American Express joins the ranks of US banks attacked by al-Qassam group

The al-Qassam group has long been tied to Iran by US officials. The group itself says it is purely a protest group against the video, and that it will cease its action once the video is removed from the internet (it is available on YouTube, and Google has said that since the video conforms to the YouTube terms of use it will not be removed). When the current phase of attacks against US banks began – this is the third – the al-Qassam group warned that it would attack US banks during working hours on Tuesday, Wednesday and Thursday each week.

An article published in Ars Technica on Saturday makes the point that the Izz ad-Din al-Qassam group is well funded. It quotes Arbor Networks’ Dan Holden: "Regardless of who's behind this, it has to be funded at some level. Even if it's hacktivists, it's got to be funded hacktivism." The al-Qassam group is named after a Muslim preacher “who was a leader in the fight against British, French, and Zionist organizations in the Levant in the 1920s and 1930s.” (Wikipedia). The name is also used by the military wing of Hamas, and there have been suggestions that the hacktivist group is part of Hamas. Hamas has long received a portion of its funding from Iran (although this has reportedly been cut recently because of Hamas’ failure to publicly support Assad in Syria).

If true, this is not in itself a direct connection to Iran, but a connection between the hackers and Iran nevertheless.

Holden believes that al-Qassam funding is necessary because of the maintenance and growth of the botnet used to attack the banks. Unlike the more mainstream hacktivist DDoS attacks from Anonymous, al-Qassam compromises commercial servers on the internet in order to acquire and use greater bandwidth (Anonymous often relies on crowd-sourced volunteers offering their own home computers). “There has been a big investment on their [al-Qassam’s] part to keep the campaign growing,” Holden told Ars Technica. “And they've added some twists and techniques to their tools as time goes on, focusing their attacks more on the particular applications of the banks they're targeting. Now there are particular tools being used for a specific set of banks.”

It would appear that the gaps between attacks, and the longer gaps between the different phases of the ‘operation’, are used by the group to refine its attack methodology and to compromise more servers to replace those discovered, thereby increasing the intensity of future DDoS attacks. There seems to be no immediate likelihood of any cessation in the attacks – and for the moment we can expect more attacks on more US banks this week.
