The attacks apparently occurred from about 10:30 a.m. until 2:30 p.m. ET on Tuesday, says one DDoS-tracking source, who requested anonymity. "We have not seen anything yet today," the source told Information Security Media Group on Jan. 29. Both banks' websites were up and running midday Jan. 29.
The European Cyber Army claims to have targeted the United States' two leading banking institutions without warning, according to a string of tweets the group posted Jan. 28. But the attackers suggest a target list may soon be released.
"First it was the Bank of America! Now it's Chase banking! Strike Package FoxTrot nukes Chase's Website! #Nuked >>> http://Chase.com ," one tweet reads. A later tweet states, "All Your BandWidth will Velong [belong] to the European Cyber Army! We will be Releasing a possible Target List soon!"
The European Cyber Army has recently taken credit for DDoS attacks against other organizations and sectors, including the federal court system, according to tweets posted by the group and various news media reports. Since the beginning of January, the group has been linked to disruptive online attacks waged against various companies and organizations in the U.S., Asia, Europe and the Middle East, according to news reports.
Bank of America and Chase did not immediately respond to Information Security Media Group's request for comment about the alleged attacks.
But customer comments posted on Twitter on Jan. 28 complained of online outages at the two banks. And several executives at organizations that track DDoS activity confirm that they saw indications two leading U.S. banks were hit Jan. 28. Two of those sources, who asked to remain anonymous, say the attacks appeared to be aimed at BofA and Chase. They say both banks suffered significant DDoS strikes similar to the size of the attacks waged by the self-proclaimed hacktivist group Izz ad-Din al-Qassam Cyber Fighters against U.S. banking institutions from the fall of 2012 to the summer of 2013 (see DDoS: Prepare for the Next Wave).
While Izz ad-Din al-Qassam's attacks appeared to have stopped in August of 2013, numerous DDoS-tracking sources say they have linked the Jan. 28 attacks to al-Qassam's botnet, known as Brobot.
The Jan. 28 attacks used an old SQL injection vulnerability to install "backdoors" that ran traffic generating code, says John LaCour of PhishLabs, an online security firm that tracks cyber-attacks. LaCour was the only DDoS-tracking source willing to go on the record.
"PhishLabs has confirmed that recent exploitation of Kloxo control panel software is related to DDoS attacks launched on January 28th," he says.
The Financial Services Information Sharing and Analysis Center, which in October 2012 spearheaded industry information sharing to mitigate DDoS risks, would not comment about Jan. 28's alleged strikes against BofA and Chase.
Customer complaints posted on Twitter about difficulty accessing BofA's and Chase's online banking platforms suggest interruptions in service cropped up Jan. 28.
"Hello @BofA_Help. You know what would really "help"? A status on the online banking outage. Thanks so much. #BofA," one comment tweeted at 9:28 a.m. ET on Jan 28 reads. At 8:43 a.m. ET on Jan. 28, the online monitoring site known as SiteDown.com sent this tweet: "Bank of America site is down or having issues, based on traffic and reports at http://sitedown.co/bank-of-america #BankOfAmerica #bofa."
Regarding Chase, a user noted Tuesday afternoon that the site could not be found: "@ChaseSupport so any word on your website? it seems to not exist currently. Nothing responds and website is unavailable #chasebank."
During the same time frame, another user tweeted, "Can't sign on to #chasebank again. Getting kinda tired of this. Get it together people."
A third noted: "#chasebank website is down. Noooooooooo work can be completed now #WorkInappropriate."