Security experts at RSA reported that DNS poisoning attacks are being used by cybercriminals to target Brazilian Boletos.
What is Boleto?
People in Brazil use a popular payment method known as "Boleto" to purchase services and products with vouchers instead of credit cards. This payment method allows people to pay online, at ATMs, banks, post offices, and even in some general stores.
Boleto fraud is a common phenomenon in Brazil. In July 2014, RSA reported that cybercriminals had compromised approximately 500,000 Boleto transactions over a two-year period using malware known as Bolware. The estimated value of the transactions was close to $3.75 billion. Curiously, in 2012 the Brazilian banking association FEBRABAN had provided a more optimistic estimate of financial fraud losses, reporting only $700 million.
The Boleto malware implemented the man-in-the-browser technique to exploit vulnerabilities in popular browsers, including Chrome, Firefox and Internet Explorer running on Windows machines.
The malware used in the fraudulent transactions is able to hijack Boleto payments to a series of accounts managed by the crooks and used as money mule accounts.
In addition to malware, cybercriminals have started using DNS cache poisoning in their operations. According to RSA, attackers now target the DNS servers of Internet service providers and modify the DNS entries for certain bank websites, so that victims are sent to the attackers' systems while the IP addresses of those systems remain hidden.
Meanwhile, the payment details on the new Boleto are redirected to the attacker's account without the victim noticing.
The attack relies mainly on DNS cache poisoning: the attacker sends a DNS request for the targeted domain to the DNS server, which in turn queries the root name server for the entry. While that lookup is in progress, the attacker floods the DNS server with fake responses for the targeted domain, so that the legitimate response from the root server arrives too late and is ignored. The poisoned entry remains in the cache for hours, or even days, and during that time users who try to reach the targeted bank's website are directed to the fake server instead.
According to RSA, the three known attack vectors affecting the DNS server are:
RSA also provided a few countermeasures that can prevent users from becoming victims of Boleto scams. To mitigate this type of attack, it suggests deploying DNSSEC (the DNS Security Extensions), maximizing the randomness of the source port numbers used by the server, disabling open recursive name servers, using HTTPS for data transmission, and upgrading modems promptly.
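The poisoning race described above and the port-randomization countermeasure listed here can be seen side by side in a small resolver model. This is an added example, not code from RSA or from the original article; the transaction IDs, ports, names and addresses are constructed, and it simplifies a real resolver to the checks that decide whether a reply is cached.

```python
"""Checks a caching resolver applies before trusting a DNS reply (constructed
model; every name, port and address below is made up for illustration)."""
from __future__ import annotations
from dataclasses import dataclass

TXID_SPACE = 2 ** 16            # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65535 - 1024  # usable UDP source ports when randomized

@dataclass(frozen=True)
class Query:
    txid: int      # transaction ID chosen by the resolver
    src_port: int  # UDP source port the resolver sent from
    qname: str     # question name, e.g. the bank's hostname

@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int
    qname: str
    rdata: str     # A record carried in the answer section

def reply_matches(pending: Query, reply: Reply) -> bool:
    """RFC 5452 checks: txid, destination port and question name must all
    match an outstanding query, otherwise the reply is dropped, not cached."""
    return (reply.txid == pending.txid
            and reply.dst_port == pending.src_port
            and reply.qname.lower() == pending.qname.lower())

def first_accepted(pending: Query, replies: list[Reply]) -> Reply | None:
    """The first matching reply wins the race; a later legitimate one is ignored."""
    return next((r for r in replies if reply_matches(pending, r)), None)

def blind_spoof_probability(port_randomized: bool) -> float:
    """Chance that one blindly forged reply matches the outstanding query.
    Without port randomization only the 16-bit txid has to be guessed."""
    return 1 / (TXID_SPACE * (EPHEMERAL_PORTS if port_randomized else 1))

class ResolverCache:
    """An accepted answer is served until its TTL expires, which is why one
    poisoned entry keeps redirecting users for hours or days."""
    def __init__(self) -> None:
        self._entries: dict[str, tuple[str, float]] = {}

    def put(self, qname: str, rdata: str, ttl: int, now: float) -> None:
        self._entries[qname.lower()] = (rdata, now + ttl)

    def get(self, qname: str, now: float) -> str | None:
        entry = self._entries.get(qname.lower())
        return entry[0] if entry and now < entry[1] else None
```

Comparing `blind_spoof_probability(False)` with `blind_spoof_probability(True)` shows why randomized source ports turn a 1-in-65,536 guess into a far less practical one, and `ResolverCache` shows why a single accepted forgery persists for the whole TTL.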
Institute: Indian Institute of Information Technology, Allahabad
Email: email@example.com
EDITED by Pierluigi Paganini
(Security Affairs – RSA, Boleto)