In recent months, cybercriminals have started relying on DNS poisoning to target Brazilian Boletos, RSA reported on Monday.
Boleto is a popular payment method that allows people in Brazil to purchase services and products by using vouchers instead of credit cards. Boletos can be paid online, at ATMs, banks, post offices, and even in some supermarkets.
Boleto fraud is a widespread phenomenon in Brazil. In July 2014, RSA reported that cybercriminals had used a specialized malware, dubbed Bolware, to compromise close to 500,000 Boleto transactions over a two-year period. The value of the transactions was estimated at roughly $3.75 billion.
Now, in addition to malware, cybercrooks have started leveraging DNS cache poisoning in their operations. The attackers target the DNS servers of Internet service providers (ISPs) and change the DNS entries for certain bank websites so that their IP addresses are resolved to a rogue server, RSA said.
The DNS cache poisoning process, which is an important part of this attack, begins with a DNS request made by the attacker for the targeted domain. The DNS server asks the root name server for the entry. Before the legitimate answer arrives, the attacker floods the DNS server with forged responses for the targeted domain; a forged response that matches the outstanding query is accepted and cached first, so the legitimate response from the root server is ignored. The poisoned entry remains in cache for hours and even days, ensuring that users who access the targeted bank’s website are directed to the fake server.
According to RSA, these types of attacks can be prevented by adopting DNSSEC (the DNS Security Extensions), randomizing the source ports the resolver uses for its queries, disabling open recursive name servers, using HTTPS for data transmission, and upgrading modems that could be plagued by vulnerabilities.
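The matching step that decides whether a resolver accepts a reply, and why the source-port randomization RSA recommends matters, can be shown with a small model of a caching resolver. The code below is an added example written for this article; it is not RSA's or any DNS vendor's code. The resolver class, the 16-bit transaction-id space, the assumed ephemeral port range 1024-65535, the sample domain and the 192.0.2.x / 198.51.100.x addresses are all constructed for illustration. A reply is accepted only if its transaction id and destination port match an outstanding query; with a fixed source port an attacker's blind guess only has to hit the 16-bit id, with randomized ports it also has to hit the port, and every mismatched reply is counted so a flood of them is visible to the operator.

```python
import random
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed model of a caching resolver (not a real DNS implementation).
TXID_SPACE = 1 << 16                   # DNS transaction id is 16 bits
EPHEMERAL_PORTS = range(1024, 65536)   # assumed query source-port range (64512 ports)


@dataclass
class Outstanding:
    """A query the resolver has sent upstream and is still waiting on."""
    qname: str
    txid: int
    sport: int


@dataclass
class CacheEntry:
    ip: str
    expires: float


class Resolver:
    def __init__(self, randomize_port: bool, fixed_port: int = 53,
                 now: Callable[[], float] = time.time) -> None:
        self.randomize_port = randomize_port
        self.fixed_port = fixed_port
        self.now = now                      # injectable clock, for deterministic tests
        self.pending: Dict[str, Outstanding] = {}
        self.cache: Dict[str, CacheEntry] = {}
        self.mismatched_replies = 0         # replies that matched no outstanding query

    def send_query(self, qname: str) -> Outstanding:
        """Record the query as outstanding with a random txid and a source port."""
        sport = random.choice(EPHEMERAL_PORTS) if self.randomize_port else self.fixed_port
        q = Outstanding(qname, random.randrange(TXID_SPACE), sport)
        self.pending[qname] = q
        return q

    def on_response(self, qname: str, txid: int, dport: int, ip: str, ttl: int) -> bool:
        """Accept a reply only if txid and port match the outstanding query for qname."""
        q = self.pending.get(qname)
        if q is None or q.txid != txid or q.sport != dport:
            self.mismatched_replies += 1    # a burst of these is the flood the article describes
            return False
        # First matching reply wins and is cached for its full TTL; later ones are dropped.
        del self.pending[qname]
        self.cache[qname] = CacheEntry(ip, self.now() + ttl)
        return True

    def lookup(self, qname: str) -> Optional[str]:
        """Return the cached address for qname, or None if absent or expired."""
        e = self.cache.get(qname)
        if e is None or e.expires <= self.now():
            self.cache.pop(qname, None)
            return None
        return e.ip


def spoof_acceptance_probability(randomize_port: bool) -> float:
    """Chance that a single blindly guessed reply matches the outstanding query."""
    guesses = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)
    return 1.0 / guesses


if __name__ == "__main__":
    r = Resolver(randomize_port=True)
    q = r.send_query("bank.example")
    # A reply with the wrong transaction id is discarded and counted.
    print(r.on_response("bank.example", (q.txid + 1) % TXID_SPACE, q.sport, "198.51.100.9", 86400))
    # The genuine reply matches and is cached.
    print(r.on_response("bank.example", q.txid, q.sport, "192.0.2.1", 3600))
    print(r.lookup("bank.example"), r.mismatched_replies)
    print("fixed port:", spoof_acceptance_probability(False))
    print("random port:", spoof_acceptance_probability(True))
```

The injectable clock lets the cache expiry be checked without waiting out a real TTL, and `mismatched_replies` is the counter a resolver operator would watch: a legitimate upstream never produces large numbers of replies that match no outstanding query.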