Of particular concern, experts said, is that the attackers used the Internet to warn the institutions ahead of time but the banks still couldn't repel the assaults.
"The banks put a lot of effort into cyber security. But they're so desirable as a target, even with all that effort they still have problems," said James Lewis, an expert at the Center for Strategic and International Studies in Washington. "If you can pull together enough resources, you can overwhelm any defense temporarily."
The attacks on banks began last week on the largest institutions in the country: JPMorgan Chase, Citigroup and Bank of America. They spread to Wells Fargo on Tuesday and U.S. Bank on Wednesday. Another attack has been threatened against PNC Financial Services on Thursday.
The U.S. government and banks have been working feverishly to learn more about the attackers. A financial executive not authorized to speak publicly described a "war room" where bankers were coordinating efforts with the Department of Homeland Security.
Izz ad-Din al-Qassam is the name of the military wing of Hamas, the political party that governs the Gaza Strip. Experts say the attacks appear to have originated from the Middle East, thought it isn't clear who is behind them or the motivation.
But on Tuesday the group posted a manifesto on the Internet saying attacks would continue until a video insulting the Islamic prophet Muhammad was removed from the Internet. That video, "Innocence of Muslims," has caused violent clashes in the Middle East, and led to the attack of the U.S. embassy in Libya.
Dmitri Alperovitch, a computer security expert investigating the recent attacks, said they are the latest in a series of cyber assaults by the group. The attacks were not only on financial firms, he said, although he declined to identify other industries. Alperovitch said Izz ad-Din al-Qassam has demonstrated "advanced capabilities."
He said it was unlikely that the anti-Islamic video alone had triggered the attacks. He said his firm, CrowdStrike Inc., has linked the group to attacks on other targets since January, long before the trailer for the anti-Islamic film was posted on YouTube.
Wells Fargo, based in San Francisco, had intermittent service interruptions all day Tuesday, distressing many of its 21 million online customers.
Similar problems occurred Wednesday at U.S. Bank. The Minneapolis-based bank said it was experiencing unusually high Web traffic and that the coordinated attacks were "very similar" to those at other major banks. "We are working very closely with federal law enforcement," spokesman Tom Joyce said.
Pittsburgh-based PNC, facing the threatened attack on Thursday, was preparing for the worst. "We've seen the posting" on the Internet, PNC spokesman Fred Solomon said. "We're taking appropriate measures."
Security consultant Alperovitch said the volume of phony demands on bank sites was two to three times heavier than previous records for denial of service attacks, and 10 to 20 times higher than the average such attack. Still, the onslaught so far has had a "very limited impact," resulting in only brief shutdowns of websites.
"The attacks, while very, very large and historic in that sense, are not super sophisticated," he said. Although evidence points to a group "certainly of Middle Eastern origin," his company could not tell whether a state or private group was behind the attacks.
Some speculation centered on whether Iran might be retaliating for economic sanctions placed on the country because of its nuclear program and enforced by U.S. banks.
"I don't believe these were just hackers," Senate Homeland Security Committee Chairman Joe Lieberman, I-Conn., said last week in an interview on C-SPAN's "Newsmakers" program. "I think this was done by Iran and the Quds Force," a secretive Iran military unit blamed for terrorist activity.
Lieberman was observing Yom Kippur and could not be reached Wednesday. The FBI and Justice Department declined to comment on the origin of the attacks.
Two bankers, who spoke on condition of anonymity, said their banks were also on the alert for cyber thieves who might use the attacks as a diversion.