How Hackers Hijacked a Bank’s Entire Online Operation

Extraordinary Incident of Wholesale Bank Fraud Done by Hackers

Hacking a bank is not different from the out-dated means of raiding it and hackers can get in and out with the goods quite easily. However a particular enterprising team of hackers aiming a Brazilian bank seemed to take a much more inclusive and a scheming method of operation.

On a certain weekend afternoon, they had rerouted all the online customers of the bank to effortlessly reconstructed fakes of the bank’s properties wherein the marks offered over their information of the accounts. The researchers at Kapersky the security firm had defined an extraordinary incident of wholesale bank fraud, which had basically hijacked the complete internet footprint of the bank.

 Last year, on October 22 at 1 pm, the researchers had stated that the hackers had altered the Domain Name System registration of all 36 online properties of the bank, taking the desktop and mobile website domains of the bank to take users to phishing site. That meant that the hackers had the potential of stealing login credentials at the sites which had been hosted at the legitimate web addresses of the bank.

The researchers of Kaspersky were of the belief that the hackers could have also simultaneously redirected most of the transactions at ATMs or point-of-sale systems to their own servers, gathering the details of the credit card of anyone who utilised their card on that Saturday afternoon.

Malware Infecting Customers

One of the researchers of Kaspersky, Dmitry Bestuzhey, who had analysed that attack in real time on seeing malware infecting customers from what seemed to be the fully valid domain of the bank, had stated that absolutely all of the bank’s online operations had been under the control of the attackers for five to six hours.

From the point of view from the hackers, according to Bestuzhey, the DNS attack meant that `you become the bank and everything belongs to you now’. Kaspersky has not revealed the name of the bank which had been targeted in the DNS redirect attack. He has stated that it seems to be a major Brazilian financial company with hundreds of branches, operations in the US and the Cayman Islands, with 5 million customers and over $27 billion in assets.

Though Kaspersky is not aware of the full extent of the damage caused due to the takeover, it should be a warning to banks all over to consider how the insecurity of their DNS would support a nightmarish loss of control of their core digital assets. Bestuzhev had commented that they have never seen it exploited in the wild on such a big scale.

DNS – Vital Decorum Under Cover of Internet

The Domain Name System – DNS tends to serve as a vital decorum running under the cover of the internet and translates domain names in alphanumeric characters such as Google.com, to the IP addresses such as 74.125.236.195, which tends to represent the definite locations of the computers hosting websites or other services related on those machines.

 However attacking the records could take the sites down or redirect them to a destination of a hackers’ choice. For instance, in 2013, the Syrian electronic Army groups of hacker had changed the DNS registration of The New York Times in redirecting visitors to a page with their logo. Recently, the Mirai Botnet attack on the DNS provider Dyn had cracked a main portion of the web offline inclusive of Amazon, Reddit and Twitter.

However the attackers of Brazilian bank had subjugated their victim’s DNS in a much more directed and profit-driven manner. Kaspersky was of the belief that the hackers compromised the account of the bank at Registro.br which is the domain registration service of NIC.br, the registrar for the sites ending in the Brazilian .br top-level domain which is said that it also manages the DNS for the bank.

Changing Registrar – Domains of Bank

The researchers are of the opinion that with that access, the hackers had been capable of changing the registrar at the same time for all the domains of the bank, redirecting them to servers which the attackers had set up on the Cloud Platform of Google.

With the hijacking of the domain, those visiting the website URL of the bank were redirected to the duplicate sites where those sites also had valid HTTPS certificates issued in the name of the bank. Hence those visitors’ browsers portrayed a green lock together with the name of the bank like they would in the real sites. Kaspersky also observed that the certificates was provided six months earlier by Let’s Encrypt, the non-profit certificate authority which makes obtaining an HTTPS certificate easy in case of increasing HTTPS acceptance.

 Josh Aas, founder of Let’s Encrypt had stated that `if an entity had gained control of DNS and had gained effective control over a domain, there could be a possibility for that entity to get a certificate from them. Such issuance would not constitute mis-issuance on their part since the entity receiving the certificate would have been able to properly demonstrate control over the domain’.

Hoaxed Sites Infected with Malware

Eventually the hijack had been so thorough that the bank was unable to even send email. Bestuzhev stated that they could not even communicate with the customers to send them an alert and if your DNS is in control of the cybercriminals, you are basically screwed’. Besides phishing, the hoaxed sites also infected victims with malware download which had disguised itself as an update to the Trusteer browser security plug-in which the Brazilian bank provided the customers.

As per the analysis of Kaspersky the malware gathers not only banking logins from the Brazilian banks but also eight others as well as email and FTP credentials together with contact lists from Outlook and Exchange. All of these had gone to command-and-control server hosted in Canada. The Trojan also comprised of an operation intended to disable antivirus software for infected victim, and could have persisted much beyond the five hour window when the attack had taken place.

The malware had scraps of Portuguese language, implying that the attackers could have been Brazilian. Bestuzhev of Kaspersky debates that for the banks the incident could have been a clear warning to check on the security of their DNS. He notes that half of the top 20 banks ranked by total assets do not manage their DNS but tend to leave it in the hands of a potentially hackable third party and irrespective of who tends to control the DNS of a bank they can take special precautions in preventing their DNS registrations from being changed without safety checks such as `registry lock’, which some registrars tend to provide together with two-factor authentication making it difficult for hackers to change them.