Hack Against ISP Hijacks Bank, Google Adsense

Hackers hijacked a major Brazilian ISP this month in a sophisticated attack that silently served up malicious software and phishing scams to more than a million customers.

According to Brazilian news outlet Globo.com, unknown attackers hijacked the domain name system (DNS) records for NET Virtua, a broadband provider that serves at least 1.4 million customers in the region.

NET Virtua's DNS records reportedly were hijacked on April 11, so that customers who visited any site that ran Google Adsense content were redirected to a site that tried to install and run a Java applet that in turn installed a Trojan horse program.

Globo.com said the attackers also took aim at Bradesco, one of Brazil's largest financial institutions. NET Virtua customers who tried to visit Bradesco.com.br during the four hours the DNS records were hijacked were redirected to a counterfeit version of the site designed to steal customer credentials, the story notes.

Giovana Battiferro, a spokesperson for NET, said in a statement e-mailed to Security Fix that the company "did all the necessary technical tests and didn't find any occurrence" of a DNS hijacking. The Globo.com story, meanwhile, cites a NET ombudsman as acknowledging that at least 1 percent of its customer base was affected.

Ronaldo Castro de Vasconcellos, who helps maintain Securityguys.com.br, a mailing list of Brazilian penetration testers and other security professionals, told Security Fix that lookups he conducted while the attack was underway show that visitors to Bradesco's bank were redirected to a Web site in South Korea.

DNS is akin to the White Pages for the Internet, mapping domain names, like example.com, to numeric Internet addresses. Just as people typically move to a new home every so often, Web sites sometimes change their numeric address. DNS is what helps your Web browser find a site like example.com no matter how many times example.com changes its numeric address.

DNS-based attacks can be devastating because they undermine everything we take for granted about Web browsing. Late last year, attackers hijacked the DNS records of Checkfree.com, the largest online bill-paying service, redirecting would-be visitors to a site in Ukraine that served up malicious software.

Also, changes to DNS records take time to propagate out across the Internet, so poisoned DNS records can remain cached at various locations around the Web for up to 48 hours after the affected entity has been fixed.

An excellent, free service that can help protect against these attacks -- no matter which network you happen to be on -- is OpenDNS. It will not prevent all types of DNS hijacking attacks, such as the Checkfree.com attack (where the company's DNS records were altered at the domain registrar level). But in my opinion, it's far safer than accepting whatever DNS records the network you happen to be on decides to hand to you.
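One way to act on that advice is to ask more than one resolver the same question and compare the answers. The following script is an added example, not code from the Security Fix post: it builds a raw A-record query, parses the response, and flags disagreement between the resolver your network handed you and an independent one. The resolver addresses passed on the command line are assumptions to be verified; only `query()` touches the network, the rest runs offline.

```python
import socket
import struct
import sys

def build_query(name, txid=0x1234):
    """Encode one A-record query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length

def parse_a_records(msg):
    """Return the IPv4 addresses found in the answer section of a response."""
    _, _, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:  # A record in IN class
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def query(server, name, timeout=3.0):
    """Send the query over UDP to `server` and return the A records it answers with."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(512))

def resolvers_agree(answers):
    return len({frozenset(a) for a in answers.values()}) <= 1  # same address set everywhere

if __name__ == "__main__":  # usage: check.py bradesco.com.br <isp-resolver-ip> <independent-resolver-ip>
    results = {srv: query(srv, sys.argv[1]) for srv in sys.argv[2:]}
    print(results, "agree" if resolvers_agree(results) else "DIFFER: investigate")
```

Disagreement is a signal to investigate rather than proof of a hijack, since sites served through content-delivery networks legitimately return different addresses to different resolvers; an answer whose address sits in an unexpected country, as in the Bradesco case, is the kind of difference worth chasing.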

If you have questions about this DNS attack, or any other tech or security matter, join me today at 11 a.m. for a live Web chat.

By Brian Krebs  |  April 24, 2009; 7:33 AM ET
Categories:  Latest Warnings , Safety Tips  | Tags: NET Virtua, bradesco, dns hijack, opendns  

Comments

One of our customers believes he encountered this. We asked him to describe his experience at the link below. Not sure if he has/will, though.

http://download.cnet.com/AppGuard/3000-2239_4-10912598.html

Posted by: eiverson1 | April 24, 2009 12:23 PM

This has to be one of the most elaborate hijacks yet. What do we do? Go back to using numeric addresses again? The banks have to wake up to this threat and so does everyone else with a website.

On a positive note, could this be the beginning of the end for phishing scams? Most of them are easy to spot, but there have obviously been enough people responding for them to be worthwhile. Maybe the hackers are seeing diminishing returns from their traditional methods and are moving on to increasingly elaborate schemes?

Posted by: datadefender | April 24, 2009 7:16 PM

"What do we do?"

I have made a secure resolver for windows that protects you against DNS cache poisoning.

See

http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/

Brian: maybe you would like to do a piece on this? Mostly the DNS industry is wringing its hands and hoping DNSSEC will be deployed (which will take many, many years); I decided to do something practical.

Posted by: geebee2 | April 30, 2009 11:37 AM


© 2010 The Washington Post Company