How hackers took complete control of a legit Brazilian bank

05 April 2017  |  12352 views  |  1 comment

A Brazilian bank had its entire IT operations taken over by hackers in a 'stunning compromise' that saw each of its 36 domains, corporate email and DNS under the attacker’s control.

The three-month-long heist was uncovered last October when it became apparent that the bank's website was serving malware to each of its visitors. The malware was a Java file tucked inside a .zip archive loaded from the site's index file.

Detailing the online assault at the Security Analyst Summit, Kaspersky Lab researchers Fabio Assolini and Dmitry Bestuzhev said that the attackers had extended their operations to nine other institutions worldwide.

The unidentified bank claims five million customers in Brazil, the US, Argentina and Grand Cayman and manages $25 billion in assets from a network of 500 branches.

“Every single visitor got a plugin with the JAR file inside,” Bestuzhev says, adding that the attackers had control of the site's index file. Within that index file, an injected iframe redirected visitors to a website from which the malware was dropped.
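As an added illustration (not code from the Kaspersky researchers or from the bank), the following Python script shows one way a site owner could catch the kind of injected iframe described above: fetch your own index page on a schedule and flag any iframe whose target host is not one of your own domains. The HTML sample and all hostnames are constructed placeholders.

```python
"""Flag iframes in a served page that point outside the site's own domains.

Added illustration, not code from Kaspersky or the bank. A defender fetches
their own index page periodically and compares every iframe target against an
allowlist of their own domains. The sample page and hostnames are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def find_foreign_iframes(html, allowed_hosts):
    """Return iframe src values whose host is not an allowed domain or subdomain.

    Relative URLs carry no host, are served by the site itself, and are not flagged.
    """
    parser = IframeCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    foreign = []
    for src in parser.sources:
        host = urlparse(src).hostname
        if host is None:
            continue  # relative path: same origin
        host = host.lower()
        if host in allowed or any(host.endswith("." + a) for a in allowed):
            continue
        foreign.append(src)
    return foreign


# Constructed sample: a normal page with one legitimate widget iframe and one
# injected, zero-size iframe pointing at a foreign host (placeholder names).
SAMPLE_INDEX = """<html><body>
<h1>Internet Banking</h1>
<iframe src="/widgets/rates.html" width="300"></iframe>
<iframe src="https://www.bank.example/help"></iframe>
<iframe src="http://drop.evil-host.example/plugin.zip" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in find_foreign_iframes(SAMPLE_INDEX, ["bank.example"]):
        print("ALERT: iframe to foreign host:", src)
```

Run against a live copy of the page, the script becomes a cheap integrity check; pairing it with a hash of the expected index file catches changes that do not involve an iframe at all.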

The hackers had seized control of the bank's DNS hosting service, transferring all 36 of the bank's domains to phony websites that used free HTTPS certs from Let's Encrypt.

“All domains, including corporate domains, were in control of the bad guy,” Assolini says, adding that the attackers were also inside the corporate email infrastructure and shut it down, preventing the bank from informing customers of the attack or contacting its registrar and DNS provider.

Pulling the malware apart, the researchers found eight modules, including configuration files with bank URLs, update modules, credential-stealing modules for Microsoft Exchange, Thunderbird, and the local address book, and internet banking control and decryption modules. All of the modules, the researchers said, were talking to a command and control server in Canada.

One of the modules, called Avenger, is a legitimate penetration testing tool used to remove rootkits. But in this case, it had been modified to remove security products running on compromised computers. It was through Avenger that the researchers determined that nine other banks around the world were similarly attacked and owned.

“The bad guys wanted to use that opportunity to hijack operations of the original bank but also drop malware with the capacity to steal money from banks of other countries,” Bestuzhev says.

The researchers also reported finding phishing pages loaded onto bank domains trying to induce victims to enter payment card information.

This plot was hatched at least five months in advance when the Let’s Encrypt certificate was registered. Spear-phishing emails were also discovered targeting local companies using the name of the Brazilian registrar.

Bestuzhev and Assolini believe this could be the avenue the attackers used to take control of the bank's DNS settings.

“Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad,” Bestuzhev says. “If DNS was under control of the criminals, you’re screwed.”

The researchers stressed the importance of securing the DNS infrastructure and the need to take advantage of features such as two-factor authentication, which most registrars offer, but few customers use.

“That’s exactly what happened with this bank,” Assolini says.
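Registrar two-factor authentication stops the account takeover; detecting the takeover quickly if it happens anyway is a separate control. As an added example (not the researchers' or the bank's code), this Python script keeps a signed-off baseline of each domain's nameservers, addresses and certificate issuer and alerts on any drift, which is exactly the pattern of the attack described above: nameservers and addresses moved to attacker infrastructure and a certificate from a different issuer appearing on the domain. Live resolution is replaced with constructed snapshots so it runs offline; every domain, nameserver, address and issuer name is a placeholder.

```python
"""Alert on drift in a domain's nameservers, addresses and TLS issuer.

Added example, not code from the researchers or the bank. Keep a baseline of
what each domain should resolve to and who should issue its certificate,
re-check from an independent vantage point, and alert on any difference.
Live DNS/TLS lookups are replaced by constructed snapshots so this runs
offline; all names, addresses and issuers are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainSnapshot:
    """Expected or observed state of one domain."""
    nameservers: frozenset   # authoritative NS hostnames
    addresses: frozenset     # A records of the web front end
    cert_issuer: str         # issuer name on the served TLS certificate


def audit_domain(name, expected, observed):
    """Return findings for one domain; an empty list means no drift."""
    findings = []
    if observed.nameservers != expected.nameservers:
        findings.append(f"{name}: NS drift {sorted(expected.nameservers)} "
                        f"-> {sorted(observed.nameservers)}")
    if observed.addresses != expected.addresses:
        findings.append(f"{name}: A-record drift {sorted(expected.addresses)} "
                        f"-> {sorted(observed.addresses)}")
    if observed.cert_issuer != expected.cert_issuer:
        findings.append(f"{name}: certificate issuer changed from "
                        f"'{expected.cert_issuer}' to '{observed.cert_issuer}'")
    return findings


def audit_all(baseline, observed):
    """Audit every baselined domain.

    A domain with no observation is itself a finding: resolver silence must
    never be read as 'no change'.
    """
    findings = []
    for name, expected in sorted(baseline.items()):
        snapshot = observed.get(name)
        if snapshot is None:
            findings.append(f"{name}: no resolution result (resolver failure or domain gone)")
            continue
        findings.extend(audit_domain(name, expected, snapshot))
    return findings


BANK_NS = frozenset({"ns1.bank-dns.example", "ns2.bank-dns.example"})
BANK_CA = "Bank Corporate CA (placeholder)"

# Constructed baseline: three of the bank's domains on its own NS and CA.
BASELINE = {
    "www.bank.example": DomainSnapshot(BANK_NS, frozenset({"192.0.2.10", "192.0.2.11"}), BANK_CA),
    "mail.bank.example": DomainSnapshot(BANK_NS, frozenset({"192.0.2.20"}), BANK_CA),
    "login.bank.example": DomainSnapshot(BANK_NS, frozenset({"192.0.2.30"}), BANK_CA),
}

# Constructed observation: www now sits on foreign nameservers at a new address
# with a certificate from another issuer; mail returns nothing; login is clean.
OBSERVED_HIJACKED = {
    "www.bank.example": DomainSnapshot(
        frozenset({"ns1.foreign-dns.example"}),
        frozenset({"198.51.100.5"}),
        "Free public CA (placeholder)"),
    "login.bank.example": BASELINE["login.bank.example"],
}

if __name__ == "__main__":
    for line in audit_all(BASELINE, OBSERVED_HIJACKED):
        print("ALERT:", line)
```

The baseline should be resolved and checked from outside the bank's own network and DNS, since a hijack of the registrar account changes what the world sees while internal resolvers may still return the old answers.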

Comments: (1)

Chris Yaldezian - IBM (Software Group) - San Ramon | 05 April, 2017, 19:01

WOW! Thanks for the story.
