How A Bank Lost Control of its Entire Online Operation

June 12, 2017 mitch tanenbaum Leave a comment

An unnamed but well speculated bank in Brazil (likely Banrisul) had its DNS servers taken over by hackers for a period of about 6 hours one Saturday afternoon last October. Before I explain the impact, let me spend a minute on what DNS is and why it is important.

The Internet works on numbers; humans work with words. If you wanted to visit Google, you could type http://172.217.9174 , but that is kind of hard to remember. It is much easier to type http://google.com . That is role of DNS. From the early days of the Internet, you have been able to type in a word name and DNS translates that to the number that the browser needs to both route the traffic to the right place and also know what that right place is. If that wasn’t bad enough, since we have allocated (but not actually used) all 4 billion or so address combinations, the Internet gurus invented a new addressing strategy called IPv6. In IPv6, there are 340 undecillion addresses (which is a really large number), but in IPv6 language, you would get to Google by going to this address:

http://2607:f8b0:4000:812:;200e

Now try to remember that address!

DNS not only controls addressing for web browsing, but also for email and a lot of other Internet functions, so you can see that if it were compromised or broken, then things would not work very well.

When you register a domain, you tell the registrar where to find the DNS server. If a hacker were to change that, they would control the domain and all servers connected to it.

So here is what happened that nice Saturday afternoon last October.

The attackers took over control of the domain at the registrar, likely by having socially engineered the password, and repointed the web site to an exact clone of the real one that they had created. When people entered their login credentials, they were giving them to the hackers, who could use them to empty the user’s bank account.

Not only that, but the hackers took control over the bank’s email, ATMs and point of sale terminals of the bank’s customers.

For about 6 hours, every way that someone might have to contacting the bank or the bank contacting them was under control of the hackers. The hackers even had look-alike SSL certificates so that HTTPS: would work.

To add insult to injury, when customers visited the bank’s web site, the fake site downloaded malware to the user’s device.

Amazingly, the bank has managed to keep this attack under wraps. I suspect that this did not come without shelling out a lot of dollars. In Brazil businesses may not be required to disclose breaches and might be able to buy silence, say by refunding double the money that a customer lost.

What does this mean for you as a business owner?

Well if an attacker socially engineered a password out of one of your employees and was able to take control of your entire online infrastructure, how would you deal with that?

How would you communicate with your customers? Remember you are trying to do this in a low profile manner, possibly.

How would you recover control of those domains? I was amazed to hear that on a Saturday afternoon in only 6 hours they were able to convince the registrar to give them control back of their account.

Finally, if your registrar supports it, I would strongly recommend enabling two factor authentication, preferably using an authenticator app instead of a text message. This would mean that the attacker would need more than your password to effect the attack.

While this might be done for money, it also might be done for spite. What if the attacker’s fake web site had content on it that put the company in a bad light. Or maybe compromising pictures. The possibilities are endless.

While taking over your DNS may be relatively simple, the consequences may be far reaching.

Information for this post came from Wired.