Wired.com reports of an enterprising group of hackers targeting a Brazilian bank who managed to reroute all of the bank’s online customers to perfectly reconstructed clones of the bank’s properties, where the marks obediently handed over their account information.
Researchers at the security firm Kaspersky on Tuesday described an unprecedented case of wholesale bank fraud, one that essentially hijacked a bank’s entire internet footprint. At 1 pm on October 22 of last year, the researchers say, hackers changed the Domain Name System registrations of all 36 of the bank’s online properties, commandeering the bank’s desktop and mobile website domains to take users to phishing sites. In practice, that meant the hackers could steal login credentials at sites hosted at the bank’s legitimate web addresses. Kaspersky researchers believe the hackers may have even simultaneously redirected all transactions at ATMs or point-of-sale systems to their own servers, collecting the credit card details of anyone who used their card that Saturday afternoon.
“Absolutely all of the bank’s online operations were under the attackers’ control for five to six hours,” says Dmitry Bestuzhev, one of the Kaspersky researchers who analyzed the attack in real time after seeing malware infecting customers from what appeared to be the bank’s fully valid domain. From the hackers’ point of view, as Bestuzhev puts it, the DNS attack meant that “you become the bank. Everything belongs to you now.”
Kaspersky believes the attackers compromised the bank’s account at Registro.br. That’s the domain registration service of NIC.br, the registrar for sites ending in the Brazilian .br top-level domain, which they say also managed the DNS for the bank. With that access, the researchers believe, the attackers were able to change the registration simultaneously for all of the bank’s domains, redirecting them to servers the attackers had set up on Google’s Cloud Platform.2
With that domain hijacking in place, anyone visiting the bank’s website URLs were redirected to lookalike sites. And those sites even had valid HTTPS certificates issued in the name of the bank, so that visitors’ browsers would show a green lock and the bank’s name, just as they would with the real sites. Kaspersky found that the certificates had been issued six months earlier by Let’s Encrypt, the non-profit certificate authority that’s made obtaining an HTTPS certificate easier in the hopes of increasing HTTPS adoption.
“If an entity gained control of DNS, and thus gained effective control over a domain, it may be possible for that entity to get a certificate from us,” says Let’s Encrypt founder Josh Aas. “Such issuance would not constitute mis-issuance on our part, because the entity receiving the certificate would have been able to properly demonstrate control over the domain.”
Get the whole story here