Feeds

HSBC websites fell in DDoS attack last night, bank admits

Hacktivists blamed for online banking blackout

Providing a secure and efficient Helpdesk

Updated HSBC has blamed a denial of service attack for the downtime of many of its websites worldwide on Thursday night.

Various Reg readers told us they were unable to reach the HSBC UK and First Direct websites on Thursday, leaving them unable to carry out internet banking services. Problems kicked in just before 20.00 BST and lasted for around seven hours.

Unconfirmed reports suggest that HSBC was targeted by the Izz ad-Din al-Qassam Cyber Fighters as part of a current campaign (see Pastebin post*) to get the controversial Innocence of Muslims video removed from YouTube. The group also took credit for interrupting customer access to the websites of Capital One earlier this week, again without warning, WSJ reports. The same group staged a series of digital sit-in (denial of service) attacks against US banks including Bank of America and Chase last month.

Security researchers analysing the earlier attacks quickly came to the conclusion that they were largely powered by botnet networks of malware-infected PCs.

In a statement, HSBC said that attacks had affected customers worldwide, and reassured clients that sensitive account data was not exposed by the attack.

On 18 October 2012 HSBC servers came under a denial of service attack which affected a number of HSBC websites around the world.

This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking.

We are taking appropriate action, working hard to restore service. We are pleased to say that some sites are now back up and running.

We are cooperating with the relevant authorities and will cooperate with other organisations that have been similarly affected by such criminal acts.

We apologise for any inconvenience caused to our customers throughout the world.

An updated statement from HSBC says that by 03.00 BST, it had brought all its websites worldwide back into service.

Darren Anstee, EMEA solutions architect team lead at Arbor Networks, said: “Recent attacks have used what we call multi-vector attacks, attacks which utilise a combination of volumetric, and application layer attack vectors. What we are seeing here are TCP, UDP and ICMP packet floods combined HTTP, HTTPS and DNS application layer attacks. Attackers are doing this because they know it makes the attacks more difficult to deal with, but not impossible if we have the right services and solutions in place." ®

* Has anyone solved for "Panetta" (US Justice Department Secretary) yet?

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.