JP Morgan Chase is recovering from a DDoS attack that knocked its website and online banking offline on Tuesday, making it the latest victim in a wave of DDoS attacks against financial institutions.

Initially, the DDoS prevented access completely for some customers; the attack then caused intermittent outages and sluggish connections. Customers were greeted with a notice on the site that simply stated it was “temporarily down.” Mobile banking was unaffected by the attack, Chase said.

The bank confirmed the DDoS attack to the media, but would not, or could not, disclose technical details such as peak traffic volume or the duration of the attack. As of Tuesday evening, the site was working as normal.

Earlier this month, a group calling itself Izz ad-Din al-Qassam Cyber Fighters, promised new DDoS attacks against the finance sector, having previously targeted several American banks successfully. At the time their warning was delivered, Bank of America, PNC Bank, Wells Fargo, and Citibank were all having connection issues or were offline entirely.

Earlier this year, a study by the Ponemon Institute said that 64% of IT staffers working within the financial sector said that their banks had suffered at least one DDoS attack within the previous 12 months, and 78% of those respondents said that DDoS attacks will either continue or increase in 2013.

“The belief that traditional perimeter security technologies such as firewalls are able to protect against today’s DDoS attacks is lulling not only financial institutions but organizations across every sector into a false sense of security,” said Marty Meyer, president of Corero Network Security, the company that commissioned the Ponemon study.

“Many organizations assume traditional firewalls can provide protection against DDoS and zero-day exploits at the perimeter, yet this is not what they were designed to do and therefore attacks are still getting through.”



Distributed denial-of-service attacks aim to bring portions of a network down by bombarding the network with requests, and U.S. financial institutions have been prime targets, hit by attacks that rendered their websites unavailable to customers.

These five tips can help maintain your financial institution’s network and cyber security posture while decreasing the risk and potential collateral damage of DDoS attacks.

Start with the Basic Security Objectives

Financial enterprises should map their controls to the three main tenets of information security, the CIA triad: confidentiality, integrity and availability. These principles are the foundation of any information security policy.

Confidentiality refers to the safeguarding of sensitive or classified data; integrity refers to keeping the original data unadulterated and intact; and availability refers to the resources and data that need to be continuously available to authorized parties to maintain day-to-day business.

While the CIA triad is important for every network, it is especially vital for the financial sector, where sensitive data includes personal information that must be protected under regulatory requirements. A DDoS attack is an attack on the availability leg of the triad specifically.

Implement an Effective Security Information Management Solution

Another early-stage measure is deploying a Security Information Management (SIM) or Security Information and Event Management (SIEM) solution. The right choice depends largely on the size and needs of the financial enterprise; both are designed to increase visibility into telemetry from inside the network and at its boundaries.

A SIM solution handles the collection, storage, alerting and reporting of log data, whereas a SIEM combines SIM with a Security Event Management component that correlates log events to raise alerts from connected events.

Both solutions have a wide range of capabilities, including compliance-related functions, such as the retention of messages and creation of reports specifically designed to address audit or compliance concerns. Audit and compliance issues are major concerns within the financial sector, and a strong SIEM can provide the additional visibility an enterprise needs to decrease the resolution time of an incident.

Integrate Advanced Evasion Technique Protection

Advanced Evasion Techniques (AETs) are methods that let intruders bypass security detection and logging during network reconnaissance. They are typically stackable, applied simultaneously on multiple protocol layers, can change dynamically even in the midst of an attack, and combine numerous individual evasions and modifications.

AET protection requires zero-day protection in all layers as well as deep packet inspection across multiple network layers and protocols. AET protection components should also have integration capabilities, a full range of features, high manageability and infrastructure patch capabilities.

AETs are especially dangerous to the financial sector where, once again, extremely sensitive information is at stake in a highly regulated environment.

Establish Web and Content Controls

Web and content controls are integral for inspecting and blocking unauthorized access to sites and dangerous active content. Active content, in the broadest sense, consists of electronic documents designed to automatically invoke actions or trigger a response within a system without the involvement of an individual, such as phone-home behavior. Such content is a major hazard because of its automation: an individual may not directly or knowingly execute the actions.

Electronic documents are even more dangerous when they actually are programs, or contain programs that can be self-triggered with no user intervention, with the same consequences as executing a program directly. Because active content can be a death knell for the integrity of a financial network, protection against triggered behaviors is necessary, as are requiring user intervention to open executables and strong authentication, authorization and accounting.

Employ Digital and Network Forensics

Digital and network forensics are particularly essential for dealing with DDoS in the financial sector as both serve to provide added visibility, remediation and legal response capabilities.

Digital forensics relates directly to legal response capabilities, as it deals with discovering and analyzing electronic data for use in a potential court case. Network forensics seeks to pinpoint the source of a security incident or attack by capturing, recording and analyzing network events.

Lacking either process opens your financial enterprise to additional legal ramifications and a higher risk of repeated attacks.




The al Qassam Cyber Fighters resumed prolonged attacks against banks and hit more institutions simultaneously, with the longevity of the attacks fueling speculation that the attackers are well-funded.

Alleged hacktivists again launched denial-of-service attacks against major U.S. banks last week, causing some disruption at a handful of financial institutions.

While the group behind the attacks continues to pose as hacktivists, the longevity of the campaign, now entering its sixth month, has some security experts arguing that the attacks are a well-funded operation.

On March 5, al Qassam Cyber Fighters (QCF) launched their latest attacks against banks, posting a message on Pastebin stating that nine banks would be targeted by denial-of-service attacks during the week. Unlike previous network floods, the current attacks have simultaneously inundated a handful of banks with a deluge of traffic consuming from 10 Gbps up to 40 Gbps of bandwidth, said Carlos Morales, vice president of global sales engineering and operations for network-protection firm Arbor Networks.

“They clearly have gotten more sophisticated over time,” Morales said. “They are doing their homework. A lot of the banks have reported that they are seeing probing and smaller attacks before the larger attacks, so the attackers are taking into account what the banks are serving up and customizing the attacks to take advantage of the banks’ defenses.”

The QCF attacks started in September 2012, targeting banks allegedly in retaliation for the posting of a video to YouTube that offended many Muslims. U.S. officials believe that Iran is carrying out or funding the attacks, according to a January report in The New York Times. The servers used in the attacks have also been used for criminal purposes, suggesting that the attackers are using criminal activities to fund the attacks or hiring time on criminal botnets to boost their capabilities.

The current attacks have targeted Bank of America, BB&T, CapitalOne, Citibank, Fifth Third Bancorp, JPMorgan Chase, PNC, UnionBank, and U.S. Bank, according to the QCF post.

The attacks are meant to be a nuisance to banks and cost them money, not take them offline, Arbor’s Morales said.

“This whole thing strikes me as a huge amount of saber rattling,” he said. “This is not about taking down the financials. If that was the case, they would not announce it.”

Defending against distributed denial-of-service (DDoS) attacks is not cheap. In a report released on March 12, managed-security firm Solutionary estimated that organizations spend as much as $6,500 an hour to recover from DDoS attacks—a number which does not include any lost revenue due to downtime.

The incidents do not seem like the work of hacktivists, who, in the past, attacked a company or site only long enough to gain attention and then moved on. The focus of the QCF group on repeatedly hitting the same targets for many months suggests other motivations, said Morales.

In its “State of the Internet” report for the third quarter of 2012, Internet security and content-delivery platform Akamai came to the same conclusion.

“While the attackers claimed to be hacktivists protesting a movie, the attack traffic seen by Akamai is inconsistent with this claim,” the company stated in the report. “The amount of attack traffic that was seen during these attacks was roughly 60 times larger than the greatest amount of traffic that Akamai had previously seen from other activist-related attacks. Additionally, this attack traffic was much more homogenous than we had experienced before, having a uniformity that was inconsistent with previous hacktivist attacks.”



The resumption this week of distributed denial of service attacks against major U.S. banks brought not only more cost and disruption to financial institutions trying to keep online services available, but it also raised new questions about the funding and true motives behind the attacks.

A number of service disruptions were reported this week as Izz ad-Din al-Qassam Cyber Fighters lived up to their promise on Pastebin to kick off a third round of DDoS attacks in protest of the continued availability of the movie “Innocence of Muslims” on YouTube. These attacks, however, are much different than the one-and-done types of DDoS attacks preferred by other socially and politically motivated groups.

Banks are no stranger to DDoS attacks, but since September, these attacks in particular have been noteworthy for the amount of traffic generated toward the banks, as well as for their targeting of applications and specific features available on the banking sites, the steady growth in the number of web servers used in the attacks, and the automated tools being used. Add it all up and it equals some hefty funding and know-how, either hackers bred in-house, or contracted from the outside.

“There’s no doubt in my mind that this is well funded at some level,” said Arbor Networks director of security research Dan Holden. “There’s no way this can go on for this long and with this type of investment without someone caring. Historically, if you look at hacktivism, it’s been driven by some sort of incident and usually they can’t drive an operation for this long. Usually they just lose interest.”

Attribution is always challenging in any kind of attack and it’s premature to call these attacks state-sponsored, but there has been skepticism from the outset about this particular campaign. Dmitri Alperovitch, cofounder and CTO of security company CrowdStrike, told Threatpost in September that the protestations over the movie were a red herring.

“I don’t buy that their motivation is in response to the video; this group has been carrying out attacks for months,” he said. “Their motivation is to send a message that this is what they’re capable of.” Alperovitch said the group’s name is the same as the military wing of Hamas and that it claims to have a Jihadist cause. “If a terrorist group is interested in sending a message to us, this is one way of doing so. It’s a relatively inexpensive and powerful message.”

The group behind these attacks has evolved its capabilities and is using a number of automated toolkits, including Brobot and itsoknoproblembro, to carry out not only high-volume attacks of upwards of 70-100 Gbps, but to do so against simultaneous targets. And this is more than just flooding a banking site with hundreds of thousands of SYN packets; the attacks are also application-centric. In some cases, they’re going after application log-ins or trying to continuously download large files such as user agreements, policy statements and more.

The attackers are also using compromised web servers to fire off these requests and, according to experts, seem to be using simple Google searches to find servers with PHP vulnerabilities or other easily exploitable flaws. A web server has far more bandwidth than a compromised home machine, thousands of which make up the traditional botnets used in DDoS campaigns. Owning a web server, very much an old-school method of DDoS attack, is much more efficient for the attacker than waiting for clients to become infected through a Java exploit and malware, for example.
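As an added illustration of the application-layer pattern just described (requests aimed at log-in endpoints and repeated downloads of large files rather than raw SYN floods), the following is example detection code written for this page; it is not a tool from the article or from any of the vendors quoted here. It is the kind of rate-based correlation rule that a SIEM, as discussed in the tips above, could run over web-server access logs: parse each line, classify the request, and alert when one client exceeds a per-kind threshold inside a sliding 60-second window. The endpoint paths, the 1 MB "large file" cut-off, the window length and the thresholds are assumptions to be tuned per site, and the log lines are constructed using RFC 5737 documentation addresses.

```python
"""Rate-based detection of application-layer HTTP floods from access logs.

Added example (not from the article). The log lines are constructed, the
endpoint names and thresholds are hypothetical, and the SIEM-style
correlation is simplified to a per-client sliding window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx common-log-format prefix; trailing referer/UA fields are ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical site-specific tuning knobs (assumptions, not from the page).
LOGIN_PATHS = {"/login", "/auth/login"}                 # application log-in endpoints
LARGE_FILE_BYTES = 1_000_000                            # "large file" cut-off, e.g. PDFs
WINDOW = timedelta(seconds=60)                          # sliding window per client
THRESHOLDS = {"login-flood": 20, "download-flood": 10}  # events per window


def parse_line(line):
    """Parse one access-log line into a dict, or return None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def classify(rec):
    """Map a parsed request to the flood type it could be part of, or None."""
    if rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
        return "login-flood"
    if rec["method"] == "GET" and rec["size"] >= LARGE_FILE_BYTES:
        return "download-flood"
    return None


def detect(lines):
    """Return sorted (ip, kind, peak_count) triples for clients that exceed the
    per-kind threshold inside any window (lines assumed time-ordered per client)."""
    windows = defaultdict(deque)   # (ip, kind) -> timestamps inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        key = (rec["ip"], kind)
        q = windows[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > WINDOW:   # expire events older than the window
            q.popleft()
        if len(q) >= THRESHOLDS[kind]:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return sorted((ip, kind, n) for (ip, kind), n in peaks.items())


def _fmt(ip, ts, method, path, status, size):
    """Render one constructed common-log-format line."""
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"{method} {path} HTTP/1.1" {status} {size}')


def sample_log():
    """Constructed log: one client hammering the login form, one repeatedly
    pulling a large PDF, and one ordinary visitor (RFC 5737 documentation IPs)."""
    base = datetime(2013, 3, 5, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):   # 25 login POSTs in 25 seconds
        lines.append(_fmt("203.0.113.7", base + timedelta(seconds=i),
                          "POST", "/login", 401, 512))
    for i in range(15):   # 15 fetches of a 2.5 MB user agreement in 30 seconds
        lines.append(_fmt("198.51.100.9", base + timedelta(seconds=2 * i),
                          "GET", "/legal/user-agreement.pdf", 200, 2_500_000))
    for i in range(5):    # a normal visitor: small pages, then one login
        lines.append(_fmt("192.0.2.10", base + timedelta(seconds=10 * i),
                          "GET", "/index.html", 200, 4_096))
    lines.append(_fmt("192.0.2.10", base + timedelta(seconds=55),
                      "POST", "/login", 200, 128))
    # detect() only needs per-client ordering, but sort to mimic a real log
    return sorted(lines, key=lambda l: parse_line(l)["ts"])


if __name__ == "__main__":
    for ip, kind, n in detect(sample_log()):
        print(f"{ip}: {kind} ({n} requests within {WINDOW.seconds}s)")
```

Counting per client is deliberately the weakest link: the article notes the attackers spread traffic across dozens of compromised web servers, so a production rule would also aggregate by endpoint (total login POSTs or bytes served for one PDF per window) to catch a flood whose individual sources each stay under the per-client threshold.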

“The average home user has 10 Mbps capabilities with broadband, with an upload speed of 1.5 Mbps. To use that as a tool to attack the banks, to get 70 Gbps, I would need 70,000 users,” said Barry Shteiman, senior security strategist at Imperva. “Web servers by design are supposed to serve a large amount of users with half or 1 Gbps of upload speed. I would need only 70 to 150 servers to get the same result.”

Taking this approach, Shteiman said, keeps costs down for an attacker. Using a Google search can render a long list of vulnerable web servers that are easy to find and difficult to patch. This is much simpler than writing or buying an exploit that bypasses a lot of client-side protections.

“If I know it’s going to take a lot of effort and money and bypass protections on user platforms, I need to find the best vector,” Shteiman said. “On websites, a lot of vulnerabilities are far less patched; we know most organizations are not covering Web threats.”

The banks, meanwhile, are defending well against these attacks, experts said, though they too have to spend more and evolve as attacks do.

“The attackers’ focus on a particular site is increasing because the banks’ defenses are so good at this point,” Arbor’s Holden said. “DDoS is not a set-and-forget type of defense. Because these attacks are so targeted a lot of people are no doubt still involved in defending against them; a lot of folks are not sleeping right now.”

Holden said he’s not surprised, given the presumed funding, that the attacks and capabilities have grown.

“They have to in order to keep the campaign growing,” he said. “I expect to see further tool development, possibly targeted tools depending on how a bank website is built and structured. They’re learning about defenses for each particular site. Based on what they learned and what’s working, they are able to create tools with a particular site in mind.”


JEA’s website has been hit by a “denial of service attack,” knocking out the company’s website and payment system.

The Jacksonville-based utility told our news partner Action News Jax that it is being “inundated with data,” starting overnight Sunday.

As of 2:15 p.m. Tuesday, the site was still down.

The problem is a “corporate internet connectivity event,” JEA said, and is impacting payments through its automatic phone system.

Payments made through third parties, such as Winn-Dixie and the tax collector, are being processed. Payments are still being taken at JEA’s Downtown office and requests for stop/start and reconnect orders are working as well.

There is no timeline for a fix, Action News Jax reports.

Attacks on large companies’ websites and servers have been frequent in recent months. SunTrust was hit by a cyber attack in October 2012, and Bank of America, Chase and Citi were attacked by Iranian hackers the month before.

The attacks led several of the major banks to ask the government for help in blocking the Iranian attacks.

JEA is the seventh-largest community-owned electric utility in the United States and one of the largest water and sewer utilities in the nation providing electric, water and sewer service to residents and businesses in northeast Florida.