Cybercriminals Use DNS Poisoning in Brazilian Boleto Fraud Scheme

In recent months, cybercriminals have started relying on DNS poisoning to target Brazilian Boletos, RSA reported on Monday.

Boleto is a popular payment method that allows people in Brazil to purchase services and products by using vouchers instead of credit cards. Boletos can be paid online, at ATMs, banks, post offices, and even in some supermarkets.

Boleto fraud is a widespread phenomenon in Brazil. In July 2014, RSA reported that cybercriminals had used a specialized malware, dubbed Bolware, to compromise close to 500,000 Boleto transactions over a two-year period. The value of the transactions was estimated at roughly $3.75 billion.

Now, in addition to malware, cybercrooks have started leveraging DNS cache poisoning in their operations. The attackers target the DNS servers of Internet service providers (ISPs) and change the DNS entries for certain bank websites so that their IP addresses are resolved to a rogue server, RSA said.

When one of the ISP’s customers visits the targeted bank’s website, the attackers are able to inject malicious JavaScript into the webpage. The cybercriminals can manipulate the page and even alter the user’s actions in the account.

When a Boleto expires, it can only be paid at the issuing bank, and that is when the cybercrooks make their move. After the expired Boleto’s number is entered on the bank’s website, the JavaScript injected by the attackers manipulates the server’s response and presents the victim with a fake Boleto. The payment details on this new Boleto direct the funds to the fraudster’s account, without the victim realizing what has happened.

The DNS cache poisoning process, which is an important part of this attack, begins with a DNS request made by the attacker for the targeted domain. The DNS server asks the root name server for the entry. The attacker then floods the DNS server with forged responses for the targeted domain; if one of them is accepted before the genuine answer arrives, the legitimate response from the root server is ignored. The poisoned entry remains in the cache for hours or even days, ensuring that users who access the targeted bank’s website are directed to the fake server.

According to RSA, these types of attacks can be prevented by adopting DNSSEC (the DNS Security Extensions), maximizing the randomness of the source port numbers used by the server, disabling open recursive name servers, using HTTPS for data transmission, and upgrading modems that could be plagued by vulnerabilities.
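The following is an added example, not code from the SecurityWeek article or from RSA’s report. It models, in simplified form, the check a caching resolver applies before accepting a UDP reply (the outstanding query’s transaction ID, source port and upstream address must all match) and contrasts a resolver that uses a fixed port and sequential IDs with one that randomizes both. All names, addresses, ports and TTLs are constructed for the illustration. It shows why RSA’s "maximize port randomness" advice matters: the acceptance logic is identical in both modes, so the only thing protecting the cache is how hard the matching fields are to guess, and a cached forged entry outlives the genuine answer that arrives too late.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Query:
    qname: str
    txid: int        # 16-bit transaction ID placed in the request
    src_port: int    # UDP source port the request left from
    upstream: str    # address of the server the resolver asked


@dataclass(frozen=True)
class Reply:
    qname: str
    txid: int        # transaction ID echoed back by the sender
    dst_port: int    # UDP port the reply is addressed to
    sender: str      # claimed source address (spoofable on UDP, so not enough alone)
    answer: str      # address the reply asserts for qname
    ttl: int         # seconds the answer may stay in the cache


class Resolver:
    """Toy caching resolver that keeps one outstanding query per name."""

    def __init__(self, upstream: str, hardened: bool) -> None:
        self.upstream = upstream
        self.hardened = hardened
        self._next_txid = 0                        # weak mode: predictable IDs
        self.pending: Dict[str, Query] = {}
        self.cache: Dict[str, Tuple[str, float]] = {}

    def send_query(self, qname: str) -> Query:
        if self.hardened:
            txid = secrets.randbelow(1 << 16)            # 16 bits of entropy
            port = 1024 + secrets.randbelow(65536 - 1024)  # random high source port
        else:
            txid = self._next_txid & 0xFFFF              # 0, 1, 2, ... easily guessed
            self._next_txid += 1
            port = 53                                    # fixed source port
        q = Query(qname, txid, port, self.upstream)
        self.pending[qname] = q
        return q

    def accept(self, reply: Reply, now: float) -> bool:
        """Cache the reply only if it matches the outstanding query on every field."""
        q = self.pending.get(reply.qname)
        if q is None:
            return False                                 # unsolicited or late: dropped
        if (reply.sender != q.upstream or reply.txid != q.txid
                or reply.dst_port != q.src_port):
            return False
        self.cache[reply.qname] = (reply.answer, now + reply.ttl)
        del self.pending[reply.qname]                    # first match wins; later replies are ignored
        return True

    def lookup(self, qname: str, now: float) -> Optional[str]:
        entry = self.cache.get(qname)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]


def run_scenario(hardened: bool) -> dict:
    """One query, one forged reply built from the guessable defaults, then the genuine reply."""
    now = 1_700_000_000.0                     # fixed clock for reproducibility (constructed)
    r = Resolver(upstream="198.51.100.53", hardened=hardened)
    q = r.send_query("bank.example")
    # Forged reply: guesses txid 0 and port 53 and spoofs the upstream as sender (constructed).
    forged = Reply("bank.example", txid=0, dst_port=53, sender="198.51.100.53",
                   answer="203.0.113.66", ttl=86_400)
    forged_accepted = r.accept(forged, now)
    # Genuine reply arrives afterwards with the fields the resolver actually used.
    legit = Reply(q.qname, q.txid, q.src_port, q.upstream, answer="192.0.2.10", ttl=300)
    legit_accepted = r.accept(legit, now)
    return {
        "forged_accepted": forged_accepted,
        "legit_accepted": legit_accepted,
        "resolves_to": r.lookup("bank.example", now),
        "cached_12h_later": r.lookup("bank.example", now + 12 * 3600),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "weak", run_scenario(mode))
```

In weak mode the forged reply is accepted, the genuine one is then discarded because nothing is outstanding, and the bogus address is still served twelve hours later. In hardened mode the forged reply fails the port check (the resolver never sends from port 53) and would also have to hit a random 16-bit ID, so the genuine answer is cached with its short TTL instead. Real resolvers add further checks this model omits (the question section must match and answers outside the queried zone are discarded), but none of them is cryptographic; only DNSSEC validation, the first item on RSA’s list, lets the resolver verify the answer itself rather than the envelope it arrived in.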

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.