JPMorgan Suffers 45 Billion Cyber Attacks a Day (cnn.com) 36
Speaking of cyber attacks, JPMorgan Chase is targeted by hackers trying to infiltrate its systems 45 billion times a day (Warning: source may be paywalled; alternative source) -- twice the rate at which it was attacked a year earlier -- the bank's head of asset and wealth management has said. FT: Speaking at Davos on Wednesday, Mary Erdoes said the bank spent $15bn on technology every year and employed 62,000 technologists, with many focused solely on combating the rise in cyber crime. "We have more engineers than Google or Amazon. Why? Because we have to," she said. "The fraudsters get smarter, savvier, quicker, more devious, more mischievous."
Western lenders have suffered a surge in cyber attacks in the past two years, which has been partly blamed on Russian hackers acting in response to sanctions placed on the country and its banks following its full-scale invasion of Ukraine. But the use of artificial intelligence by cyber criminals has also increased the number of incidents and level of sophistication of attacks. UPDATE 1/18/24: In a statement provided to Slashdot, a JPMorgan spokesperson said: "The 45 billion per day figure measures numerous activities, not just hacking attempts. As updated by Bloomberg, 'Examples of activity can include user log ins like employee virtual desktops, and scanning activity, which are often highly automated and not targeted.'" Bloomberg and FT have updated their articles accordingly.
Paywalled article? Really? (Score:5, Insightful)
Re: (Score:2)
When you connect to the Internet, the
Re: (Score:2)
In fairness, any one of those probes could turn into a significant issue if the right vulnerability is found.
There are some systems out there though that can nip this stuff in the bud, especially if they're using whitelisting and blacklisting of IP space. One system I've found useful is a free set of scripts called "login-shield." It's on GitHub.
Re:Paywalled article? Really? (Score:4, Interesting)
You know what does give you a heads up though? A honeypot. I've been deploying one of these on a dedicated port on almost every firewall I've deployed for many years now. Set one up as an apparent soft target, on a Raspberry Pi or any other dedicated bit of hardware you can quickly isolate if needed, and it'll absolutely tell you when the real attacks inevitably happen. A little shell scripting, and you can pump those IPs or subnets straight into an IPset or whatever on your firewalls and other security appliances within seconds of the first serious probes and hopefully cut them off before anything that actually matters gets hit. If, as you suggest, you can supplement that IPset with some judicious broadbrush white/blacklisting as well, then so much the better.
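The honeypot-to-IPset step described in the comment above, as an added example that is not part of the original post. The log format, set name, threshold and allowlist are assumptions, and every address is a constructed documentation-range value.

```shell
#!/bin/sh
# Added example: turn honeypot hits into ipset entries.
SET_NAME="honeypot_block"            # hypothetical ipset name
THRESHOLD=2                          # hits from one source before it is blocked
ALLOWLIST="198.51.100.7 192.0.2.10"  # constructed: own/monitoring hosts, never blocked

# Constructed honeypot log, one hit per line: "<time> src=<ip> dport=<port>"
sample_log() {
cat <<'EOF'
2024-01-18T10:00:01Z src=203.0.113.5 dport=2222
2024-01-18T10:00:02Z src=203.0.113.5 dport=2222
2024-01-18T10:00:03Z src=198.51.100.7 dport=2222
2024-01-18T10:00:04Z src=198.51.100.7 dport=2222
2024-01-18T10:00:05Z src=203.0.113.77 dport=2222
2024-01-18T10:00:06Z src=999.1.1.1 dport=2222
2024-01-18T10:00:07Z src=999.1.1.1 dport=2222
2024-01-18T10:00:08Z src=203.0.113.9;x dport=2222
2024-01-18T10:00:09Z src=203.0.113.9;x dport=2222
2024-01-18T10:00:10Z src=192.0.2.44 dport=2222
2024-01-18T10:00:11Z src=192.0.2.44 dport=2222
EOF
}

# Reads log lines on stdin and prints "add <set> <ip>" lines, the input format
# of `ipset restore`. Log content is attacker-influenced, so only strict
# dotted-quad IPv4 values are accepted and allowlisted hosts are skipped.
build_blocklist() {
  awk -v set="$SET_NAME" -v min="$THRESHOLD" -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^src=/) ip = substr($i, 5)
      if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
      split(ip, o, ".")
      for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
      if (ip in skip) next
      hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print "add " set " " ip }
  ' | sort
}

# On a firewall the output would be piped to `ipset restore -exist`;
# here it is only printed.
sample_log | build_blocklist
```

The allowlist is what keeps a misattributed or spoofed source from getting your own management addresses blocked, so it should be populated before any automatic blocking is switched on.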
Re: (Score:2)
JPMorgan: Now Offering Frequent Hacker Miles (Score:2)
Yes. So? (Score:5, Informative)
I have about 4M a day. If you count scans, ssh-login attempts, etc. and that is on one (!) IPv4 address. This number is completely meaningless and any conclusions derived from it are too.
Re: (Score:2)
Re:Yes. So? (Score:5, Interesting)
Yes that number is meaningless without context. Are they really counting a run of the mill scan we all see as an attempt? We don't know. But they apparently feel they need 62,000 IT folks to help keep their infrastructure secure. Their IT staff alone is larger than most companies. I'm more curious about their processes though, ensuring roles are separated with proper security controls in place. 62,000 employees really increases the chance of a bad actor sitting right there with all the sheep, so what are they doing to ensure they don't have a wolf hiding among them that can't do something bad?
Re: (Score:3)
It does seem like a lot of people but JPM manages around $2.6T of assets so it's one IT person for every $42M
I am also curious about how you wrangle that many IT people, I imagine the actual security and architecture teams are nowhere near that size and it's a lot of help desk and internal support staff but still.
Re: (Score:2)
so what are they doing to ensure they don't have a wolf hiding among them that can't do something bad?
Ahh yes, the wolf of Wall Street.
Re: (Score:2)
62,000 employees really increases the chance of a bad actor sitting right there with all the sheep, so what are they doing to ensure they don't have a wolf hiding among them that can't do something bad?
Indeed. Sounds like wayyy too many IT people.
Re: Yes. So? (Score:2)
But they apparently feel they need 62,000 IT folks to help keep their infrastructure secure.
No, that's their entire IT organization - they are a bank & investment house, their business is IT, that takes a lot of people...
Their IT staff alone is larger than most companies.
Then again, their IT department is their product, they don't have a manufacturing department, for example.
Re: (Score:2)
Um... no, I don't think so.
"employed 62,000 technologists, with many focused solely on combating the rise in cyber crime."
And "many" probably meaning like... 8.
Re: (Score:2)
The number is only meaningless if viewed in isolation. The key part of this story is that the number is twice as large as last year. Assuming they haven't changed methodology it does give us some useful information.
Re: (Score:2)
Re: (Score:2)
Twice the number of meaningless scans and dumb login attempts really mean nothing security-wise.
Re: (Score:2)
Oh by the way, how bad is your basic security that you get 4 million attempts a day? You could do the very basics to protect yourself such as blocklisting ssh attempts from Chinese IPs, implementing fail2ban, a basic firewall dropping scan requests which almost universally causes scans to abort. It sounds like you're not taking anything seriously.
Re: (Score:2)
Re: (Score:2)
Indeed. And they are welcome to attempt. I really do not care as they have zero chance to get in and I have ample bandwidth and the ssh daemon is not under any kind of load that would matter. I do like to occasionally look at the logs though to see what demented user/pwd combos seem to work on other people.
Re: (Score:2)
Not bad at all. And these include scans, as I very clearly said. As I have good SSH passwords and ample log-space there really is no need to complicate anything and thereby make things _less_ secure. Incidentally, these logs _are_ from my firewall.
So no, my security is pretty good. May have something to do with me being an actual security expert. But you cannot let a chance to cluelessly mouth off go to waste, can you?
Re: (Score:2)
ridiculous metric (Score:3)
I assume they are simply counting the number of network requests that look (vaguely) malicious. But even then surely it’s not 45 billion exploit attempts (there isn’t like 4.5 million different vectors, never mind 45 billion) so they’re probably just counting random bot farms making requests to make it sound more impressive.
We need a different unit of measure (Score:5, Funny)
Re: attack frequency of almost 521 kHz. (Score:1)
I collected the attack logs and converted them to sound. It plays the YMCA song. Join in!
"It's fun to hack the Y, M, C, A...
They're called IP packets (Score:1)
Don't be a drama queen and perhaps install a firewall that is less alarmist.
Payload count? (Score:3)
45 billion is a very big number. To say that they suffer 45 billion cyber attacks a day would mean that every one of 8 billion human beings on Earth would need to attack JPMorgan nearly 6 times a day. What they most likely refer to is the total count of ATTEMPTs being requests to their software with malicious payloads, and anyone who works in offensive security would know that in this context 45 billion requests a day is really not that much.
Re: (Score:2)
They're probably counting every port scan that they get on every public IP address that they own as an "attack".
Anybody who actually understands cybersecurity knows that this is BS, but I'd imagine that their shareholders are impressed by the big numbers.
Who is sending all that crap? (Score:1)
Being every org gets tons of dubious traffic, is there any public study on where the questionable packets are coming from? I suspect from compromised zombied PC's. With more study, they can maybe figure out what the zombied PC's are talking to, or are those also zombie nodes? How many layers of indirection does a typical hack-farm use? Is it notably higher for top-end state-sponsored farms?
FIDO2 (Score:2)
Say no to drugs (Score:3)
Read the article here - https://archive.is/TOiEP
Mary Erdoes is no different than the rest of middle management and C level execs at most major Fortune 50 or higher companies. These numbers are the "let's justify a budget and my paycheck" numbers presented to the board and shareholders. I wish I was as dumb as these people are, maybe I would be making more money than I am today. I wonder how many security jobs were just terminated when Citigroup wasted 20k employees?
Oh competence (Score:1)
Uh oh...I hope they don't call the feds on me (Score:2)
It's a new boat... (Score:3)