
Exploiting DNS Poisoning in Brazilian Boleto Fraud Scheme

In recent months, Brazilian criminal crews have started using a DNS poisoning technique to target Brazilian Boletos.

Security experts at RSA reported that DNS poisoning attacks are being used by cybercriminals to target Brazilian Boletos.

What is Boleto?

People in Brazil use a popular payment method known as “Boleto” to purchase services and products with vouchers instead of credit cards. The method allows people to pay online, at ATMs, banks, post offices, and even in some general stores.
Boleto fraud is a common phenomenon in Brazil. In July 2014, RSA reported that cybercriminals had compromised approximately 500,000 Boleto transactions over a two-year period using malware known as Bolware. The estimated value of the transactions was close to $3.75 billion. Curiously, in 2012 the Brazilian banking association FEBRABAN had provided a more optimistic estimate of financial fraud losses, reporting only $700 million.

The Boleto malware implemented the man-in-the-browser technique to exploit vulnerabilities in popular browsers, including Chrome, Firefox and Internet Explorer running on Windows machines.

The malware used in the fraudulent transactions is able to hijack Boleto payments to a series of accounts managed by the crooks and used as money mule accounts.
In addition to malware, cybercriminals have started performing DNS cache poisoning in their operations. RSA noted that attackers are now targeting the DNS servers of Internet service providers in order to modify the DNS entries for certain bank websites, so that the IP addresses of their own systems remain hidden from the victims.

“A new approach to the Boleto fraud has emerged in recent months; the fraudsters were able to use a known technique to poison a DNS entry used by a bank website and redirect the IP address resolution to the fraudster’s HTTP server. This method enables the fraudster to host a fake/substitute JavaScript instead of the original file hosted on the legitimate bank website. The substitute JavaScript controlled by the fraudster can alter the behavior of the target webpage, without the bank customers being aware of the manipulation. The substituted JavaScript file can install any handle on any page in the legitimate website that uses it, and can even perform advanced attacks using existing frameworks,” states a blog post issued by RSA.

Because the browser fetches the script from the attacker-controlled host, the malicious JavaScript is executed in the bank page whenever a user visits the bank website. The cybercriminals can go as far as defacing the page and altering the actions a legitimate user performs in the account.
Cybercriminals monitor the bank website for expired Boletos, because an expired Boleto can be paid only at the issuing bank. When the expired Boleto’s number is entered on the bank’s website, the injected JavaScript lets the attackers modify the server’s response and present the victim with a fake Boleto.

The payment for the new Boleto is then directed to the attacker’s account, without the victim noticing anything.
The attack relies on DNS cache poisoning. The attacker sends the ISP’s recursive DNS server a request for the targeted bank domain; the server, not having the entry cached, queries the authoritative name servers for it. While that query is outstanding, the attacker floods the recursive server with forged responses for the domain, so that a forged answer is accepted before the legitimate one arrives and the genuine response is discarded. The poisoned entry remains in the cache for hours or even days, and every user who resolves the bank’s website through that server is directed to the fake server.

According to RSA, the three known attack vectors affecting the DNS server are:

  1. Bad management of the root password – if the root password of the server isn’t strong enough, it’s only a matter of time before someone cracks it using techniques such as a ‘dictionary attack’[1].
  2. Vulnerable server – the server is running outdated and vulnerable software that can be compromised using exploit code that is publicly available on the internet.
  3. DNS cache poisoning – a known technique in which the attacker changes a DNS entry temporarily (the poisoned entry may last days before expiring) by means of a specifically crafted request.

RSA also provided a few countermeasures that can keep users from becoming victims of Boleto scams. To mitigate this type of attack, it suggests deploying DNSSEC (the secure DNS extensions, which let a validating resolver reject forged answers), maximizing the randomness of the source ports the resolver uses for outgoing queries (so a forged response has to guess the port as well as the transaction ID), disabling open recursive name servers, serving all data over HTTPS (so a redirected client fails certificate validation instead of silently loading the substitute script), and upgrading customer modems and routers in a timely manner.
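The poisoning described above leaves a tell-tale trace: a cached entry for the bank domain that points at an address the bank never published and that outlives the TTL the bank actually uses. The following script, an added example that is not part of the original article or of RSA’s report, checks a resolver cache dump for both symptoms. The domain `bank.example`, its addresses, the dump format (`<name> <ttl> IN A <address>`) and the one-hour TTL ceiling are all constructed assumptions; in practice the expected addresses would come from the bank’s authoritative servers under DNSSEC validation.

```python
import ipaddress
import re

# Constructed sample cache dump; bank.example and its addresses are assumptions.
CACHE_DUMP = """\
www.bank.example. 298 IN A 203.0.113.10
www.bank.example. 298 IN A 203.0.113.11
static.bank.example. 172800 IN A 198.51.100.7
www.example.net. 3600 IN A 192.0.2.44
"""

# Genuine addresses per name, as returned by the bank's authoritative servers
# under DNSSEC validation (constructed values). static.bank.example is where
# the page's JavaScript would be served from, i.e. the host worth substituting.
EXPECTED = {
    "www.bank.example.": {"203.0.113.10", "203.0.113.11"},
    "static.bank.example.": {"203.0.113.12"},
}
MAX_TTL = 3600  # assumed: the bank never publishes TTLs longer than one hour

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")


def parse_cache(dump):
    """Yield (qname, ttl_seconds, address) for each A record in the dump."""
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), str(ipaddress.ip_address(m.group(3)))


def find_poisoned(dump, expected=EXPECTED, max_ttl=MAX_TTL):
    """Return (qname, address, reason) for monitored names whose cached answer
    points somewhere the validated data does not, or lives suspiciously long."""
    findings = []
    for qname, ttl, addr in parse_cache(dump):
        if qname not in expected:
            continue  # not a name we monitor
        reasons = []
        if addr not in expected[qname]:
            reasons.append(f"unexpected address {addr}")
        if ttl > max_ttl:
            reasons.append(f"ttl {ttl}s exceeds {max_ttl}s")
        if reasons:
            findings.append((qname, addr, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in find_poisoned(CACHE_DUMP):
        print("ALERT", *finding)
```

Run periodically against each ISP resolver’s cache (or against the answers it returns), the check flags the long-lived redirect of the script host while the genuine `www` entries pass.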

ABOUT THE AUTHOR:
SUMIT KUMAR (MS Infosec(IIIT-A), C|EH v8, ISO 27001 LA)
MS in Cyber Law & Information Security

Institute – Indian Institute of Information Technology- Allahabad

Email id- sumit843302@gmail.com

EDITED by Pierluigi Paganini

(Security Affairs – RSA, Boleto)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
