BGP Hijacking Attacks Target US Payment Processors

Several payment processing companies in the United States were targeted recently in BGP hijacking attacks whose goal was to redirect users to malicious websites, Oracle reported last week.

The Border Gateway Protocol (BGP) controls the route of data across the Web. BGP hijacking, also known as prefix or route hijacking, is carried out by taking over IP address groups by corrupting the routing tables that store the path to a network.

In the past months, Oracle, which gained deep visibility into Web traffic after acquiring Dyn in 2016, has observed several instances of malicious actors trying to force users to their websites by targeting authoritative DNS servers in BGP hijacking attacks.

The attackers used rogue DNS servers to return forged DNS responses to users trying to access a certain website. They maximized the duration of an attack with long time-to-live (TTL) values in those forged responses so that DNS servers would hold the fake DNS entries in their cache for an extended period.

“[The] perpetrators showed attention to detail, setting the TTL of the forged response to ~5 days. The normal TTL for the targeted domains was 10 minutes (600 seconds). By configuring a very long TTL, the forged record could persist in the DNS caching layer for an extended period of time, long after the BGP hijack had stopped,” explained Doug Madory, Director of Internet Analysis at Oracle’s Internet Intelligence team.

Oracle spotted the first BGP hijacking attempt on July 6, when an Indonesian ISP announced some prefixes associated with Vantiv, a brand owned by US-based payment processing company Worldpay.

The same prefixes were also announced on July 10 by a Malaysian ISP. At the same time, someone hijacked domains associated with Datawire, which is described as a “connectivity service that transports financial transactions securely and reliably over the public Internet to payment processing systems.”

On July 11, someone started hijacking prefixes associated with Mercury Payment Systems, which is also owned by Worldpay. The previously targeted prefixes were then once again hijacked on July 12.

While the initial BGP attacks did not have a significant impact, the last hijacks, which involved Vantiv domains, lasted for nearly three hours, Oracle reported.

A similar attack was seen by the company in April, when cybercriminals attempted to conduct a BGP hijack of Amazon’s authoritative DNS service in an effort to redirect users of a cryptocurrency wallet to a fake website set up to steal their money. Evidence suggests that the recent attacks are linked to the ones from April.

Related: NIST Readies to Tackle Internet’s Global BGP Vulnerabilities