroup spokesman Andrew Brent declined to comment. PNC has said the DDoS attacks caused some outages but didn’t lead to theft of customer data. Spokesman Fred Solomon declined to comment. U.S. Bancorp spokesman Tom Joyce didn’t respond to messages.
Wells Fargo (WFC) said one aim of the DDoS attacks was to test banks’ cybersecurity ahead of more advanced future attacks. JPMorgan Chase described the attackers as “sophisticated and well-resourced.”
Most banks don’t disclose how much they spend on security, with JPMorgan Chase being an exception. Chief Executive Officer Jamie Dimon said in an April 10 letter to shareholders that the company spends $200 million a year on data security, a figure that will grow “dramatically” over the next three years, and said more than 600 employees are dedicated to security, a number expected to rise.
While there’s no shortage of security firms selling products to help prevent breaches, helping fuel an industry that Gartner estimates will reach $65.7 billion this year, technology alone can’t prevent all combination attacks.
To fight two-pronged assaults, banks must have sufficient staffing across multiple business lines for the duration of the DDoS attacks, the Comptroller of the Currency, the arm of the U.S. Treasury Department that regulates banks, said in its Dec. 21 alert.
Banks need denial-of-service protections that go beyond defenses offered by their network providers, which often can’t detect attacks on the banks’ specific applications, Gartner’s Litan said. They also need to increase training for call-center staff to spot suspicious transactions, Litan said.
And in the worst-case scenario?
“An emergency ’off’ button to stop all money transfers,” Litan said. “This should never have to be used but is important to have -- just in case.”
To contact the reporter on this story: Jordan Robertson in San Francisco at email@example.com
To contact the editors responsible for this story: Bernard Kohn at firstname.lastname@example.org; Tom Giles at email@example.com