ST. MAARTEN–On a quiet Saturday afternoon in October 2016, security researchers in Latin America began noticing some odd behavior in the Brazilian banking system. Customers visiting the website of one of the country’s larger banks were being hit with automatic malware downloads, but as the researchers began investigating the incident, it quickly became clear that the attack was far deeper and broader than a simple site hijacking.
The first indications of the compromise emerged when users noticed the bank’s site trying to install a browser plugin from the home page. The plugin was in a ZIP file that included a Java archive, and it appeared to be a legitimate plugin that the bank’s site actually used. But the attackers had been able to replace it with a rigged version that installed malware on visitors’ machines. As researchers from Kaspersky Lab looked at the installation process, they discovered that the home page now included a hidden iframe that was triggering the install. The attackers had somehow been able to compromise the main index file of the bank’s site and, worse, had hijacked all 36 of the bank’s domains.
“The mobile banking, online banking, corporate email, the financing and acquisitions, it was all in control of the bad guys,” Dmitry Besthuzhev, a security researcher at Kaspersky, said during a talk on the bank attack at the company’s Security Analyst Summit here Tuesday.
The bank’s site had a valid SSL certificate, but the researchers found that it had been installed only the day before the attack and had been issued by Let’s Encrypt, a certificate authority that provides free certificates. Cybercriminals have begun to take advantage of free issuance to obtain certificates for phishing and other attacks.
The bank that the attackers targeted has more than 500 branches in several countries, more than five million customers, and about $25 billion in assets. And they had complete control of the bank’s online infrastructure. Besthuzhev and his colleague Fabio Assolini began analyzing the malware installed from the bank’s site and found that it had a number of separate modules, including one that disables security products, and the malware was sending all of the data it gathered to a command-and-control server in Canada.
The researchers also found that the attackers were targeting customers of several other banks around the world. In the case of the Brazilian bank, the attackers had not only added the malware injection to the home page, they had also added a page to the site that asked visitors to enter their credit card numbers, CVVs, and personal information, allowing the attackers to clone those cards. The criminals also had access to the servers that processed payments from customers’ cards made at point-of-sale devices.
But the most crippling part of the attack was the hijack of the bank’s DNS infrastructure. This allowed the attackers to redirect the domains to infrastructure they controlled, hosted on Google Cloud.
“If the DNS is under control of the bad guys, you are basically screwed up,” Besthuzhev said.
How exactly the attackers gained access to the DNS records isn’t clear, but once they were in, they were able to change all of the DNS entries and point the customers’ traffic to their own servers. Besthuzhev and Assolini said this may have been done at the registrar level, but they also discovered that the attackers had sent spear-phishing emails to bank employees as part of the operation. If one of those emails hit an employee with access to the bank’s account at the registrar, that could have provided access, too.
“If one of them had access to the DNS records, it would be very, very bad. We think both happened in this case,” Besthuzhev said.
After digging into the bank attack, Besthuzhev and Assolini discovered that many of the larger banks in the world don’t run their own DNS infrastructure, making them more vulnerable to this kind of compromise. Some banks operate shared infrastructure with other financial institutions, so if an attacker hit one, the others would be vulnerable, as well. The researchers said more registrars should offer two-factor authentication for their customers and encourage them to use it.
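The two signals the researchers describe, every domain suddenly delegating to foreign name servers and resolving to one new address, and a certificate issued the day before, can be checked against a stored baseline. The script below is an added example written for this article, not Kaspersky’s or the bank’s code; the domain names, name servers, addresses and dates are constructed placeholders, and the snapshots are dictionaries rather than live lookups so it runs offline.

```python
from datetime import datetime, timedelta

def zone(a_ip, ns=("ns1.example-bank.test", "ns2.example-bank.test")):
    """Build one domain's NS and A record sets (helper for the constructed data)."""
    return {"ns": set(ns), "a": {a_ip}}

# Constructed baseline: the bank's records as last verified. example-bank.test and
# all addresses are fictional placeholders, not the bank's real infrastructure.
BASELINE = {
    "www.example-bank.test": zone("203.0.113.10"),
    "mobile.example-bank.test": zone("203.0.113.11"),
    "mail.example-bank.test": zone("203.0.113.12"),
    "partners.example-bank.test": zone("203.0.113.13"),
}

# Constructed snapshot during an incident: three zones now delegate to foreign name
# servers and all resolve to one new address; one zone is untouched.
FOREIGN_NS = ("ns1.attacker-hosting.test", "ns2.attacker-hosting.test")
OBSERVED = {
    "www.example-bank.test": zone("198.51.100.7", FOREIGN_NS),
    "mobile.example-bank.test": zone("198.51.100.7", FOREIGN_NS),
    "mail.example-bank.test": zone("198.51.100.7", FOREIGN_NS),
    "partners.example-bank.test": zone("203.0.113.13"),
}

def diff_records(baseline, observed):
    """Return {domain: {"ns"|"a": (old_set, new_set)}} for every changed record set.
    A domain missing from the snapshot counts as changed (empty answer)."""
    changes = {}
    for domain, base in baseline.items():
        now = observed.get(domain, {"ns": set(), "a": set()})
        delta = {k: (base[k], now[k]) for k in ("ns", "a") if base[k] != now[k]}
        if delta:
            changes[domain] = delta
    return changes

def mass_redirect(changes, min_domains=3):
    """Group changed domains by the new A record they gained; one new address
    collecting several of the bank's domains is the wholesale-hijack pattern."""
    by_target = {}
    for domain, delta in changes.items():
        old, new = delta.get("a", (set(), set()))
        for ip in new - old:
            by_target.setdefault(ip, set()).add(domain)
    return {ip: doms for ip, doms in by_target.items() if len(doms) >= min_domains}

def cert_too_fresh(not_before_iso, observed_iso, max_age_days=7):
    """True when the certificate's notBefore lies within max_age_days before the
    observation; a cert issued the day before a DNS change is a warning, not proof."""
    age = datetime.fromisoformat(observed_iso) - datetime.fromisoformat(not_before_iso)
    return timedelta(0) <= age <= timedelta(days=max_age_days)
```

Run `diff_records(BASELINE, OBSERVED)` and feed the result to `mass_redirect` to see the three hijacked zones grouped under the single new address; in production the observed snapshot would come from queries against the authoritative servers and the certificate dates from Certificate Transparency logs.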