
How hackers took complete control of a legit Brazilian bank

05 April 2017  |  13521 views  |  1 comment

A Brazilian bank had its entire IT operations taken over by hackers in a 'stunning compromise' that saw each of its 36 domains, its corporate email and its DNS under the attackers' control.

The three-month long heist was uncovered last October when it became apparent the bank’s Website was serving malware to each of its visitors. The malware was a Java file tucked inside a .zip archive loaded into the index file.

Detailing the online assault at the Security Analyst Summit, Kaspersky Lab researchers Fabio Assolini and Dmitry Bestuzhev said that the attackers had extended their operations to nine other institutions worldwide.

The unidentified bank claims five million customers in Brazil, the US, Argentina and Grand Cayman and manages $25 billion in assets from a network of 500 branches.

“Every single visitor got a plugin with the JAR file inside,” Bestuzhev says, adding that the attackers had control of the site’s index file. Within the index, an iframe was loaded and it was redirecting visitors to a website from where the malware was being dropped.
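One defensive check this suggests, written here as an added example (not code from the article or from Kaspersky): audit the index page a site actually serves for elements that load content from another host, iframes hidden from the visitor, and any reference to an archive or Java payload. The site host `bank.example` and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

LOADERS = {"iframe", "script", "object", "embed"}   # tags that pull content into the page
PAYLOAD_EXT = (".jar", ".zip")                       # what the article says was being dropped

class IndexAuditor(HTMLParser):
    """Flags elements that load content from outside the site's own host, iframes that are
    hidden from the user, and any reference to an archive or Java payload."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _off_origin(self, host):
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # attributes without a value become ""
        target = (a.get("src") or a.get("data", "")) if tag in LOADERS else (a.get("href", "") if tag == "a" else "")
        if not target:
            return
        url = urlparse(target)
        reasons = []
        if tag in LOADERS and self._off_origin((url.hostname or "").lower()):
            reasons.append("off-origin load")
        style = a.get("style", "").replace(" ", "").lower()
        if tag == "iframe" and ("display:none" in style or a.get("width") == "0" or a.get("height") == "0" or "hidden" in a):
            reasons.append("hidden iframe")
        if url.path.lower().endswith(PAYLOAD_EXT):
            reasons.append("archive/Java payload")
        if reasons:
            self.findings.append((tag, target, reasons))

def audit_index(html, site_host):
    """Return (tag, target, reasons) for every suspicious element in the served index page."""
    auditor = IndexAuditor(site_host)
    auditor.feed(html)
    return auditor.findings

# Constructed sample: a normal page plus the kind of injection the article describes.
SAMPLE_INDEX = """<html><body>
<script src="/static/app.js"></script>
<a href="https://online.bank.example/login">Internet banking</a>
<iframe src="https://cdn.unknown.example/update/plugin.zip" width="0" height="0"></iframe>
</body></html>"""
```

Run it against the page fetched from the public Internet rather than from the origin server, since a DNS-level hijack means the two can differ.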

The hackers had seized control of the bank's DNS hosting service, transferring all 36 of the bank's domains to phony websites that used free HTTPS certs from Let's Encrypt.

“All domains, including corporate domains, were in control of the bad guy,” Assolini says, adding that the attackers also were inside the corporate email infrastructure and shut it down, preventing the bank from informing customers of the attack or contacting their registrar and DNS provider.

Pulling the malware apart, the researchers found eight modules, including configuration files with bank URLs, update modules, credential-stealing modules for Microsoft Exchange, Thunderbird, and the local address book, and internet banking control and decryption modules. All of the modules, the researchers said, were talking to a command and control server in Canada.

One of the modules, called Avenger, is a legitimate penetration testing tool used to remove rootkits. But in this case, it had been modified to remove security products running on compromised computers. It was through Avenger that the researchers determined that nine other banks around the world were similarly attacked and owned.

“The bad guys wanted to use that opportunity to hijack operations of the original bank but also drop malware with the capacity to steal money from banks of other countries,” Bestuzhev says.

The researchers also reported finding phishing pages loaded onto bank domains trying to induce victims to enter payment card information.

This plot was hatched at least five months in advance when the Let’s Encrypt certificate was registered. Spear-phishing emails were also discovered targeting local companies using the name of the Brazilian registrar.

Bestuzhev and Assolini believe this could be the avenue the attackers used to take over the bank’s DNS settings.

“Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad,” Bestuzhev says. “If DNS was under control of the criminals, you’re screwed.”

The researchers stressed the importance of securing the DNS infrastructure and the need to take advantage of features such as two-factor authentication, which most registrars offer but few customers use.

“That’s exactly what happened with this bank,” Assolini says.
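The monitoring the researchers are calling for can be made concrete, as an added example that is not code from the article or from Kaspersky: keep a signed-off baseline of every owned domain's NS, A and MX records and of the certificate issuer served on port 443, and alert on any drift, treating nameserver changes as the most severe because they hand over the whole zone. The domain names, addresses, severities and the allowed-issuer list are constructed placeholders.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class DnsSnapshot:
    ns: frozenset        # authoritative nameservers (NS)
    a: frozenset         # web front-end addresses (A)
    mx: frozenset        # mail exchangers (MX)
    cert_issuer: str     # issuer of the certificate served on :443

# Hypothetical severities: NS drift lets the whole zone be rewritten (the
# article's failure mode); MX drift is how the bank's mail was cut off.
SEVERITY = {"ns": "critical", "a": "high", "mx": "high", "issuer": "high"}
def diff_snapshot(baseline, observed, allowed_issuers):
    """Compare one domain with its baseline; returns (severity, message) pairs, empty if no drift."""
    alerts = []
    for rr in ("ns", "a", "mx"):
        base, obs = getattr(baseline, rr), getattr(observed, rr)
        if obs != base:
            alerts.append((SEVERITY[rr], f"{rr.upper()} drift: "
                           f"added={sorted(obs - base)} removed={sorted(base - obs)}"))
    if observed.cert_issuer not in allowed_issuers:
        alerts.append((SEVERITY["issuer"],
                       f"TLS issuer not on allow-list: {observed.cert_issuer}"))
    return alerts

def check_portfolio(baselines, observed, allowed_issuers):
    """Check every owned domain; one missing from the observation is itself an alert."""
    report = {}
    for domain, base in baselines.items():
        if domain not in observed:
            report[domain] = [("critical", "domain did not resolve")]
        else:
            report[domain] = diff_snapshot(base, observed[domain], allowed_issuers)
    return {d: a for d, a in report.items() if a}

def snap(ns, a, mx, issuer):
    return DnsSnapshot(frozenset(ns), frozenset(a), frozenset(mx), issuer)

# Constructed sample data with placeholder names, not the bank's real records.
BASELINES = {
    "bank.example": snap({"ns1.bank.example", "ns2.bank.example"}, {"192.0.2.10"},
                         {"mx.bank.example"}, "Example Bank CA"),
    "corp.example": snap({"ns1.bank.example", "ns2.bank.example"}, {"192.0.2.20"},
                         {"mx.bank.example"}, "Example Bank CA"),
}
OBSERVED = {  # bank.example now points at unknown nameservers; corp.example no longer resolves
    "bank.example": snap({"ns1.unknown.example", "ns2.unknown.example"}, {"198.51.100.7"},
                         {"mx.unknown.example"}, "Let's Encrypt"),
}
ALLOWED_ISSUERS = {"Example Bank CA"}
```

Because the article notes the attackers' certificate was issued five months before the takeover, feeding issuer observations from Certificate Transparency logs into the same check would have given warning well ahead of the DNS change.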

Comments: (1)

A Finextra member, 05 April 2017, 19:01

WOW! Thanks for the story.
