Brazilians whacked: Crooks hijack bank's DNS to fleece victims

Rather than picking off online banking customers one by one, ambitious hackers took control of a Brazilian bank's entire DNS infrastructure to rob punters blind. The heist, detailed by security engineers at Kaspersky Lab, took place over about five hours on Saturday October 22, 2016, after the miscreants managed to get control …

  1. Nick Kew
    WTF?

    Six months ago!

    Um, how long does disclosure take?

    This just highlights the uselessness of crypto with the single point of failure represented by today's browser trust lists and CAs.

    Though something smells a bit suspicious about the lack of specificity here. Why break a story like this without naming the bank?

    1. AJames

      Re: Six months ago!

      The story came from security company Kaspersky Labs, provided to the press without details identifying the actual bank, so difficult to verify. It was announced at their Security Summit getaway on the Caribbean island of St. Maarten (see https://blog.kaspersky.com/what-is-sas/14411/). The reporters that got permission to attend this event had to file some stories to justify the budget!

  2. LDS Silver badge

    "Let's Encrypt" abused. What a surprise...

    Browsers should notify that Let's Encrypt certificates mean only "encrypted communication" with an UNKNOWN party.

    1. Warm Braw Silver badge

      Re: "Let's Encrypt" abused. What a surprise...

      Given this recent revelation I'm beginning to wonder if "Let's Encrypt" creates a bigger problem than it solves. Mind you, entangling encryption and identification was not a great idea in hindsight...

      1. Richard Boyce

        Re: "Let's Encrypt" abused. What a surprise...

        Criminals use security, so maybe you're thinking that security should be banned. Are you a politician?

        1. Warm Braw Silver badge

          Re: "Let's Encrypt" abused. What a surprise...

          >maybe you're thinking that security should be banned

          No. Encryption does not require the existence of a certificate. I'm thinking that perhaps, if the goal was to provide encryption everywhere, it would have been a better idea to build it into browsers and webservers rather than overload the mechanism that is supposed to be for identity assurance, confusing users and offering criminals a cost-free way of acquiring certificates for dodgy domains in bulk.

        2. LDS Silver badge

          Re: "Let's Encrypt" abused. What a surprise...

          If you believe that "security" means issuing certificates to anybody without any vetting, just because it allows encryption, you have a very wrong meaning of security.

          "Encryption" doesn't mean security if you don't know who is on the other side. Actually, MitM through a proxy able to plant a CA on your device is exactly a way to render encryption useless. If "Let's Encrypt" certificates are not issued reliably, it risks becoming the biggest MitM provider around.

          People have been brainwashed - by people who have a political agenda as well, like FSF and friends - to believe encryption *alone* will solve all their problems - but without authentication of the parties, encryption is almost useless.

          1. This post has been deleted by its author

        3. Anonymous Coward

          Re: "Let's Encrypt" abused. What a surprise...

          Rubber Stamp Certificates should be banned, because they make the whole thing pointless (apart from the encryption)!

          Free certificate, no background check to speak of (because of Free), and the idea of a Certificate AUTHORITY goes out the window!

          i.e:

          It starts with something not being Certified, because verification costs money and may take time.

          Then someone invents a way to give you a cert for nothing, but it is mostly worthless because the Verification part was left out (no money to do it). All you got is a cert that tells browsers that this cert and this domain belong together, but makes very little effort to Verify that this domain is controlled by §BigBankSomewhere, rather than ISIS, PKK or InsertNoGoodOrgHere...

          A rather good explanation is here:

          www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html

          This development is what is also known as Ad Absurdum!

    2. Aitor 1

      Re: "Let's Encrypt" abused. What a surprise...

      ALL the certificates mean that.

      The problem here is that the miscreants could prove they had control of the domains... so any cert company would have issued the certs.
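What "proving control of the domain" means in practice for an ACME CA such as Let's Encrypt: the client derives a key authorization from the challenge token and its account key (RFC 8555 section 8.1, thumbprint per RFC 7638), and for the dns-01 challenge publishes its SHA-256 in a TXT record at `_acme-challenge.<domain>` (section 8.4). Whoever controls the zone can publish that record. The block below is an added example, not code from the thread or from Let's Encrypt; the account JWK and the token are constructed placeholders, and `simulated_ca_dns01` stands in for the CA's resolver lookup.

```python
"""ACME dns-01 / http-01 challenge values from an account key (RFC 8555).

Added example. ACCOUNT_JWK is a constructed placeholder (not a real key) and
TOKEN is a made-up challenge token; only their formats matter here.
"""
import base64
import hashlib
import json
import re

B64URL = re.compile(r"^[A-Za-z0-9_-]+$")

# RFC 7638 s3.2: which public members are hashed, per key type.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# Constructed placeholder JWK: shape of an RSA public key, not a usable modulus.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "xjVZJ5nJzdeVDDcpm4ehpa9JFHIyZb2gGj2z5yY5o1placeholderNotARealModulus",
}
# Made-up token in the form a CA would issue (base64url, >=128 bits of entropy).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographic order, no whitespace."""
    try:
        members = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    except KeyError as exc:
        raise ValueError(f"unsupported or incomplete JWK: {exc}") from None
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_body(token: str, jwk: dict) -> str:
    """RFC 8555 s8.3: body served at /.well-known/acme-challenge/<token>."""
    return key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: TXT rdata for _acme-challenge.<domain>."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def simulated_ca_dns01(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """What the CA does: resolve the TXT record and compare it to the value it
    expects. `zone` maps owner names to TXT strings and stands in for DNS."""
    expected = dns01_txt_value(token, jwk)
    return expected in zone.get(f"_acme-challenge.{domain}", [])


if __name__ == "__main__":
    txt = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print("key authorization:", key_authorization(TOKEN, ACCOUNT_JWK))
    print("_acme-challenge.example.com TXT", txt)
    # Whoever can write this record into the zone passes validation.
    print("validates:", simulated_ca_dns01(
        {"_acme-challenge.example.com": [txt]}, "example.com", TOKEN, ACCOUNT_JWK))
```

The CA never learns who is behind the account key; it only learns that the key holder could place a record in the zone. That is what the attackers described in the article had, so the check passed for them exactly as it would for the bank.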

    3. Vagnerr

      Re: "Let's Encrypt" abused. What a surprise...

      LDS Said

      > Browser should notify that Let's Encrypt certificates means

      > only "encrypted communication" with an UNKNOWN party.

      It kind of does.

      The default "cheapest" SSL certs you can get either free from Lets Encrypt, or reasonably cheap from other providers, only report in the browser as "Secure" and with control of the domain you could have acquired a cert reasonably quickly from any provider. What banks and other important organisations will have is an "extended validation cert" where the issuer would have actually called the organisation and required documentary evidence to prove that they are really "ACME Banking Corp" in which case the browser will report the company name in the URL bar, not just the word "Secure".

      Of course the difference is quite subtle for most normal users and that is where the problem lies.

      1. LDS Silver badge

        Re: "Let's Encrypt" abused. What a surprise...

        Still, default certificates have a cost, and could maybe be a little more traceable - but really dodgy CAs - than Let's Encrypt (which is, aptly, Let's Encrypt, not Let's Secure).

        Not that CAs ever released certificates to allow misrepresenting dodgy sites, or allow MitM, but after some were kicked out by major browsers/OSes, maybe some more checks have been implemented. Hope Let's Encrypt will become more careful as well.

        But IMHO there should be two types of certificates - those that also properly authenticate the endpoint and are shown "green", and those that don't, and should also have a visible warning that the communication is encrypted, but with an "unverified" party. Say red = "encrypted", yellow = "encrypted, but not verified", green = "encrypted and verified".

        1. asdf

          Re: "Let's Encrypt" abused. What a surprise...

          >maybe some more checks have been implemented. Hope Let's Encrypt will become more careful as well.

          There will always be another race to the bottom company willing to join the lucrative x.509 circle jerk to take its place.

          1. LDS Silver badge

            Re: "Let's Encrypt" abused. What a surprise...

            That's the real issue, as has happened with domain names. Vetting has costs. The simplest way to sell cheaper is to automate it and remove vetting. Meanwhile users don't accept that security costs too.

            Thus this becomes a regulations problem, not a technical one.

            I believe there should be something like 'tier 1' certificates (fully vetted), and some businesses (banks, payment systems, e-commerce, etc.) should be required to use them. Something like EV, but mandatory. Do you want my money? Spend some for a good cert...

            Then there could be certificates issued with fewer checks, but applications using them should identify them as such. And cheap issuers with no checks should be treated just like plain communications.

  3. Your alien overlord - fear me
    Facepalm

    was this for Real (geddit?)

  4. adam payne

    "The heist, detailed by security engineers at Kaspersky Lab, took place over about five hours on Saturday October 22, 2016, after the miscreants managed to get control of the bank's DNS hosting service using targeted attacks. They managed to transfer all 36 of the bank's domains to phony websites that used free HTTPS certs from Let's Encrypt."

    Sounds like the DNS hosting provider has some serious explaining to do.
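The quoted paragraph describes an attacker who kept the bank's delegation intact but rewrote the records inside the zone at the hosting provider. The one check that catches that from the outside is a periodic diff of what public resolvers actually answer against a baseline you took when the zone was known-good. The block below is an added example, not from the article or the thread: `parse_answers` reads dig-style answer lines, `diff_zone` reports every record set that changed, and both snapshots are constructed sample data (in use, the "observed" one would come from dig or a resolver at several vantage points).

```python
"""Detect a zone hijack by diffing live DNS answers against a baseline.

Added example with constructed snapshots; not code from the article.
"""
from collections import namedtuple

Change = namedtuple("Change", "name rtype baseline observed severity")

# How alarming an unexpected change to a record type is.
SEVERITY = {"NS": "critical", "SOA": "critical", "A": "high", "AAAA": "high",
            "MX": "high", "CAA": "high", "TXT": "medium"}
_ORDER = ["low", "medium", "high", "critical"]

# Constructed: answers captured while the zone was known-good.
BASELINE = """
; baseline snapshot (constructed sample, not real records)
bank.example.      3600 IN NS ns1.dnshost.example.
bank.example.      3600 IN NS ns2.dnshost.example.
bank.example.       300 IN A  203.0.113.10
www.bank.example.   300 IN A  203.0.113.10
bank.example.      3600 IN MX 10 mail.bank.example.
"""

# Constructed: same delegation (NS unchanged), but the hosting account was
# used to point the web names at an attacker-controlled host.
HIJACKED = """
bank.example.      3600 IN NS ns1.dnshost.example.
bank.example.      3600 IN NS ns2.dnshost.example.
bank.example.       300 IN A  198.51.100.77
www.bank.example.   300 IN A  198.51.100.77
bank.example.      3600 IN MX 10 mail.bank.example.
"""


def parse_answers(text: str) -> dict:
    """Parse 'name ttl IN type rdata' lines into {(name, type): {rdata, ...}}.
    Comment lines (';') and anything that is not an IN record are skipped."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, _ttl, _cls, rtype, rdata = parts
        key = (name.rstrip(".").lower(), rtype.upper())
        records.setdefault(key, set()).add(rdata.strip())
    return records


def diff_zone(baseline: dict, observed: dict) -> list:
    """Every record set that differs, including sets that appeared or vanished."""
    changes = []
    for key in sorted(set(baseline) | set(observed)):
        before = set(baseline.get(key, ()))
        after = set(observed.get(key, ()))
        if before != after:
            name, rtype = key
            changes.append(Change(name, rtype, sorted(before), sorted(after),
                                  SEVERITY.get(rtype, "low")))
    return changes


def worst_severity(changes: list):
    return max((c.severity for c in changes), key=_ORDER.index, default=None)


if __name__ == "__main__":
    for c in diff_zone(parse_answers(BASELINE), parse_answers(HIJACKED)):
        print(f"[{c.severity}] {c.name} {c.rtype}: {c.baseline} -> {c.observed}")
    # Alert on "high" or worse; NS/SOA changes mean the delegation itself moved.
```

Run the observed snapshot from resolvers you do not operate (the attacker may also be poisoning or controlling the ones your monitoring uses), and treat an unchanged NS set as no comfort: in this scenario the delegation never moved.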

    1. Anonymous Coward

      Explaining...

      Unless it was an inside job.

      1. psychonaut
        Coat

        Re: Explaining...

        for ingrowing hairs? an internal brazilian job? that does not sound great

        alright, alright,i'll get my other coat as well

    2. This post has been deleted by its author

  5. Anonymous Coward

    Brazilian

    Looks like they stopped the crims just short of them taking everything.

    1. psychonaut
      Coat

      Re: Brazilian

      yeah, it was a close shave

      alright, i'll get my coat... ----------->>

  6. Martijn Otto

    Yet Another Reason

    Why we should all be using dnssec.

    1. sitta_europea Silver badge

      Re: Yet Another Reason

      I've been banging on about this for years - several times in this medium.

      Nobody is listening, least of all the banks.

      1. returnofthemus

        Re: Yet Another Reason

        Not to bank online

    2. asdf

      Yep

      opkg install unbound

      It's just too bad it seems like most of the tor DNS aren't running DNSSEC if I remember right. But that is more for the vast majority of traffic that isn't banking I suppose. The other problem with DNSSEC for non techies is grandma will sh1t her Sears panties when she gets a 404 error. Probably better than the alternative but the public doesn't much want to troubleshoot DNS problems.

      1. asdf

        Re: Yep

        Which would happen if less than 5% of users are using DNSSEC. 404 errors wouldn't get corrected quickly. Chicken and egg situation.
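Installing unbound, as asdf suggests, only helps if it is actually validating and is not configured to hand back answers that failed. The fragment below is an added example of the relevant unbound.conf settings, not something from the thread; the trust-anchor path is a common packaging default and may differ on your system. Validation also only applies to zones that are signed, and an attacker who has taken over the hosting account of a zone whose keys live at that same host can re-sign whatever they publish, so it is a defence against resolver- and path-level tampering, not a substitute for securing the hosting account.

```conf
# unbound.conf excerpt (added example; path assumed, adjust to your packaging)
server:
    # Root trust anchor, kept current automatically per RFC 5011.
    # Bootstrap once with: unbound-anchor -a /var/lib/unbound/root.key
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Strict validation: an answer from a signed zone that fails to validate
    # is returned as SERVFAIL, not as data. "yes" would log the failure but
    # still return the bogus answer, which defeats the purpose.
    val-permissive-mode: no

    # Log why a validation failed so the "grandma gets an error" case can be
    # diagnosed: level 2 names the failing record and the reason.
    val-log-level: 2

    # Refuse answers from an upstream that stripped the RRSIG records.
    harden-dnssec-stripped: yes
```

Check the result with `unbound-checkconf` and then query a known-bad test name; a validating resolver answers SERVFAIL, while a non-validating one returns the record.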

  7. philmck

    Security headers would have prevented this

    A quick check of https://observatory.mozilla.org/ or one of the related sites it uses would have avoided this. It might be a bit over the top for a simple shopfront site, but for a bank not to do this is downright negligent.

    1. Anonymous Coward

      Re: Security headers would have prevented this

      > but for a bank not to do this is downright negligent.

      in the third world things like planes are allowed to book trips longer than the range of the aircraft so this is probably a lower priority in the scheme of corruption. This is still likely at least partly an inside job probably by someone with connections.

  8. Anonymous Coward
    Terminator

    Kaspersky Lab digs under the covers of the attack

    That's a highly detailed technical analysis of the banking cyber heist. Of course this DNS hijack wouldn't work without the click-and-install malware infiltrating the target desktop computer. Now all I want to know is, what was the name of this Brazilian bank?

    .. malware, Java file, zip archive, JAR file, iframe, DNS provider, credential-stealing module, Microsoft Exchange, Thunderbird ..
