How hackers hijacked a bank

Brazilian bank hacking

A detailed analysis is now emerging of an attack that enabled the takeover of an unnamed Brazilian bank’s online presence last October. It involved the hijacking of the bank’s Domain Name System (DNS) records. In a detailed report, the security firm Kaspersky described how cyber thieves “changed the DNS registrations of all 36 of the bank’s online properties, commandeering the bank’s desktop and mobile website domains to take users to phishing sites.”

The most devious part of hijacking the bank’s DNS is that the switch to the impostor sites was undetectable by users: the domain names in the address bar were the bank’s own, and only the servers they resolved to had changed. As the article describes, “those sites even had valid HTTPS certificates issued in the name of the bank, so that visitors’ browsers would show a green lock and the bank’s name, just as they would with the real sites.” This is less a failure of HTTPS than a consequence of how domain-validated certificates work: a certificate authority issues one to whoever can prove control of the domain, typically by answering a DNS or HTTP challenge, and an attacker who controls the DNS records can pass that check. The issuance itself is one of the few observable traces such a hijack leaves, which is why monitoring Certificate Transparency logs for unexpected certificates on one’s own domains is a worthwhile control.

The hijack lasted for at least five hours, long enough for the criminals not just to steal banking logins but also to install a Trojan horse that gathered email and FTP credentials as well as contact lists from Outlook and Exchange. Kaspersky said it was hard to even quantify the extent of the theft. From the article:

“But the firm says it’s possible that the attackers could have harvested hundreds of thousands or millions of customers’ account details not only from their phishing scheme and malware but also from redirecting ATM and point-of-sale transactions to infrastructure they controlled. ‘We really don’t know what was the biggest harm: malware, phishing, point-of-sale, or ATMs,’ Bestuzhev says.”

Perhaps the most disturbing part for banks is that the thieves did not need to breach the bank’s own systems; they came in through a trusted third-party vendor, the one that managed the bank’s DNS. And according to the article, the unnamed bank is far from alone in this exposure, since half of the top 20 banks ranked by total assets don’t manage their own DNS.

The security of third-party vendors is a major risk throughout the financial sector, and many regulators have issued guidance on the subject.

Experts recommend special precautions to prevent DNS registrations from being changed without additional checks, such as the ‘registry lock’ some registrars provide and two-factor authentication on the registrar account, both of which make it far harder for attackers to alter the records.
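As an added illustration of those two controls (example code written for this page, not from Kaspersky or the article), the following Python script audits a domain’s DNS records against an expected baseline and checks whether a registry lock is actually in place rather than only a registrar-side lock. The domain names, IP addresses and status lists are constructed; a real deployment would fill them from live DNS lookups and from the registrar’s WHOIS or RDAP response.

```python
"""Audit a domain for DNS hijacking and a missing registry lock.

Example code written for this page, not the article's or Kaspersky's.
The record sets and status lists below are constructed for illustration;
in practice fill them from live DNS lookups and from the registrar's
WHOIS/RDAP output for the domain.
"""
from dataclasses import dataclass


def _norm(status: str) -> str:
    """Normalise status spellings so 'serverUpdateProhibited' (WHOIS/EPP)
    and 'server update prohibited' (RDAP, RFC 8056) compare equal."""
    return status.replace(" ", "").lower()


# A registry lock sets the server-side prohibitions; only the registry
# itself can clear them, which is what makes them useful here.
REGISTRY_LOCK = {_norm(s) for s in (
    "serverUpdateProhibited", "serverDeleteProhibited", "serverTransferProhibited")}
# The client-side flags are set and cleared by the registrar, so anyone
# holding the registrar account can remove them. They are not a
# substitute for a registry lock.
REGISTRAR_LOCK = {_norm(s) for s in (
    "clientUpdateProhibited", "clientDeleteProhibited", "clientTransferProhibited")}


@dataclass
class Finding:
    domain: str
    severity: str
    message: str


def diff_records(domain, baseline, observed):
    """Report every record type whose observed set differs from the baseline."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        expected = set(baseline.get(rtype, ()))
        seen = set(observed.get(rtype, ()))
        if expected == seen:
            continue
        # A changed NS delegation hands the whole zone to someone else, so it
        # outranks a changed A or MX record.
        severity = "critical" if rtype == "NS" else "high"
        findings.append(Finding(domain, severity,
            f"{rtype} drift: added={sorted(seen - expected)} "
            f"removed={sorted(expected - seen)}"))
    return findings


def check_lock(domain, statuses):
    """Report when the domain lacks a full registry lock."""
    present = {_norm(s) for s in statuses}
    if REGISTRY_LOCK <= present:
        return []
    missing = sorted(REGISTRY_LOCK - present)
    if REGISTRAR_LOCK & present:
        msg = f"only registrar-side lock present; missing {missing}"
    else:
        msg = f"no lock at all; missing {missing}"
    return [Finding(domain, "high", msg)]


def audit(domain, baseline, observed, statuses):
    """Combine record drift and lock findings for one domain."""
    return diff_records(domain, baseline, observed) + check_lock(domain, statuses)


# Constructed sample data (not real infrastructure).
BASELINE = {
    "NS": ["ns1.bank-example.test", "ns2.bank-example.test"],
    "A": ["203.0.113.10"],
    "MX": ["mail.bank-example.test"],
}
HIJACKED = {
    # Delegation and web address now point at attacker-controlled hosts;
    # mail is untouched, so the MX record produces no finding.
    "NS": ["ns1.attacker.example", "ns2.attacker.example"],
    "A": ["198.51.100.7"],
    "MX": ["mail.bank-example.test"],
}
STATUSES_WEAK = ["clientTransferProhibited"]
STATUSES_LOCKED = ["server update prohibited", "server delete prohibited",
                   "server transfer prohibited", "clientTransferProhibited"]


if __name__ == "__main__":
    for f in audit("bank-example.test", BASELINE, HIJACKED, STATUSES_WEAK):
        print(f"[{f.severity}] {f.domain}: {f.message}")
```

Run the check from several external vantage points on a schedule: a change made at the registrar propagates to every resolver once cached answers expire, so the comparison of the observed NS set against the baseline is the fastest signal, and the lock check tells you whether the registrar account alone was enough to make that change.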