
How hackers took complete control of a legit Brazilian bank

05 April 2017  |  13131 views  |  1 comment

A Brazilian bank had its entire IT operation taken over by hackers in a 'stunning compromise' that put each of its 36 domains, its corporate email and its DNS under the attackers' control.

The three-month-long heist was uncovered last October when it became apparent that the bank's website was serving malware to every visitor. The malware was a Java (JAR) file tucked inside a .zip archive that was loaded through the site's index file.

Detailing the online assault at the Security Analyst Summit, Kaspersky Lab researchers Fabio Assolini and Dmitry Bestuzhev said that the attackers had extended their operations to nine other institutions worldwide.

The unidentified bank claims five million customers in Brazil, the US, Argentina and Grand Cayman and manages $25 billion in assets from a network of 500 branches.

“Every single visitor got a plugin with the JAR file inside,” Bestuzhev says, adding that the attackers controlled the site's index file. An iframe loaded from within that index redirected visitors to a website from which the malware was dropped.
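A defender-side check for the mechanism just described, added here as an example (it is not code from the article or from the Kaspersky research): it parses a served page and reports every iframe, frame or script that loads from a host outside the bank's own domains, which is how an injected redirect in the index file would surface. The sample HTML and the domain names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LoadCollector(HTMLParser):
    """Collects the src of every iframe, frame and script tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame", "script"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def _host_of(src):
    # Relative URLs have no host and count as same-origin; "//host/path" is scheme-relative.
    return (urlparse(src, scheme="https").hostname or "").lower()


def is_own_host(host, own_domains):
    """A host is 'own' if it is empty (relative URL) or sits under one of our domains."""
    return host == "" or any(host == d or host.endswith("." + d) for d in own_domains)


def find_foreign_loads(html, own_domains):
    """Return (tag, src) pairs that pull content from outside own_domains."""
    collector = _LoadCollector()
    collector.feed(html)
    return [(t, s) for t, s in collector.sources if not is_own_host(_host_of(s), own_domains)]


# Constructed index page: one legitimate frame, one hidden injected frame (hypothetical hosts).
SAMPLE_INDEX = """<html><head><script src="/js/app.js"></script></head>
<body><h1>Internet Banking</h1>
<iframe src="https://static.bank.example/promo.html"></iframe>
<iframe src="//injected.example/plugin.zip" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src in find_foreign_loads(SAMPLE_INDEX, ["bank.example"]):
        print(f"foreign {tag} load: {src}")
```

Run it against a copy of the live index file on a schedule and alert on any non-empty result.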

The hackers had seized control of the bank's DNS hosting service, pointing all 36 of the bank's domains to phony websites that used free HTTPS certificates from Let's Encrypt.

“All domains, including corporate domains, were in control of the bad guy,” Assolini says, adding that the attackers were also inside the corporate email infrastructure and shut it down, preventing the bank from informing customers of the attack or contacting its registrar and DNS provider.

Pulling the malware apart, the researchers found eight modules, including configuration files with bank URLs, update modules, credential-stealing modules for Microsoft Exchange, Thunderbird, and the local address book, and internet banking control and decryption modules. All of the modules, the researchers said, were talking to a command and control server in Canada.

One of the modules, called Avenger, is a legitimate penetration testing tool used to remove rootkits. But in this case, it had been modified to remove security products running on compromised computers. It was through Avenger that the researchers determined that nine other banks around the world were similarly attacked and owned.

“The bad guys wanted to use that opportunity to hijack operations of the original bank but also drop malware with the capacity to steal money from banks of other countries,” Bestuzhev says.

The researchers also reported finding phishing pages loaded onto bank domains trying to induce victims to enter payment card information.

The plot had been in preparation for at least five months, which is when the Let's Encrypt certificate was registered. Spear-phishing emails were also discovered targeting local companies using the name of the Brazilian registrar.

Bestuzhev and Assolini believe this could be the avenue the attackers used to gain control of the bank's DNS settings.

“Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad,” Bestuzhev says. “If DNS was under control of the criminals, you’re screwed.”

The researchers stressed the importance of securing the DNS infrastructure and the need to take advantage of features such as two-factor authentication, which most registrars offer, but few customers use.
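Two registrar-side detections that follow from the researchers' advice, added here as an example and not part of the article or of any vendor's tooling: one compares each domain's observed NS delegation with a baseline recorded at the registrar, the other scans certificate-transparency entries for certificates covering the bank's names issued by a CA outside the allowlist, which would have flagged the Let's Encrypt certificate months before the hijack went live. The baseline, the observed records, the CT entries and all names are constructed; in practice the observed values would come from a live NS lookup and a CT log query.

```python
"""Registrar-side monitoring: NS delegation drift and CT issuer allowlisting."""

# Constructed baseline: where the domains should be delegated and which CAs the bank uses.
EXPECTED_NS = {
    "bank.example": {"ns1.bank-dns.example", "ns2.bank-dns.example"},
    "bank-online.example": {"ns1.bank-dns.example", "ns2.bank-dns.example"},
}
ALLOWED_ISSUERS = {"Corporate CA Example"}

# Constructed observations standing in for a live NS lookup and a CT log query.
OBSERVED_NS = {
    "bank.example": {"ns-a.freehost.example", "ns-b.freehost.example"},  # delegation moved
    "bank-online.example": {"ns2.bank-dns.example", "ns1.bank-dns.example"},
}
CT_ENTRIES = [
    {"names": ["bank.example", "www.bank.example"], "issuer": "Corporate CA Example", "not_before": "2016-01-10"},
    {"names": ["*.bank.example"], "issuer": "Let's Encrypt Authority X3", "not_before": "2016-05-02"},
    {"names": ["unrelated.example"], "issuer": "Let's Encrypt Authority X3", "not_before": "2016-06-01"},
]


def ns_drift(expected, observed):
    """Map each domain whose delegation differs from baseline to its added/missing servers."""
    drift = {}
    for domain, baseline in expected.items():
        seen = set(observed.get(domain, ()))
        if seen != baseline:
            drift[domain] = {"added": sorted(seen - baseline), "missing": sorted(baseline - seen)}
    return drift


def covers_monitored(name, monitored):
    """True if a certificate name (wildcards included) covers a monitored domain or subdomain."""
    n = name.lower().lstrip("*.")
    return any(n == d or n.endswith("." + d) for d in monitored)


def unexpected_certs(entries, monitored, allowed_issuers):
    """CT entries that cover a monitored domain but were issued by a CA outside the allowlist."""
    hits = []
    for e in entries:
        covered = sorted(n for n in e["names"] if covers_monitored(n, monitored))
        if covered and e["issuer"] not in allowed_issuers:
            hits.append({"issuer": e["issuer"], "not_before": e["not_before"], "names": covered})
    return hits


def run_checks():
    """Produce one report covering both checks for every domain in the baseline."""
    return {"ns_drift": ns_drift(EXPECTED_NS, OBSERVED_NS),
            "unexpected_certs": unexpected_certs(CT_ENTRIES, set(EXPECTED_NS), ALLOWED_ISSUERS)}
```

Any non-empty entry in the report is a page to the team that owns the registrar account, which should itself be protected by the two-factor authentication the researchers mention.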

“That’s exactly what happened with this bank,” Assolini says.

Comments: (1)

Chris Yaldezian - IBM (Software Group) - San Ramon | 05 April, 2017, 19:01

WOW! Thanks for the story.
