Target of Massive DDoS Attack and Ransom Demand, Lloyds Banking Group Manages to Fend off Cybercriminals

By on Jan 30, 2017

This blog was written by Maneeza Malik.

In a matter of 48 hours, over 20 million customers couldn’t check their bank accounts online. And it’s all because of two people: two cybercriminals, to be exact, who worked in tandem to conduct a DDoS (distributed denial of service) attack against Lloyds Banking Group. The end goal? To demand a ransom from the banking group, which they knew would be desperate to restore access for its irritated customers.

So how exactly did this DDoS attack work? To start, the cybercriminals bombarded the widely used British bank’s online platform with millions of fake requests designed to grind the group’s systems to a halt. That halt lasted almost three days, denying access to millions of customers across the U.K.

Then the pair sent an email to a Lloyds Bank executive, posing as a consultant offering to restore the bank’s systems and bring them back online for a modest fee of 100 Bitcoin (£75,000 / $94,000). Luckily, the disguised extortion attempt failed: the cybercriminals’ bitcoin address still shows a zero balance and no transactions. As an added bonus, no accounts appear to have been hacked or compromised during the attack, and service has returned to normal.

Lloyds’ IT security team is to thank for that. They “geo-blocked” the source of the attack, a technique that effectively drops a portcullis in front of the servers launching the attack, but which also blocked legitimate customer requests from that region.
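To make the trade-off concrete, here is a small added example (not code from McAfee or Lloyds) that flags a per-country request spike against a quiet baseline and then measures what a country-level block does to forged versus legitimate traffic. All counts are constructed, and "ZZ" is a placeholder country code, not the real attack origin.

```python
from collections import Counter

# Constructed per-country, per-minute request counts for a quiet minute (baseline)
# and for a minute during the flood, labelled with ground truth we would NOT have
# in production: (country, is_legit) -> number of requests.
BASELINE = Counter({"GB": 900, "DE": 40, "ZZ": 25})
ATTACK_MIX = Counter({
    ("GB", True): 910,       # ordinary UK customers
    ("DE", True): 38,        # ordinary customers abroad
    ("ZZ", True): 25,        # real customers in the placeholder region
    ("ZZ", False): 399_975,  # forged requests from the same region
})

def per_country(mix):
    """Collapse the labelled mix into plain per-country counts (what a log shows)."""
    counts = Counter()
    for (country, _legit), n in mix.items():
        counts[country] += n
    return counts

def spike_countries(baseline, current, factor=10, min_count=1000):
    """Countries whose current-minute volume exceeds `factor` x baseline and an
    absolute floor. The floor stops a small source tripping the alert by noise;
    the factor keeps normal growth in large sources (GB here) from alerting."""
    return sorted(
        c for c, n in current.items()
        if n >= min_count and n > factor * baseline.get(c, 0)
    )

def geo_block(mix, blocked):
    """Apply a country-level block and report its effect on forged and legitimate
    traffic separately, so the collateral on real customers is visible."""
    out = {"forged_dropped": 0, "forged_passed": 0,
           "legit_dropped": 0, "legit_passed": 0}
    for (country, legit), n in mix.items():
        kind = "legit" if legit else "forged"
        fate = "_dropped" if country in blocked else "_passed"
        out[kind + fate] += n
    return out

if __name__ == "__main__":
    suspects = spike_countries(BASELINE, per_country(ATTACK_MIX))
    print("spiking countries:", suspects)          # ['ZZ']
    print(geo_block(ATTACK_MIX, set(suspects)))    # 25 legitimate requests dropped
```

The block stops every forged request in the sample but also drops the 25 real customers in the blocked region, which is exactly the side effect the paragraph above describes.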

Though no customer data was stolen and service is back online, this cyberattack is an unfriendly reminder of the nature of DDoS attacks, their capabilities, and their true impact.

Joe Bernik, McAfee CTO for Financial Services, noted that the attack is nothing new, but that attacks like it aren’t going anywhere. “As one of the oldest forms of internet-borne attacks, DDoS attacks are effective and popular because the internet architecture and protocols it uses easily lend themselves to this form of attack. Therefore, it makes sense that the attack on Lloyds’ banking platform is similar to the DDoS attacks that impacted large U.S. banks in 2013 and 2014 as well.”

Bernik continued, “Adding to this ease, DDoS attacks are highly visible by nature, and easy to perform, given the availability of ‘for hire’ botnets. It’s also important to remember that—especially in cases like Lloyds Bank—a DDoS attempt can be part of a larger attack and could just be a detractor used to redirect security resources.”

Indeed, such attacks are something all banks need to be aware of in order to stay on high alert. They need to look for threats and evasive attacks across their entire network and across all omni-banking touch points.

There is nothing unique here. Yes, DDoS attacks are here to stay, as are cyber threats/attacks of all sorts. The bigger question is that banks need to shift their security posture to take a more offensive stance and not only be at the other end of the fire hose. Granted, that’s easier said than done. They also need greater visibility, a “holistic view” into their security posture, versus multiple myopic lenses that may hamper the ability to proactively detect and block attacks. What did we learn about this attack on Lloyds Bank? That customers started to report that they could not access their accounts, which then triggered an alert. Detecting and blocking attacks at the onset will continue to be both a challenge and a desired goal for banks, whether it’s a DDoS attack, a zero-day attack or some other form of evolving and emerging threat.

About the Author

McAfee Enterprise

McAfee offers industry-leading cybersecurity solutions for all business and enterprise needs. See our blog to stay up to date with the latest security trends.


  1. In my opinion, all DDoS attacks can be prevented by relaying a server’s internet traffic via a “captcha server” that checks whether the user is human or not. If it passes, then that node is authorized to connect to the server. However, it makes access to one’s account kind of annoying, but certain techniques could be used to make it faster and more efficient, such as blacklists and whitelists.

  2. I think they should not have geo-blocked; better to transfer to another CDN for the region.
