
How hackers took complete control of a legit Brazilian bank

05 April 2017  |  10512 views  |  1 comment

A Brazilian bank had its entire IT operation taken over by hackers in a 'stunning compromise' that put each of its 36 domains, its corporate email and its DNS under the attackers' control.

The three-month-long heist was uncovered last October when it became apparent that the bank's website was serving malware to each of its visitors. The malware was a Java file tucked inside a .zip archive loaded from the site's index file.

Detailing the online assault at the Security Analyst Summit, Kaspersky Lab researchers Fabio Assolini and Dmitry Bestuzhev said that the attackers had extended their operations to nine other institutions worldwide.

The unidentified bank claims five million customers in Brazil, the US, Argentina and Grand Cayman and manages $25 billion in assets from a network of 500 branches.

“Every single visitor got a plugin with the JAR file inside,” Bestuzhev says, adding that the attackers had control of the site’s index file. Within the index, an iframe was loaded that redirected visitors to a website from which the malware was dropped.

The hackers had seized control of the bank's DNS hosting service, transferring all 36 of the bank's domains to phony websites that used free HTTPS certs from Let's Encrypt.

“All domains, including corporate domains, were in control of the bad guy,” Assolini says, adding that the attackers also were inside the corporate email infrastructure and shut it down, preventing the bank from informing customers of the attack or contacting their registrar and DNS provider.

Pulling the malware apart, the researchers found eight modules, including configuration files with bank URLs, update modules, credential-stealing modules for Microsoft Exchange, Thunderbird, and the local address book, and internet banking control and decryption modules. All of the modules, the researchers said, were talking to a command and control server in Canada.

One of the modules, called Avenger, is a legitimate penetration testing tool used to remove rootkits. But in this case, it had been modified to remove security products running on compromised computers. It was through Avenger that the researchers determined that nine other banks around the world were similarly attacked and owned.

“The bad guys wanted to use that opportunity to hijack operations of the original bank but also drop malware with the capacity to steal money from banks of other countries,” Bestuzhev says.

The researchers also reported finding phishing pages loaded onto bank domains trying to induce victims to enter payment card information.

This plot was hatched at least five months in advance when the Let’s Encrypt certificate was registered. Spear-phishing emails were also discovered targeting local companies using the name of the Brazilian registrar.

Bestuzhev and Assolini believe this could be the avenue the attackers used to take control of the bank’s DNS settings.

“Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad,” Bestuzhev says. “If DNS was under control of the criminals, you’re screwed.”

The researchers stressed the importance of securing the DNS infrastructure and the need to take advantage of features such as two-factor authentication, which most registrars offer, but few customers use.

“That’s exactly what happened with this bank,” Assolini says.
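A takeover of the kind described above, where the registrar-level delegation, the web records and the mail records all move to attacker-controlled infrastructure at once, is visible from outside the organisation to anyone comparing live DNS answers against a known-good baseline. The script below is an added example and is not tooling from the researchers or the bank: it parses `dig +noall +answer` style output and reports drift per record type, rating NS and MX changes as critical (delegation and mail takeover, which is what cut the bank off from its customers and its registrar) and A record changes as high unless the new address stays inside the organisation's own netblocks. The domain `examplebank.invalid`, the nameserver names, the netblock and the captured dig output are all constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed baseline for a hypothetical bank (examplebank.invalid is a placeholder name).
# In practice this is recorded once from the registrar and authoritative servers.
BASELINE = {
    "examplebank.invalid.": {
        "NS": {"ns1.legit-dns.invalid.", "ns2.legit-dns.invalid."},
        "A":  {"203.0.113.10", "203.0.113.11"},
        "MX": {"10 mail.examplebank.invalid."},
    },
}
# Netblocks the organisation actually owns (constructed); an A record outside them is suspicious.
OWNED_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed `dig +noall +answer` output as it might look after a delegation hijack.
OBSERVED_DIG_OUTPUT = """\
examplebank.invalid.  300  IN  NS  ns1.attacker-dns.invalid.
examplebank.invalid.  300  IN  A   198.51.100.77
examplebank.invalid.  300  IN  MX  10 mail.attacker-dns.invalid.
"""

# Severity assigned to drift in each record type; anything else is treated as medium.
SEVERITY = {"NS": "critical", "MX": "critical", "A": "high"}


@dataclass
class Finding:
    domain: str
    rtype: str
    severity: str
    missing: frozenset     # expected in the baseline but not observed
    unexpected: frozenset  # observed but not in the baseline


def parse_dig_answer(text):
    """Parse `dig +noall +answer` lines into {domain: {rtype: set(rdata)}}."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        # An answer RR looks like: NAME TTL IN TYPE RDATA...; skip anything else.
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, rtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        records.setdefault(name, {}).setdefault(rtype, set()).add(rdata)
    return records


def diff_records(baseline, observed, owned_netblocks=OWNED_NETBLOCKS):
    """Compare observed records against the baseline and return a Finding per drifted RR set."""
    findings = []
    for domain, expected in baseline.items():
        seen = observed.get(domain, {})
        for rtype, want in expected.items():
            got = seen.get(rtype, set())
            missing, unexpected = want - got, got - want
            if not missing and not unexpected:
                continue
            severity = SEVERITY.get(rtype, "medium")
            # An A record that moved but stayed inside the organisation's own address
            # space is most likely routine; outside it, keep the hijack-level rating.
            if rtype == "A" and unexpected and all(
                any(ipaddress.ip_address(ip) in net for net in owned_netblocks)
                for ip in unexpected
            ):
                severity = "low"
            findings.append(Finding(domain, rtype, severity,
                                    frozenset(missing), frozenset(unexpected)))
    return findings


def main():
    observed = parse_dig_answer(OBSERVED_DIG_OUTPUT)
    for f in diff_records(BASELINE, observed):
        print(f"[{f.severity.upper()}] {f.domain} {f.rtype}: "
              f"missing={sorted(f.missing)} unexpected={sorted(f.unexpected)}")


if __name__ == "__main__":
    main()
```

Run from a vantage point outside the organisation's own resolvers (a hijacked zone looks fine from inside if internal caches still hold the old answers) and feed it the live dig output instead of the constructed string; a critical NS finding is the signal to contact the registrar out of band, which is exactly the step the bank could not take once its email was gone.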

Comments: (1)

Chris Yaldezian - IBM (Software Group) - San Ramon | 05 April, 2017, 19:01

WOW! Thanks for the story.
