Hackers seized every one of a Brazilian bank’s 36 domains and leveraged their unauthorized access to push malware onto unsuspecting users.
Kaspersky Lab first learned of the attack in October 2016. Researchers Fabio Assolini and Dmitry Bestuzhev at first thought it was just site hijacking. But they soon discovered that the bad actors had seized control of the site’s index file. Into that file they had injected a iframe that redirected visitors to a website where malware in the form of a zipped Java plugin awaited.
Assolini and Bestuzhev admitted at the Kaspersky Security Analyst Summit that these behaviors piqued their curiosity. As quoted by Threatpost:
“Every single visitor got a plugin with the JAR file inside. We were wondering, had the bad guys pwned the whole bank? How is this possible?”
A deeper dive revealed that the bank’s homepage had begun displaying a valid SSL certificate issued by Let’s Encrypt a day before the attack occurred. All the other pieces then began to come together. As it turns out, attackers had planned the hack five months in advance when the certificate was registered. They then presumably leveraged spear-phishing emails using the name of the Certificate Authority (CA) to seize all 36 of the bank’s domains. From there, they deployed their payload: malware that came equipped with the ability to remove security products and phish for visitors’ payment card information.
Bestuzhev took great care to warn against the threat of attackers compromising a target’s domains and DNS settings:
“Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad. If DNS was under control of the criminals, you’re screwed.”
To protect themselves against attacks such as the one discovered by Assolini and Bestuzhev, organizations should secure their DNS infrastructure with two-factor authentication. Many registrars offer this option, but few companies ultimately enable it. They should also educate their employees about phishing attacks.
This plot isn’t the only bank-centered attack that emerged from this year’s Kaspersky Security Analyst Summit. Researchers at the Russian security firm also disclosed another attack in which bad actors physically drilled into a bank’s ATM to steal the monies contained therein.