
MitM attackers posing as banks, other major groups, tough to detect

Hackers are compromising online banking and social media users in a man-in-the-middle (MitM) attack campaign that involves posing as major organizations – and they are doing it without setting off alerts, according to researchers with PhishLabs.

More than 70 recognizable financial organizations around the globe have been targeted so far in the campaign, according to PhishLabs research, which adds that attackers posed as more than 25 other major websites for the purposes of gathering credentials, including social media and email.

The attack begins as many do – with spam.

The PhishLabs researchers observed spam emails carrying RTF attachments named 'Authorization Form' or something similar to lure the user into opening them. The attachments are not documents at all but a backdoor Remote Administration Tool (RAT) that executes surreptitiously when the file is clicked.

Upon execution, the malware reconfigures the infected PC's DNS settings so that all name lookups go to a DNS server controlled by the attacker, according to a Wednesday post by Don Jackson, director of threat intelligence with PhishLabs.

“The DNS changes point to the hacker's clandestine DNS name server so that users are directed to proxy servers instead of legitimate sites,” Jackson wrote, explaining the malware also installs “a root certificate for a rogue [Certificate Authority]” so that the user is not alerted by error warnings.

With the rogue resolver steering lookups to the attacker's proxy and the rogue root CA letting that proxy present certificates the browser trusts, the attacker can pose as any site of their choosing, according to the post. In the case of a bank, it explains, the hacker can read everything sent between the victim and the bank, modify it, ask the victim for additional information, lock the user out, or inject new requests for unauthorized transactions.
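The two changes the malware makes on the victim (a new resolver, a new root CA) are exactly the two things a host-side check can look for. The following Python script is an added example, not PhishLabs' tooling or anything from the post: it parses the DNS Servers field of `ipconfig /all` output (a constructed sample is embedded), compares the resolvers against an expected list, notes which of the unexpected ones sit on public address space, and diffs the current Root store thumbprints against a recorded baseline. The resolver addresses, the baseline and the thumbprint values are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output from a Windows host, trimmed to the
# fields this check needs. 203.0.113.44 stands in for the attacker's DNS server;
# 192.168.1.1 is the router the host should be using.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : VICTIM-PC

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.57(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.44
                                       192.168.1.1
"""

# Constructed baselines (hypothetical values): resolvers the network is expected to
# hand out, and SHA-256 thumbprints of the Root store as recorded on a clean build.
EXPECTED_RESOLVERS = {"192.168.1.1"}
BASELINE_ROOT_THUMBPRINTS = {"aa" * 32, "bb" * 32}

# Address ranges a LAN-local resolver would normally live in.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

DNS_FIELD = re.compile(r"\s*DNS Servers[ .]*:\s*(\S+)")


def parse_dns_servers(ipconfig_text):
    """Extract every DNS server from `ipconfig /all` output, including the
    indented continuation lines Windows prints for second and later servers."""
    servers = []
    in_dns_field = False
    for line in ipconfig_text.splitlines():
        m = DNS_FIELD.match(line)
        if m:
            servers.append(m.group(1))
            in_dns_field = True
            continue
        if in_dns_field:
            candidate = line.strip()
            try:
                ipaddress.ip_address(candidate)   # a bare IP is a continuation line
                servers.append(candidate)
                continue
            except ValueError:
                in_dns_field = False               # any other line ends the field
    return servers


def is_local(ip):
    """True if the address falls in one of the LAN/loopback/link-local ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def audit_host(ipconfig_text, current_root_thumbprints,
               expected_resolvers=EXPECTED_RESOLVERS,
               baseline_roots=BASELINE_ROOT_THUMBPRINTS):
    """Return the two indicators this campaign leaves on the victim: resolvers that
    are not the expected ones (worse when they sit on public address space, as a
    hosting-company DNS server would) and root CAs absent from the baseline."""
    servers = parse_dns_servers(ipconfig_text)
    unexpected = [s for s in servers if s not in expected_resolvers]
    return {
        "dns_servers": servers,
        "unexpected_resolvers": unexpected,
        "public_resolvers": [s for s in unexpected if not is_local(s)],
        "unexpected_roots": set(current_root_thumbprints) - set(baseline_roots),
    }


if __name__ == "__main__":
    # Constructed current Root store: the baseline plus one unknown root ("cc" * 32).
    current_roots = BASELINE_ROOT_THUMBPRINTS | {"cc" * 32}
    for key, value in audit_host(SAMPLE_IPCONFIG, current_roots).items():
        print(f"{key}: {value}")
```

On a real fleet the inputs would come from an inventory agent rather than pasted text, and the root-store baseline has to be refreshed whenever Windows Update legitimately adds a root, or every host will alert at once.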

“None of the attacks used separate servers for DNS and web proxy services,” Jackson wrote. “The servers were located on hosting company networks in the UK and in Central or Eastern Europe.”

Victims will typically not know what hit them until they receive a notice that their accounts are overdrawn, Jackson said in a Wednesday email. Being wary of attachments and links in emails and keeping anti-virus definitions up to date are among the best practices for avoiding this attack, he said.

“From the targeted organization's perspective, this activity can be difficult to detect,” Jackson said. “All of the normal indications that a user's activity is authorized – login credentials, cookies, browser fingerprinting – all appear to be normal.”

Not all hope is lost when it comes to detecting the attack, however.

“The one possible indicator visible to the web server of a targeted organization is the IP address,” Jackson explained. “The web server will see the connection as coming from the attacker's proxy server, not from the actual IP address of the customer's computer. The trick is how to know the difference, since some users do go through legitimate proxies regularly.”
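The server-side signal Jackson describes can be turned into a concrete check. The Python below is an added example, not code from PhishLabs or from any bank: over a constructed batch of login-audit lines it counts, per client IP, how many distinct accounts logged in successfully from an address none of them had used before, and flags the IP once that fan-out passes a threshold. The "legitimate proxies" problem from the quote is handled two ways: an allowlist of proxies the site already knows about, and per-account history, so a customer who has always come through a shared corporate egress is not counted against it. The log format, the history, the allowlist and the threshold are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed login-audit lines: "<time> <client_ip> <account> <result>".
# 192.0.2.200 plays the attacker's proxy: several customers who never used it
# before all arrive through it. 198.51.100.10 is a known corporate proxy, which is
# just as shared but expected.
LOG_LINES = """\
2020-01-01T09:00:01Z 203.0.113.5   alice   LOGIN_OK
2020-01-01T09:02:10Z 192.0.2.200   alice   LOGIN_OK
2020-01-01T09:03:44Z 192.0.2.200   carol   LOGIN_OK
2020-01-01T09:05:02Z 198.51.100.10 bob     LOGIN_OK
2020-01-01T09:06:30Z 198.51.100.10 erin    LOGIN_OK
2020-01-01T09:07:15Z 192.0.2.200   mallory LOGIN_FAIL
2020-01-01T09:09:58Z 192.0.2.200   dave    LOGIN_OK
""".splitlines()

# Constructed per-account history of source IPs seen on earlier successful logins.
LOGIN_HISTORY = {
    "alice": {"203.0.113.5"},
    "bob":   {"198.51.100.10"},
    "carol": {"192.0.2.77"},
    "dave":  {"203.0.113.9"},
    "erin":  set(),            # new customer, no history yet
}

# Constructed allowlist of proxies the site already knows its customers sit behind.
KNOWN_PROXIES = {"198.51.100.10"}

# Flag an IP once it fronts logins for this many distinct accounts that never used
# it before; tune against the site's own base rate of shared egress addresses.
FAN_OUT_THRESHOLD = 3

LINE = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+(LOGIN_OK|LOGIN_FAIL)")


def parse_logins(lines):
    """Yield (time, ip, account) for successful logins only: a failed attempt does
    not show the proxy held valid credentials, so it stays out of the fan-out count."""
    for line in lines:
        m = LINE.match(line)
        if m and m.group(4) == "LOGIN_OK":
            yield m.group(1), m.group(2), m.group(3)


def find_suspect_proxies(lines, history=LOGIN_HISTORY, known_proxies=KNOWN_PROXIES,
                         threshold=FAN_OUT_THRESHOLD):
    """Return {ip: sorted accounts} for IPs that look like an unauthorised proxy:
    not on the allowlist, and used by at least `threshold` distinct accounts, none
    of which logged in from that IP before."""
    first_time_users = defaultdict(set)   # ip -> accounts for which this ip is new
    for _, ip, account in parse_logins(lines):
        if ip not in known_proxies and ip not in history.get(account, set()):
            first_time_users[ip].add(account)
    return {ip: sorted(accts) for ip, accts in first_time_users.items()
            if len(accts) >= threshold}


def flagged_logins(lines, **kw):
    """The individual successful logins routed through a suspect proxy, for follow-up."""
    suspects = find_suspect_proxies(lines, **kw)
    return [(t, ip, acct) for t, ip, acct in parse_logins(lines) if ip in suspects]


if __name__ == "__main__":
    for ip, accounts in find_suspect_proxies(LOG_LINES).items():
        print(f"suspect proxy {ip}: {len(accounts)} accounts new to this IP -> {accounts}")
    for t, ip, acct in flagged_logins(LOG_LINES):
        print(f"  {t} {acct} via {ip}")
```

This is a batch check over a window, so the first login through a new proxy is only flagged in hindsight once enough other customers follow it; in production the same counters would be kept incrementally and the threshold set from the observed distribution of accounts per IP, with large ISP NAT ranges added to the allowlist as they are identified.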
