Bank Website Attacks Reach New Highs

Enrico Fianchini | E+ | Getty Images

Major U.S. bank websites have been offline a total of 249 hours in the past six weeks, perhaps the clearest indication yet that American companies are prime targets in an unrelenting, global cyber conflict.

The heavier-than-usual outages are the result of a remarkable, sustained attack that began seven months ago and repeatedly knocks banks offline for hours at a time, frustrating consumers and bank security professionals alike.

"Literally, these banks are just in war rooms, sitting at controls trying to stop (the attacks)," said Avivah Litan, a bank security analyst with Gartner Group, a consulting firm. "The frightening thing is (the attackers) are not using as much resources as they have on call. The attacks could be bigger."

The denial of service reports were hardly noteworthy at first, hidden in the wake of news that U.S. embassies were under siege during the week of September 11, 2012. But in short order, Bank of America, Wells Fargo, PNC and a number of other banks suffered hours-long website outages.

A group calling itself Izz ad-Din al-Qassam Cyber Fighters released an anonymous statement saying it was attacking banks in sympathy with real-world protestors who were reacting to an anti-Islam film that had been posted online.

Seven months later, the group is still taunting the U.S. financial system, with notice almost daily from another bank that had to apologize for letting down its customers. American Express and Wells Fargo issued statements last week saying they suffered outages. Even with advance notice, the biggest financial institutions in the world can't seem to stop them.

No one interviewed for this story believes that a perceived insult over a Web movie is the attackers' motivation, as the al Qassam messaging has stated. Though some considered that it might be the work of attention-seeking teen-aged hackers, they would likely have grown bored, or run out of resources, long ago.

In the fall, national security officials speaking on background told several media outlets, including NBC News, that they suspected the Iranian government was behind the attacks. It seems certain that an organized group, with both a political motive and the ability to fund the operation, is to blame.

Keynote Systems, which provided the compilation of bank outages exclusively to NBC News, measures website availability by checking sites every five minutes and logging the results. (To see a chart of these attacks, click here.)

It works with major banks to set up "dummy" accounts so its computers can log in and make sure online banking services are available, and constantly checks the largest 15 U.S. banks.

Websites go offline for a variety of reasons — late-night software upgrades, for example — and some outages are to be expected, said Aaron Rudger, a Keynote spokesman.

Still, 249 hours during a six-week period (ending March 31) is significant, indicating those bank websites were unavailable for about 2 percent of the time during that stretch.

For comparison, during the same six weeks a year ago, the same bank websites were down 140 hours. Keynote has no way of knowing why a site is unavailable, but Rudger was comfortable inferring that the so-called al-Qassam attacks were responsible for most of the increase.

Rodney Joffe issued chilling advice to banks preparing for an al Qassam-style attack last fall: Prepare a sincere-sounding apology, he said at the time. Given the volume of apologies since then, he turned out to be right.

"It goes on and on and on ... It's like they are kicking sand in someone's face, reminding people that they are there," said Joffe, who is senior technologist at Internet infrastructure company Neustar, which helps companies fight denial of service attacks.

"You just have to ask yourself, 'Why?' (The attackers) just seem to enjoy being able to say 'On an ongoing basis, we can make life uncomfortable for your banking industry.'"

Not everyone thinks the bank site outages are such a big deal.

Michael Smith, director of the customer security incident response team at Akamai Technologies, which provides website performance optimization and security for some of the companies targeted in the attacks, points out that customers have plenty of other ways to manage their money, and the outages haven't amounted to much more than an irritant.

More importantly, he says al Qassam has begun targeting smaller banks and other kinds of websites as larger banks become more successful at fending off their attacks or shortening the outages.

The attackers also took a hiatus for part of February—Smith says to invent new attack techniques, probably—and have ceased tipping off targets ahead of time with weekly press releases.

"We aren't seeing as many notifications that sites are down as we were. The impact just is not as dramatic as it was," Smith said. "They are changing tactics and trying to generate more attention, more press."

Joffe says this is part of their strategy.

"The bad guys here are using just enough of their firepower to achieve their objectives and not more," Joffe says. "They are creating a disruption to the banking industry. ... We already know if they wanted to make it bigger attack, they could, but it seems pretty clear that's not their intention."

More from NBC News:

Celebrity hackers stole data from, Equifax says

Google pays $7 million to settle 'Wi-Spy' case filed by states

Why consumer agency must go, and why it should be saved