A Brazilian bank had all of its 36 domains and other online assets seized by hackers who then used the pages to push malware onto the banks customers.
The attack was first noticed in October 2016 when two Kaspersky Labs researchers, Fabio Assolini and Dmitry Bestuzhev, realized that what they initially believed was a basic site hijacking was in fact a case where someone had taken control of the site’s index file. The malicious actors then injected an iframe that redirected the bank’s customers and other visitors to another website where they were exposed to a zipped Java plugin containing malware. At the same time this gave them control of the bank’s corporate email and DNS.
The attack was very complicated in bot concept and execution. The findings were released this week at the Security Analyst Summit.
The researchers found that the unnamed bank’s website was displaying a valid SSL certificate, one that was added to the site the day before it began spewing malware to all comers. An act Bestuzhev called “interesting”, according to a Threatpost report.
The Kaspersky team was able to determine that the attackers began planning the hack five months earlier when the SSL certificate was registered. Their line of thought then follows that the cybercriminals used a spearphishing attack targeting an employee who had access to the banks DNS tables using the name of the certificate authority, Let’s Encrypt.
“Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad. If DNS was under control of the criminals, you’re screwed,” Bestuzhev told ThreatPost.
By installing their own SSL certificate and thus making the site look secure to an outsider the criminals were able to spoof even a web savvy person.
“Cybercriminals can now steal money by taking advantage of the one security measure every Internet user has been trained to trust: the green padlock in web browsers. These padlocks are supposed to signify a trusted digital certificate is in use, but now bad actors can obtain them for free,” Kevin Bocek, Venafi’s chief security strategist, told SC Media.
The end result of the attackers gaining control over every aspect of the bank’s online presence was everyone who came to the site was hit with the malware-laced plugin.
The researchers noted that this could have been avoided if two-factor authentication had been used to secure the DNS infrastructure.