Screenshot via Akamai's real-time web monitor.
For at least the past hour, hackers have been hammering the back end of American Express's website with a DDoS attack, and insiders say it's potentially part of the largest attack ever, which made headlines on Wednesday.
According to an American Express employee, who asked to remain anonymous due to the sensitivity of the matter, users haven't been able to log into their accounts since 3:55 pm on Thursday afternoon, a fact that's been confirmed by a flurry of tweets, and that his team believes the attacks may be related to yesterday's global attacks. American Express has since confirmed the attack in a phone call.
The attack is affecting American Express's websites in the United States and abroad. "They are hammering the backend systems that handle bill pay, statements, [and] account summary," said the AmEx employee, who added that some of the company's online ad and content platforms were down too. (Update: Tablet and mobile apps also went down.) No user data was compromised, the employee said.
Not long after after reports of trouble started bubbling up, an American Express spokesperson confirmed that they were being hit by a DDoS attack in an interview. "We have been prepared for this," said the spokesperson. "We have a plan in place, and we are working as quickly as possible to get our site back up and running." She added, "And obviously, we apologize for the inconvenience to our customers."
American Express apparently uses AT&T hosting, some of whose servers are located in Cypress, California. A look at Akamai's real-time Internet attack tracker shows that the entire region has been experiencing higher-than-usual attacks, but the Cypress area in particular is receiving higher traffic than usual, which would be consistent with a targeted DDoS.
The crippling attack comes just 24 hours after reports of a massive global DDoS attack — the biggest in history — that stemmed from a feud between a spam watchdog and a web-hosting. Cyber security experts compared it to a nuclear bomb being dropped on the Internet.
The fear at that point in time was that it would spread to banks and actually have an economic impact. The attack continued on Thursday hitting the online payments startup Dwolla in the morning before spreading to American Express. The American Express tech team suspects that their attack is part of that larger nuclear assault.
This is a developing story, and we've got a few calls out to various security firms to try to confirm whether today's attacks are related to yesterdays. Spamhaus, who was a key player in yesterday's DDoS dustup, said in an email that it wasn't tracking this particular attack. I'll update as I learn more.
Additional reporting by Derek Mead.