The Boston Globe

Business

Boston.com

Six big banks targeted in online attacks

Group claims credit, cites anger over Islam video

By Nicole Perlroth

 |  New York Times  

  October 01, 2012

A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters said it was beind the denial-of-service attack on Bank of America and other institutions.

Stan Honda /AFP/Getty Images/file2012

A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters said it was beind the denial-of-service attack on Bank of America and other institutions.

NEW YORK — Six major US banks were hit in a wave of computer attacks last week, by a group claiming Middle Eastern ties, that caused Internet blackouts and delays in online banking.

Frustrated customers of Bank of America, JPMorgan Chase, Citigroup, US Bank, Wells Fargo, and PNC, who could not get access to their accounts or pay bills online, were upset because the banks had not explained clearly what was going on.

‘‘It was probably the least impressive corporate presentation of bad news I’ve ever seen,’’ said Paul Downs, a small-business owner in Bridgeport, Pa. ‘‘This is extremely disconcerting.’’

The banks suffered denial-of-service attacks, in which hackers barrage a website with traffic until it is overwhelmed and shuts down. Such attacks, while a nuisance, are not technically sophisticated and do not affect a company’s computer network — or, in this case, funds or customer bank accounts. But they are enough to upset customers.

A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters — a reference to Izz ad-Din al-Qassam, a Muslim holy man who fought European forces and Jewish settlers in the Middle East in the 1920s and 1930s — took credit for the attacks in online posts.

‘It was probably the least impressive corporate presentation of bad news I’ve ever seen.’

Quote Icon

The group said it had attacked the banks in retaliation for an anti-Islam video that mocks the prophet Muhammad. It also pledged to continue to attack US credit and financial institutions daily, and possibly institutions in France, Israel, and Britain, until the video is taken offline. The New York Stock Exchange and Nasdaq were also targeted.

On Friday, PNC became the latest bank to experience delays and fall offline. Customers said they had been unable to access PNC’s online banking site, and those that visited the bank’s physical locations were told it was because PNC, and many others, had been hacked.

Fred Solomon, a PNC spokesman, said Friday afternoon that the bank’s website was back online, but that it was still working to restore online bill payment. Asked why the bank was not better able to withstand such an attack, he said that while PNC had systems in place to prevent delays and disruption from hacker attacks, in this case ‘‘the volume of traffic was unprecedented.’’

Representatives for other banks also confirmed that they had experienced slow Internet performance and intermittent downtime because of an unusually high volume of traffic.

Security researchers said the attack methods were too basic to have taken so many US bank sites offline. The hackers appeared to be enlisting volunteers for the attacks with messages on various sites.

On one blog, they called on people to visit two Web addresses that would cause their computers to flood banks with hundreds of data requests a second. They asked volunteers to attack banks according to a timetable: Wells Fargo on Tuesday, US Bancorp on Wednesday, and PNC on Thursday.

But experts said it seemed implausible that this method would create an attack of this scale.

‘‘The number of users you need to break those targets is very high,’’ said Jaime Blasco, a security researcher at AlienVault who has been investigating the attacks. ‘‘They must have had help from other sources.’’

Those sources, Blasco said, would have to be a group with money, like a nation, or botnets — networks of infected computers that do the bidding of criminals. Botnets can be rented through black-market schemes that are common in the Internet underground, or lent out by criminals or governments.

Last week, Senator Joseph I. Lieberman, Independent of Connecticut and chairman of the Homeland Security Committee, said in an interview on C-SPAN that he believed Iran’s government had sponsored the attacks in retaliation for Western economic sanctions. The hacker group rejected that claim. In an online post, it said that the attacks had not been sponsored by a country and that its members ‘‘strongly reject the American officials’ insidious attempts to deceive public opinion.’’

James A. Lewis, a computer security expert at the Center for Strategic and International Studies, said that in this case, the attack methods used were ‘‘pretty basic’’ to have been state-sponsored.

But he added that even if the attacks were not the work of Iran’s government, the state would be aware of them because Iran monitors its networks extensively.

For Downs, the small-business owner in Pennsylvania, such explanations were of little consolation. ‘‘A major bank has a problem and gives no indication of what’s happening, when it started, or when it will stop,’’ he said. ‘‘That’s pretty freaky if it’s your own business’s money and you need to do things with it.’’