Cybercriminals Use DNS Poisoning in Brazilian Boleto Fraud Scheme

In recent months, cybercriminals have started relying on DNS poisoning to target Brazilian Boletos, RSA reported on Monday.

Boleto is a popular payment method that allows people in Brazil to purchase services and products by using vouchers instead of credit cards. Boletos can be paid online, at ATMs, banks, post offices, and even in some supermarkets.

Boleto fraud is a widespread phenomenon in Brazil. In July 2014, RSA reported that cybercriminals had used a specialized malware, dubbed Bolware, to compromise close to 500,000 Boleto transactions over a two-year period. The value of the transactions was estimated at roughly $3.75 billion.

Now, in addition to malware, cybercrooks have started leveraging DNS cache poisoning in their operations. The attackers target the DNS servers of Internet service providers (ISPs) and change the DNS entries for certain bank websites so that their IP addresses are resolved to a rogue server, RSA said.

When one of the ISP’s customers visits the targeted bank’s website, the attackers are able to inject malicious JavaScript into the webpage. The cybercriminals can manipulate the page and even alter the user’s actions in the account.

When a Boleto expires, it can only be paid at the issuing bank, and that is when the cybercrooks make their move. After the expired Boleto’s number is entered on the bank’s website, the JavaScript injected by the attackers manipulates the server’s response and presents the victim with a fake Boleto. The payment details on the new Boleto direct the money to the fraudster’s account without the victim realizing what has happened.

The DNS cache poisoning process, which is an important part of this attack, begins with a DNS request made by the attacker for the targeted domain. The DNS server asks the root name server for the entry. However, the attacker floods the DNS server with fake responses for the targeted domain, so the legitimate response from the root server is ignored. The poisoned entry remains in the cache for hours or even days, ensuring that users who access the targeted bank’s website are directed to the fake server.

According to RSA, these types of attacks can be prevented by adopting the DNSSEC security extensions, maximizing the randomness of source port numbers on the server, disabling open recursive name servers, using HTTPS for data transmission, and upgrading modems that could be plagued by vulnerabilities.
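To make the flood-and-race described above and the port-randomization advice concrete, here is an added example (not RSA's or SecurityWeek's code) of the resolver-side check that decides whether a reply is accepted into the cache: the reply must match the outstanding query's transaction ID, destination port and question section. All packets are constructed in-process; the domain, ports and addresses are made-up values, and the probability function shows how many forged replies that check can withstand with and without source port randomization.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Outstanding:
    """A query the resolver has sent and is still waiting on."""
    txid: int       # 16-bit transaction ID chosen by the resolver
    src_port: int   # UDP source port the query left from
    qname: str
    qtype: int      # 1 = A record

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_reply(txid: int, qname: str, qtype: int, ip: str) -> bytes:
    """Construct a minimal DNS answer (one question, one A record)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    # 0xc00c is a compression pointer back to the name in the question
    rr = b"\xc0\x0c" + struct.pack(">HHIH", qtype, 1, 300, 4)
    return header + question + rr + bytes(int(o) for o in ip.split("."))

def parse_question(packet: bytes):
    """Return (txid, qname, qtype) from a DNS message."""
    txid = struct.unpack(">H", packet[:2])[0]
    labels, pos = [], 12
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += n + 1
    qtype = struct.unpack(">H", packet[pos + 1:pos + 3])[0]
    return txid, ".".join(labels), qtype

def accept_reply(pending: Outstanding, packet: bytes, dst_port: int) -> bool:
    """Accept a reply only if it matches the outstanding query on every field."""
    txid, qname, qtype = parse_question(packet)
    return (txid == pending.txid and dst_port == pending.src_port
            and qname.lower() == pending.qname.lower() and qtype == pending.qtype)

def forgery_success_probability(forged: int, txid_bits: int = 16, port_bits: int = 0) -> float:
    """Chance that at least one of `forged` random replies passes the check."""
    space = 2 ** (txid_bits + port_bits)
    return 1 - (1 - 1 / space) ** forged
```

With a fixed source port, 65,536 forged replies have roughly a 63% chance of one being accepted; with 16 bits of port randomness added, the same flood succeeds about 0.0015% of the time, which is why the randomization advice matters.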

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
