
SecurityWeek

Fraud & Identity Theft

Cybercriminals Use DNS Poisoning in Brazilian Boleto Fraud Scheme

In recent months, cybercriminals have started relying on DNS poisoning to target Brazilian Boletos, RSA reported on Monday.

Boleto is a popular payment method that allows people in Brazil to purchase services and products by using vouchers instead of credit cards. Boletos can be paid online, at ATMs, banks, post offices, and even in some supermarkets.

Boleto fraud is a widespread phenomenon in Brazil. In July 2014, RSA reported that cybercriminals had used a specialized malware, dubbed Bolware, to compromise close to 500,000 Boleto transactions over a two-year period. The value of the transactions was estimated at roughly $3.75 billion.

Now, in addition to malware, cybercrooks have started leveraging DNS cache poisoning in their operations. The attackers target the DNS servers of Internet service providers (ISPs) and change the DNS entries for certain bank websites so that their IP addresses are resolved to a rogue server, RSA said.

When one of the ISP’s customers visits the targeted bank’s website, the attackers are able to inject malicious JavaScript into the webpage. The cybercriminals can manipulate the page and even alter the user’s actions in the account.

When a Boleto expires, it can only be paid at the issuer bank, and that is when the cybercrooks make their move. After the expired Boleto’s number is entered on the bank’s website, the JavaScript injected by the attackers manipulates the server’s response and presents the victim with a fake Boleto. The payment details on the new Boleto direct the money to the fraudster’s account without the victim realizing what has happened.

The DNS cache poisoning process, which is an important part of this attack, begins with a DNS request made by the attacker for the targeted domain. The DNS server asks the root name server for the entry. However, the attacker floods the DNS server with fake responses for the targeted domain, so the legitimate response from the root server, arriving later, is ignored. The poisoned entry remains in the cache for hours or even days, ensuring that users who access the targeted bank’s website are directed to the fake server.

According to RSA, these types of attacks can be prevented by adopting the DNSSEC secure DNS extensions, maximizing the randomness of source port numbers on the server, disabling open recursive name servers, using HTTPS for data transmission, and upgrading modems that could be plagued by vulnerabilities.
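The two effects of the poisoning described above are observable from the resolver side: a monitored bank name suddenly resolves to an address outside the bank’s known address space, and the injected entry carries a TTL far longer than the authoritative server normally serves, so it survives in the cache for hours or days. The following script is an added example, not code from RSA or from the article, that runs that check over constructed resolver log lines. The log format, the domain `ebanking.bank.example`, its address allow-list `192.0.2.0/24`, the baseline TTL of 300 seconds and the `TTL_FACTOR` threshold are all assumptions; a real deployment would feed it the ISP resolver’s query log and the bank’s published prefixes.

```python
"""Flag resolver answers for monitored bank domains that point outside
the bank's known address space or carry an abnormally long TTL.

Added example; the log format, names and addresses are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: known address space of the monitored bank domain.
MONITORED = {
    "ebanking.bank.example": [ipaddress.ip_network("192.0.2.0/24")],
}
# Assumption: TTL the authoritative server normally serves for that name.
BASELINE_TTL = {"ebanking.bank.example": 300}
# Flag an answer whose TTL exceeds the baseline by this factor.
TTL_FACTOR = 10

# Constructed log format:
#   <timestamp> client=<ip> q=<name> type=A a=<ip> ttl=<seconds>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<name>\S+) type=A "
    r"a=(?P<answer>\S+) ttl=(?P<ttl>\d+)$"
)


@dataclass
class Finding:
    ts: str
    name: str
    answer: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ttl"] = int(rec["ttl"])
    return rec


def check_record(rec):
    """Return the reasons this answer looks poisoned (empty list if clean).

    Names that are not monitored are ignored rather than judged."""
    name = rec["name"].rstrip(".").lower()
    if name not in MONITORED:
        return []
    try:
        addr = ipaddress.ip_address(rec["answer"])
    except ValueError:
        return ["unparseable answer address"]
    reasons = []
    if not any(addr in net for net in MONITORED[name]):
        reasons.append(f"answer {addr} is outside the known prefixes")
    if rec["ttl"] > BASELINE_TTL[name] * TTL_FACTOR:
        reasons.append(f"ttl {rec['ttl']} exceeds baseline {BASELINE_TTL[name]}")
    return reasons


def scan(lines):
    """Run check_record over every parseable line; skip malformed ones."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in check_record(rec):
            findings.append(Finding(rec["ts"], rec["name"], rec["answer"], reason))
    return findings


# Constructed sample log: one clean answer, one unmonitored name,
# one poisoned answer (wrong prefix and day-long TTL), one malformed line.
SAMPLE_LOG = [
    "2015-07-20T09:58:01Z client=10.0.0.5 q=ebanking.bank.example type=A a=192.0.2.10 ttl=300",
    "2015-07-20T09:59:44Z client=10.0.0.7 q=www.example.net type=A a=203.0.113.7 ttl=3600",
    "2015-07-20T10:02:17Z client=10.0.0.9 q=ebanking.bank.example type=A a=198.51.100.23 ttl=86400",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.name} -> {f.answer}: {f.reason}")
```

The prefix allow-list has to be maintained as the bank changes hosting, which is why it is a detection aid rather than a fix; the durable fix remains the list above, in particular DNSSEC validation on the resolver, which rejects a forged answer regardless of where it points.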

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
