Distributed denial of service attacks have been used to divert security personnel attention while millions of dollars were stolen from banks, according to a security researcher.
At least three US banks in recent months have been plundered by fraudulent wire transfers while hackers deployed "low powered" DDoS attacks to mask their theft, Avivah Litan, an analyst at research firm Gartner, told SCMagazine.com. She declined to name the institutions affected but said the attacks appeared unrelated to the wave of DDoS attacks last winter and spring that took down Web sites belonging to JP Morgan , Wells Fargo, Bank of America, Chase, Citigroup, HSBC, and others.
"It wasn't the politically motivated groups," she said. "It was a stealth, low-powered DDoS attack, meaning it wasn't something that knocked their website down for hours."
Litan described the attack method in a blog post last week that warned banks' losses could have been much greater.
"Once the DDoS is underway, this attack involves takeover of the payment switch (eg, wire application) itself via a privileged user account that has access to it," she wrote. "Now, instead of having to get into one customer account at a time, the criminals can simply control the master payment switch and move as much money from as many accounts as they can get away with until their actions are noticed."
Litan, an expert in financial fraud and banking security, did not describe how attackers gained access to the wire payment switch at banks, but she offered banks advice on how they might better protect themselves.
"One rule that banks should institute is to slow down the money transfer system while under a DDoS attack," she wrote. "More generally, a layered fraud prevention and security approach is warranted."
Security researchers have previously highlighted the growing trend of using DDoS attacks to hide fraudulent activity at banks. The Dell SecureWorks Counter Threat Unit issued a report (PDF) in April to warn that a popular DDoS toolkit called Dirt Jumper was being used to divert bank employees' attention from attempted fraudulent wire transfers of up to $2.1 million.
In a joint statement (PDF) issued last September with the Financial Services Information Sharing and Analysis Center and the Internet Crime Complaint Center, the FBI warned that the $200 Dirt Jumper toolkit was being used as a smokescreen to cover fraudulent wire transfers conducted with pilfered employee credentials.
"In some of the incidents, before and after unauthorized transactions occurred, the bank or credit union suffered a distributed denial of service (DDoS) attack against their public Website(s) and/or Internet Banking URL," the report said. "The DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer."