A seven month cyber assault on the websites of American banks has led to new calls for security legislation to prevent such attacks.
According to a report by NBC News. the websites of 15 major U.S. banks have been offline for a total of 249 hours in the past six weeks, due to a series of sustained DDoS (Distributed Denial of Service) attacks.
Representative Mike Rogers, Chairman of the Permanent Select Committee on Intelligence, said that Congress needs to act quickly, calling for legislation to allow government and companies to share information to defend against such attacks. He made the remarks in an interview with NBC this week.
Customer accounts have not been put at risk by this particular bank cybercrime – although the sustained attacks have meant it has been impossible to access online functions. The DDoS attacks have repeatedly knocked banks offline, sometimes for hours, despite the best efforts of security teams.
The attacks began seven months ago. Banks such as Wells Fargo and Bank of America were attacked in September 2012, by a group calling itself Izz ad-Din al-Qassam Cyber Fighters. The attacks have continued since then.
After one recent attack on March 14, Avivah Litan, a bank security analyst with Gartner Group said: “Interestingly, the attackers could have easily done even more damage but they chose not to. 9,200 bots were identified as attack-capable but the total number of bots actually involved in sending the DDoS traffic to the banks numbered only about 3,200. The other 6,000 bots sat there doing nothing.”
“Literally, these banks are just in war rooms, sitting at controls trying to stop this,” said Litan. “The frightening thing is they [the attackers] are not using as much resources as they have on call. The attacks could be bigger.”
Earlier this year, ESET researchers published evidence that malware was evolving to defeat anti-DDoS measures such as Cloudflare. This research can be found here.
Author Rob Waugh, We Live Security