Industry Spotlight: DDoS Attacks Against Commercial Banks And Payment Card Processors

Richard Hummel, ASERT Threat Intelligence Lead for NETSCOUT, discusses DDoS attacks and explains what financial services can do to defend themselves against them.

As the world continued to feel the effects of the Covid-19 pandemic, online activity remained at a high level during the first half of 2021. Cybercriminals took advantage of this by launching a staggering 5.4 million Distributed Denial-of-Service (DDoS) attacks from January to June 2021, according to the latest NETSCOUT Threat Intelligence Report. These attacks were to disrupt the accessibility and performance of organisations’ online services by intentionally flooding them with traffic. If this level of activity were to continue, the world would be on track to hit close to 11 million DDoS attacks in 2021, which would be a record for a calendar year, surpassing the current record of 10 million attacks which was set in 2020.

In terms of targets, the finance industry was once again on the receiving end of a large number of DDoS attacks, with the report finding that upwards of 50 percent of organisations targeted by DDoS extortion attacks operated in the financial sector. This aligns with a prime target base of the Lazarus Bear Armada DDoS extortion attack campaign, the group responsible for a series of attacks against global financial institutions and organisations, including the New Zealand stock exchange, which began in August 2020.

Looking more specifically at DDoS attacks against commercial banks and payment card processors, the report discovered that more than 7,000 DDoS attacks were launched in the first half of 2021 against these services. While at first glance attack activity against these entities may seem minor when compared to the overall figures, a number of these attacks were successful and had a detrimental effect on both the targeted businesses and downstream consumers trying to operate their credit cards.

What types of attacks are cybercriminals launching against this sector?

Reviewing DDoS attack activity against payment card processing organisations provides us with a handy barometer for changing trends in the tactics of threat actors. As cybercriminals continue to adopt increasingly complex attack techniques, it is apparent that there has been a shift concerning the way in which attack vectors are being utilised.

For example, evidence shows that threat actors have tailored their attack types to overwhelm the multiple layers of on-premises and cloud-based DDoS mitigation in place in order to penetrate organisations’ online infrastructure. In particular, they have increasingly used TCP ACK flood attacks that are designed to overwhelm and inhibit connections between servers against well-known commercial banks and payment card processing services. This has resulted in institutional customers of these services, as well as end customers, being affected by outages and downtime. 

Even a few minutes of downtime can have severe consequences. As credit card processors are capable of servicing around 5,000 transactions every second, a minute of downtime can lead to millions of pounds of lost revenue, not to mention the negative impact this would have on a business’s brand and its customer churn.

How can these services defend themselves?

It is becoming increasingly challenging for businesses in payment card processing to defend themselves from DDoS attacks. In one instance, we observed attackers utilising widely known reflection/amplification vectors to overwhelm the initial layer of protection, after which they used TCP ACK flood attacks to overcome secondary defences. As such, it’s clear that cybercriminals are conducting a thorough amount of research into their targeted organisations’ DDoS mitigation systems prior to attacking, demonstrating the adaptive nature of skilled attackers. It is therefore vital for organisations operating in this sector to have a strong and effective DDoS defence system in place.

By investing in a robust DDoS mitigation system, businesses need not worry about their public-facing online infrastructure if they happen to be hit by a DDoS attack, as the system will be capable of effectively defending the infrastructure. This gives organisations full confidence in the DDoS defence system’s ability to prevent an attack from having a potentially devastating impact. When looking at those companies that have proactively secured their systems by installing an effective DDoS protection system, they have, for the most part, been able to keep the damage done by an attack to a minimum.

What’s more, commercial banks and payment card processors must also have a fool-proof plan of action in place in the event they’re on the receiving end of a DDoS attack. Businesses need to know who to contact and alert should they be the target of a DDoS attack. For example, local regulatory bodies, key stakeholders and security suppliers need to be informed.

Adding to this, organisations in the payment card processing sector should consider having an on-demand DDoS attack expert available to them at all times. Through the use of such an expert, companies will be capable of negotiating unfamiliar circumstances – something which could prove to be extremely beneficial for the company when problem-solving future threats. Due to the constantly changing nature of DDoS attack techniques, an expert can help an organisation to improve its success rate in terms of defending its online infrastructure from DDoS attacks.

With the types of DDoS attacks that cybercriminals are launching continuing to become increasingly complex and difficult to defend, organisations in the payment card processing sector must invest in security that is capable of blocking these sophisticated attacks. This will put these companies in a strong position to protect themselves from threat actors should they be the target of a DDoS attack.

Comments are closed.