Security Experts:

Connect with us

Hi, what are you looking for?



BGP Hijacking Attacks Target US Payment Processors

Several payment processing companies in the United States were targeted recently in BGP hijacking attacks whose goal was to redirect users to malicious websites, Oracle reported last week.

Several payment processing companies in the United States were targeted recently in BGP hijacking attacks whose goal was to redirect users to malicious websites, Oracle reported last week.

The Border Gateway Protocol (BGP) controls the route of data across the Web. BGP hijacking, also known as prefix or route hijacking, is carried out by taking over IP address groups by corrupting the routing tables that store the path to a network.

In the past months, Oracle, which gained deep visibility into Web traffic after acquiring Dyn in 2016, has observed several instances of malicious actors trying to force users to their websites by targeting authoritative DNS servers in BGP hijacking attacks.

The attackers used rogue DNS servers to return forged DNS responses to users trying to access a certain website. They maximized the duration of an attack with long time-to-live (TTL) values in those forged responses so that DNS servers would hold the fake DNS entries in their cache for an extended period.

“[The] perpetrators showed attention to detail, setting the TTL of the forged response to ~5 days. The normal TTL for the targeted domains was 10 minutes (600 seconds). By configuring a very long TTL, the forged record could persist in the DNS caching layer for an extended period of time, long after the BGP hijack had stopped,” explained Doug Madory, Director of Internet Analysis at Oracle’s Internet Intelligence team.

Oracle spotted the first BGP hijacking attempt on July 6, when an Indonesian ISP announced some prefixes associated with Vantiv, a brand owned by US-based payment processing company Worldpay.

The same prefixes were also announced on July 10 by a Malaysian ISP. At the same time, someone hijacked domains associated with Datawire, which is described as a “connectivity service that transports financial transactions securely and reliably over the public Internet to payment processing systems.”

On July 11, someone started hijacking prefixes associated with Mercury Payment Systems, which is also owned by Worldpay. The previously targeted prefixes were then once again hijacked on July 12.

While the initial BGP attacks did not have a significant impact, the last hijacks, which involved Vantiv domains, lasted for nearly three hours, Oracle reported.

A similar attack was seen by the company in April, when cybercriminals attempted to conduct a BGP hijack of Amazon’s authoritative DNS service in an effort to redirect users of a cryptocurrency wallet to a fake website set up to steal their money. Evidence suggests that the recent attacks are linked to the ones from April.

Related: NIST Readies to Tackle Internet’s Global BGP Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...