
Wednesday, 28 August 2013

Cybercrooks use DDoS attacks to mask theft of banks' millions

Distributed denial of service attacks have been used to divert security personnel's attention while millions of dollars were stolen from banks, according to a security researcher.
At least three US banks in recent months have been plundered by fraudulent wire transfers while hackers deployed "low powered" DDoS attacks to mask their theft, Avivah Litan, an analyst at research firm Gartner, told SCMagazine.com. She declined to name the institutions affected but said the attacks appeared unrelated to the wave of DDoS attacks last winter and spring that took down Web sites belonging to JP Morgan, Wells Fargo, Bank of America, Chase, Citigroup, HSBC, and others.
"It wasn't the politically motivated groups," she said. "It was a stealth, low-powered DDoS attack, meaning it wasn't something that knocked their website down for hours."
Litan described the attack method in a blog post last week that warned banks' losses could have been much greater.
"Once the DDoS is underway, this attack involves takeover of the payment switch (eg, wire application) itself via a privileged user account that has access to it," she wrote. "Now, instead of having to get into one customer account at a time, the criminals can simply control the master payment switch and move as much money from as many accounts as they can get away with until their actions are noticed."
Litan, an expert in financial fraud and banking security, did not describe how attackers gained access to the wire payment switch at banks, but she offered banks advice on how they might better protect themselves.
"One rule that banks should institute is to slow down the money transfer system while under a DDoS attack," she wrote. "More generally, a layered fraud prevention and security approach is warranted."

China's Internet hit by DDoS attack; sites down for hours

China's Internet was taken down in an attack on Sunday that could have been perpetrated by sophisticated hackers or an individual, security experts say.
According to The Wall Street Journal, which earlier reported on the outage, China on Sunday was hit with what the government has called the biggest distributed denial-of-service attack ever to rock its ".cn" sites. The attack, which lasted up to four hours, according to security company CloudFlare, left many sites with the .cn extension down. According to the Journal, parts of the affected sites were still accessible during the outage, due mainly to site owners storing parts of their pages in cache.
In a statement on the matter, the government-run China Internet Network Information Center confirmed the attack, saying that it was indeed the largest the country has experienced. The center said it is gradually restoring services and will work to improve the top-level domain's security to safeguard against similar attacks.
It's not currently known who attacked the Chinese domain. However, in a statement on the matter, CloudFlare CEO Matthew Prince said that while it's possible a sophisticated group of hackers took .cn down, "it may have well been a single individual."
