Gibson Index

2013-03-30: (Updated) American Express Online Banking Briefly Affected by Denial-Of-Service

Level Two Attack

The online banking system for American Express was briefly affected by a distributed denial-of-service (DDoS) attack, allegedly launched by a group protesting an anti-Muslim video on YouTube.

The website was fully or partially down for at least two hours, causing some customers to have difficulty accessing their accounts. It appeared that this was purely an external attack on availability, so it is possible that no customer information or accounts were at risk; however, the update below may indicate that a separate attack has compromised some customer information.

Update (11:30PM PDT, 2013-03-30)

It looks like an additional incident has come to light in this attack. A subdomain, "expcheckoutinfo.americanexpress.com", may have been penetrated and defaced (possibly by Russian hackers). The subdomain appears to be offline at the moment, but there is a tweeted screencap alleging to show evidence of a successful penetration:

I was already on the fence about whether this incident should be classified as a Level One Event versus a Level Two Attack, due mainly to the size of American Express's affected userbase. Even if the above tweet turns out to be a hoax or misunderstanding, I am comfortable with upgrading the overall incident to a Level Two Attack.

Original

(Apparently I spoke too soon with the lecture below, but to be fair, the article claiming it was "hacked" may not have been talking about the above penetration.)

Headlines like "American Express Confirms Site Was Hacked: Report" do not accurately convey the limited impact of this incident, as there appears to have been no penetration of the American Express servers; a denial of service degrades availability without, by itself, exposing data. The linked article tries to tie together a patchwork of unrelated incidents (banking malware, ATM fraud, POS fraud) into a self-proclaimed "frightening" scenario; while caution is warranted, such sensationalistic pieces are a damning indictment of the state of computer security journalism. The New York Times article, "Cyberattacks Seem Meant to Destroy, Not Just Disrupt", is similarly sensational, but does a far more thorough analysis of the scenario to justify its headline.

For the time being, this is a Gibson Level One Event, as was the TD Bank denial of service from last week. However, as this attack is allegedly part of a larger "hacktivist" effort (which is thought to be funded by the government of Iran), it is on the high end of Level One and could be upgraded to a Level Two Attack if certain requirements are satisfied (namely, extended or multi-day downtime).
