The Green Sheet Online Edition
April 22, 2013 • Issue 13:04:02
Brobot strikes again
A massive distributed denial of service (DDoS) attack stretched beyond major U.S. banks to three gaming sites during the third week of March 2013. This is thought to be the third phase of DDoS attacks that began against U.S. financial institutions in 2012 and have been attributed to Izz ad Din al-Qassam Cyber Fighters, which uses a group of botnets, called Brobot, to carry out the assaults.
A DDoS attack occurs when a third party hijacks a machine or network of machines to run botnets that flood a web service to cause a temporary outage and thereby deny access for its intended users. Botnets are programs connected via the Internet that communicate with one another to perform tasks; they can be used for good or ill.
According to the Financial Services Information Sharing and Analysis Center, U.S. financial institutions have been on "high" alert since September 2012. The New York Stock Exchange and several financial institutions were reportedly targeted in the first phase of Brobot attacks, which ended in October 2012.
A growing DDoS threat
In the past six months, banks have been making adjustments to their systems in an attempt to help fend off DDoS attacks. Phase two of the Brobot assault, which occurred during December 2012 and January 2013, reportedly targeted PNC Financial Services, U.S. Bancorp, JPMorgan Chase & Co., SunTrust Bank, Bank of America Corp., and Wells Fargo & Co., among others.
PNC reported a DDoS attack Dec. 20 that intermittently interrupted access to its website. Wells Fargo released a similar statement Dec. 19, as did BofA. None of them mentioned who might have orchestrated this attack.
In phase three, Brobot is said to have already hit PNC, BB&T Corp., JPMorgan Chase, Union Bank and Capital One Financial Corp. The targeted institutions haven't commented on this, but blips in their systems were obvious. Consumers were unable to log into their accounts for a few days, and when they regained access, $0.00 was reflected in their bank accounts. Chase did post a message in each account stating "Limited Activity."
Industry spectators agree the DDoS attacks against banks are just the beginning, as evidenced by the recent inclusion of gaming sites among the targets. Some believe Brobot is growing larger and more capable with each attack. For example, Brobot can now attack multiple sites simultaneously, and with different variations of DDoS attacks on each.
Michael Smith, Senior Security Evangelist and DDoS specialist for web security provider Akamai Technologies, stated about phase three, "Two thirds of last week's traffic [has] been from previously unseen IP addresses. It could be a sign that Brobot is getting bigger." Experts have also posited that Brobot is gathering intelligence about U.S. financial institutions' security defenses.
What we can do to help
DDoS attacks can do great damage. By the time an attack is recognized, it has typically already overwhelmed its target. One well-known method for fighting DDoS attacks is the use of SYN cookies for network efficiency.
Roy Derby, Certified Fraud Examiner of America's Bankcard Alliance, stated, "SYN cookies track incoming TCP connections which help reduce the flood to overwhelm the stack. DDoS attacks are extremely hard to defend but not impossible."
DDoS attacks aren't the only threat. Ongoing fraud-fighting training for merchants is more important now than ever.
To that end, ISOs and merchant level salespeople can assist their level 4 merchants by evaluating the extent of their Payment Card Industry (PCI) Data Security Standard (DSS) validation requirements; helping merchants obtain full PCI compliance, including the completion of self-assessment questionnaires; and explaining how POS terminals and PIN pads can be breached and what to look for, such as altered sticker seals, keypad overlays, pinhole video cameras, and unauthorized people claiming they need access to devices to service or replace them.
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners, as well as a member of the Electronic Transactions Association's Risk, Fraud and Security Committee. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at firstname.lastname@example.org.