Thursday, April 6, 2017

"How Hackers Hijacked a Bank’s Entire Online Operation"

From Wired:
The traditional model of hacking a bank isn’t so different from the old-fashioned method of robbing one. Thieves get in, get the goods, and get out. But one enterprising group of hackers targeting a Brazilian bank seems to have taken a more comprehensive and devious approach: One weekend afternoon, they rerouted all of the bank’s online customers to perfectly reconstructed fakes of the bank’s properties, where the marks obediently handed over their account information.

Researchers at the security firm Kaspersky on Tuesday described an unprecedented case of wholesale bank fraud, one that essentially hijacked a bank’s entire internet footprint. At 1 pm on October 22 of last year, the researchers say, hackers changed the Domain Name System registrations of all 36 of the bank’s online properties, commandeering the bank’s desktop and mobile website domains to take users to phishing sites. In practice, that meant the hackers could steal login credentials at sites hosted at the bank’s legitimate web addresses. Kaspersky researchers believe the hackers may have even simultaneously redirected all transactions at ATMs or point-of-sale systems to their own servers, collecting the credit card details of anyone who used their card that Saturday afternoon.

“Absolutely all of the bank’s online operations were under the attackers’ control for five to six hours,” says Dmitry Bestuzhev, one of the Kaspersky researchers who analyzed the attack in real time after seeing malware infecting customers from what appeared to be the bank’s fully valid domain. From the hackers’ point of view, as Bestuzhev puts it, the DNS attack meant that “you become the bank. Everything belongs to you now.”

DNS Stress
Kaspersky isn’t releasing the name of the bank that was targeted in the DNS redirect attack. But the firm says it’s a major Brazilian financial company with hundreds of branches, operations in the US and the Cayman Islands, 5 million customers, and more than $27 billion in assets. And though Kaspersky says it doesn’t know the full extent of the damage caused by the takeover, it should serve as a warning to banks everywhere to consider how the insecurity of their DNS might enable a nightmarish loss of control of their core digital assets. “This is a known threat to the internet,” Bestuzhev says. “But we’ve never seen it exploited in the wild on such a big scale.”

The Domain Name System, or DNS, serves as a crucial protocol running under the hood of the internet: It translates domain names in alphanumeric characters (like to IP addresses (like that represent the actual locations of the computers hosting websites or other services on those machines. But attacking those records can take down sites or, worse, redirect them to a destination of the hacker’s choosing. 

In 2013, for instance, the Syrian Electronic Army hacker group altered the DNS registration of The New York Times to redirect visitors to a page with their logo. More recently, the Mirai botnet attack on the DNS provider Dyn knocked a major chunk of the web offline, including Amazon, Twitter, and Reddit.

But the Brazilian bank attackers exploited their victim’s DNS in a more focused and profit-driven way....MUCH MORE
HT: Schneier on Security