Prominent Group of DDoS Attackers Announce Phase 4

Izz ad-Din al-Qassam Cyber Fighters, the group behind three phases of distributed-denial-of-service attacks against banks since last September, now says more attacks against U.S. banks are on the way. The group made its announcement in a July 23 posting on the open forum Pastebin.

al-Qassam Cyber Fighters hasn’t attacked since the first week of May, when it announced it was halting attacks for the week in honor of Anonymous’ Operation USA. The group has remained quiet since then, apparently bringing to a close its third phase of attacks, which began March 5 (see New Wave of DDoS Attacks Launched).

Experts who’ve been following the group’s DDoS attacks say this fourth phase was expected and likely will follow the pattern of earlier phases.

“The QCF always start out a phase of Operation Ababil with something new,” says Mike Smith of online security provider Akamai Technologies. “It might be new targets, a larger botnet, new techniques, etc. This is how they try to evade the protections that the targets have deployed. They’ve also demonstrated a bit of showmanship in the past with announcing the attack before they resumed hostilities, and this could be another tactic to generate more press buzz.”

‘A Bit Different’
In its most recent post, al-Qassam Cyber Fighters says: “Planning the new phase will be a bit different and you’ll feel this in the coming days.”

John LaCour, CEO of cyber-intelligence firm PhishLabs, says the group’s plans for different attacks are in response to banking institutions’ heightened DDoS-mitigation strategies. “Major banks had improved their defenses prior to the quiet period,” he says. “If new types of attacks appear, then banks will need to be prepared to respond quickly to prevent significant impact to their online services.”

Based on the impact of the first three phases of DDoS attacks, LaCour notes: “Today’s announcement should put financial organizations on high alert for future attacks seeking to disrupt their online operations.”

In its post, al-Qassam also says, “The break’s over and it’s now time to pay off. After a chance given to banks to rest awhile, now the Cyber Fighters of Izz ad-Din al-Qassam will once again take hold of their destiny.”

Brobot’s Growth
So far, the only activity DDoS experts have noted is growth and maintenance of the botnet, known as Brobot, used in the previous three phases. No attack activity against banking institutions was apparent as of the afternoon of July 23.

Although experts did not directly link PDF download attacks waged in late June against two mid-tier banks to al-Qassam, some speculated those may have been a test for the next phase of attacks (see Another Version of DDoS Hits Banks).

LaCour told Information Security Media Group in early July that new code files linked to Brobot had been identified on compromised web servers the hacktivists had taken over. “The new code we see on these web servers is one of the strong indicators that the botnet is being rebuilt,” he pointed out.

The code behind the malware had changed and included configurations not seen in the first three phases, LaCour said.

Multiple Phases
Phase three of the attacks, which ran for eight weeks, lasted longer than the earlier phases. The first campaign, which began Sept. 18, lasted six weeks. The second campaign, which kicked off Dec. 10, lasted only seven weeks.

Experts won’t speculate about how long this fourth phase might last, although al-Qassam does include a complex formula in its July 23 post to hint at how long the attacks could drag on.

But financial fraud expert Avivah Litan, an analyst with the consultancy Gartner Inc., says the timing of this latest announcement is not surprising, given that she believes there’s little doubt these attacks are backed by Iran.