RSA - DNS Poisoning Being Employed Against Brazilian Boletos

Securityweek.com published a recent report of RSA on 10th February, 2015 stating that in recent months, cyber crooks have began depending on DNS (Domain Name Sysytem) poisoning to aim Brazilian Boletos.

The Boleto (Boleto Bancario) especially is a method of payment used mainly in Brazil. It is a payment voucher which can be generated by banks or merchants to enable customers to pay for purchases and services without using their credit card or without having any bank account. These Boleto vouchers can be paid via Internet, at ATMs or at bank branch having these facilities Lottery agents, Post Offices and some supermarkets within the due date mentioned on the voucher.

Now cyber thugs have started exploiting DNS cache poisoning in their campaigns in addition to malware. RSA said that the criminals attack the DNS servers of ISPs (Internet Service Providers) and modify the entries of DNS for specific websites of bank so that their Internet Protocol addresses are resolved to a rouge server.

When one of the customers of ISP visits the website of the targeted bank, the attackers can inject maligned JavaScript into the webpage. They use the fake JavaScript to change the behavior of the targeted webpage without the knowledge of the customer of the Brazilain bank and can start advanced attacks through existing frameworks.

After injecting the malware, the fraudsters get control of the fake JavaScript and they can manipulate pages and control customer accounts and finally capture all information regarding Boleto payment card including new validity and expiry dates which they can use later to make fraudulent transactions.

The DNS cache poisoning method which is a crucial part of this campaign starts with a DNS request made by the scammer for the targeted domain. The server of DNS demands the root name server for the entry. However, the attacker overflows the DNS server with a phony response for the assaulted domain to enable the genuine response to be ignored from the root server. The malicious entry remains in cache for hours and even for days which ensures that users accessing targeted website of the bank are guided to the fake server.

These attacks can be minimized by undertaking DNSSEC stable DNS extensions using the HTTPS protocol completely to transmit knowledge amongst a host of others.

» SPAMfighter News - 2/18/2015