Share story

SAN FRANCISCO — The hackers often struck late on Fridays, starting about a year ago, sending skeleton crews at more than a dozen European banks rushing to keep bombardments of digital gibberish from crashing their websites.

Damaging as the bandwidth-choking attacks were, they were merely smoke screens. Once employees dropped their guard to fight one attack, hackers struck again, exploiting the openings to steal account information and create counterfeit debit cards.

One attack was so fast that within two hours $9 million was withdrawn from automated teller machines in 46 cities, according to Francis deSouza, president of products and services for Symantec, the Mountain View, Calif., information-security company that investigated the incidents.

Symantec’s findings show that the attacks, which have been around for years, have evolved from nuisances causing temporary website outages into one of the cheapest and most effective ways to rob banks. They’ve become the online equivalent of a common street hustle, with the initial assault being the shiny object that distracts bank security teams long enough to pick customers’ pockets.

Tens of millions of dollars were stolen in the past year in two-pronged attacks that banks didn’t notice until customers complained or investigators later uncovered the breaches, said Samir Kapuria, a Symantec vice president who led the research.

“The problem is everyone is focusing on the fact someone has set fire to your front yard, and while you’re staring at the front yard someone is coming in through the back door,” said Tom Kellermann, a former security specialist with the World Bank and now vice president of cybersecurity for Trend Micro, a Tokyo security-software maker.

The attacks targeting banks are known as distributed denial-of-service, or DDoS, in which hackers flood a computer system with information to shut it down.

While some banks have acknowledged the attacks have damaged their websites, Symantec’s research shows hackers have reached deeper than institutions have been willing to acknowledge.

The websites of U.S. banks were down a record 249 hours in six weeks in February and March, when they were being heavily attacked, according to Keynote Systems, a San Mateo, Calif., company that measures websites’ response times.

The U.S. Comptroller of the Currency, in an alert in December, said DDoS attacks previously regarded as political statements have become part of broader invasions aimed at compromising customer accounts. It didn’t give examples, and Stephanie Collins, an agency spokeswoman, declined to comment beyond the alert.

Symantec’s research focused on European banks, and it’s not clear what losses U.S. banks and their customers have sustained in similar attacks.

Only Citigroup among the largest U.S. banks has disclosed losses from DDoS and other cyberattacks to investors this year. It characterized them only as “certain limited losses in some instances.”

A group calling itself Izz ad-Din al-Qassam Cyber Fighters has taken responsibility for attacks against Bank of America, JPMorgan Chase, PNC Financial Services and others, claiming they were in response to a video uploaded to YouTube ridiculing the Prophet Muhammad and offending some Muslims.

Iran’s government and its elite Qods Force were probably behind the attacks, retaliating against U.S.-led economic sanctions, now retired Sen. Joe Lieberman, then chairman of the Homeland Security Committee, said in September.

The two-pronged attacks have taken several forms, according to Kellermann and Synmantec officials who have analyzed their patterns.

In the more common form, hacking groups plant malicious software inside a bank’s systems, then wait until they notice another group, such as Izz ad-Din or Anonymous, mounting a distributed denial-of-service attack. At that point, they swoop in, activate their software and raid compromised accounts.

The approach brings together unlikely groups: cybercriminals who break into computers to steal money, and cyberwarriors who hack to make political statements.

“We are already seeing a convergence of DDoS attacks and fraud, in some cases by the same actors who are not the Iranians but are other opportunistic gangs,” Avivah Litan, a banking-security analyst with research firm Gartner.

“We are also seeing the different actors borrow, buy and steal from each other, so that cybercriminals are using cyberwarrior tactics and code, and cyberwarriors are using cybercriminal tactics and code,” Litan said. “The big question is whether the nation-state actors, i.e. the Iranians, will start stealing money out of accounts.”

Some of the more sophisticated Eastern European hackers now mount both stages of attacks themselves, Kellermann said.

DDoS attacks can be effective diversions because they can overwhelm fraud-detection systems and banks react strongly to them, out of concern that website outages will damage their reputations, Kellermann said.

The two-pronged approach also helps explain why bank websites often haven’t crashed for more than brief periods: because hackers don’t want them to.

Often they’ve crippled sites just enough so they can access target accounts while customers can’t, and therefore won’t notice their money’s gone until after the attacks end, Litan said.

Many banks are now being hit with assaults on their phone and data networks at the same time, said Jim Grubb, a vice president at Cisco Systems.

The idea is to prevent customers from being able to access their accounts online or over the phone while criminals are withdrawing money from ATMs or racking up credit- card charges.

Last year, Grubb described an attack against a bank’s phone network that prevented customers from calling in to stop fraudulent transactions.

Banks need denial-of-service protections that go beyond defenses offered by their network providers, which often can’t detect attacks on the banks’ specific applications, Gartner’s Litan said. They also need to increase training for call-center staff to spot suspicious transactions, he said.

And in the worst-case scenario? “An emergency off button to stop all money transfers,” Litan said. “This should never have to be used but is important to have, just in case.”