An Islamic group that launched a third wave of high-powered dedicated denial-of-service (DDoS) attacks against U.S. banks in March has started targeting other financial organizations, including credit card companies and financial brokerages, security experts say.
The hacktivist group that calls itself Cyber Fighters of Izz ad-Din al-Qassam has been hammering U.S. banks since last September. The distributed-denial-of-service (DDoS) attacks have caused major disruptions in online banking, but have not resulted in system breaches or the theft of data.
With each new wave of attacks the group has shifted to other targets. The first wave, which lasted about six weeks from mid-September to mid-October, targeted mostly major financial institutions. Targets included Wells Fargo, U.S. Bank, Bank of America, JPMorgan Chase & Co. and PNC Bank. In the second phase, which went for seven weeks from December to late January, the attackers expanded to mid-tier banks and credit unions.
In the latest wave, which started Feb. 25 and is the longest so far, the attackers have gone beyond just banking institutions, which over the months have grown more adept at fending off the attackers, John Summers, vice president of Akamai Technologies' security business, said Wednesday.
Akamai, whose clients include nine of the world's top 10 banks, saw attacks against credit-card companies and financial brokerages, but declined to name them. In a Pastebin post, the Islamic group said Tuesday that it launched attacks last week against investment manager Principal Financial, financial planner Ameriprise, and financial services company State Street.
A DDoS attack took discount brokerage Charles Schwab & Co. offline for an hour Tuesday and intermittently on Wednesday. Schwab did not know who was behind the attack.
Along with expanding the type of targets, the attackers have grown more sophisticated. Rather than stick with flooding sites with network traffic, the attackers are directing their packets to the application layer reserved for secured communication protocols, which is where most of the banks' online business is conducted. In the largest such attack so far, 30 gigabits per second of bogus traffic was sent over SSL, roughly 70 times the bank's normal peak traffic, Summers said.
[Related earlier stories:Ã'Â Banks can only hope for the best with DDoS attacksÃ'Â |Ã'Â Wells Fargo recovers after site outageÃ'Â |Ã'Â Theories mount on bank attacks, but experts stress defenseÃ'Â |Ã'Â Arab hackers attack Western websites over filmÃ'Â |Ã'Â Best defense against cyberattacks is good offense, says former DHS official]
The Islamic group has also started doing pre-attack probing of sites that involve sending four- to six-minute bursts of 18 million requests a second to see if the site falters. If it does, then they come back a few days later with a full-scale assault.
Sign up for CIO Asia eNewsletters.