The distributed denial-of-service attack that crashed Ellie Mae's loan origination system was cleverly disguised and could have been carried out by individuals with mortgage industry expertise, the vendor says.
The March 31-April 1 attack overwhelmed the company's servers with data requests that had the look and feel of legitimate communications. Specifically, the attack flooded the servers with requests to a URL that is used to download an XML file containing a list of third-party technology vendors that integrate with the Encompass LOS via the Ellie Mae Network.
"It was a massive number of requests that came in and consumed the full capacity of one set of our servers around a specific URL," Ellie Mae President and Chief Operating Officer Jonathan Corr says in his first interview since the attack was disclosed. "Where a classic denial-of-service attack would be a request that comes in that is not valid and would just create a lot of failed attempts, this was a valid request with a normal signature."
The investigation into the incident is ongoing, but the manner in which the attack was carried out may indicate that it was carried out by people familiar with the mortgage industry.
"I find it very coincidental that this was using a valid request and a normal signature, which if you look at just a random attack, that's not typically the case," Corr says. "And it occurred on the last day of the month and the quarter, starting first thing in the morning" — a critical time for loan closings.
"That could be coincidence, I don’t have evidence otherwise, but we find it very disturbing and we're trying to figure it out. It seems like that could be a possibility," he adds.
The XML file contains no sensitive data and is accessible through a so-called open request, which doesn't require the type of authentication needed to access actual loan files in the system. The attack resembled data requests that would come from the smart client application used to access Encompass and the Ellie Mae Network. This similarity initially made the communications difficult to identify as a threat.
"Because of the way it came in, it looked just like a request that we would expect and it wasn't something that someone out there randomly could do," Corr says. "Somebody obviously understood a basic public request that would come from an Encompass system."
Ellie Mae has hired Stroz Friedberg, a cyber-security and digital forensics investigation firm, to piece together evidence and trace the attack, evaluate Ellie Mae's response to the incident, as well as validate that the vendor did not suffer a data or security breach.
"We're asking them to validate that so we can provide a third-party perspective to our customers so that they can turn around and let their regulators know," Corr says.
Ellie Mae, based in Pleasanton, Calif., has put protocols in place to defend against an attack of this nature, and Corr says the company will make additional investments "to further harden the walls" of its infrastructure.
"We're really focused on how to get even better at dealing with anybody that might try to affect the livelihood of our customers," he says.