Brazilian ISPs hit with massive DNS cache poisoning attacks
Posted on 07 November 2011.
A massive DNS cache poisoning attack attempting to infect users trying to access popular websites is currently under way in Brazil, warns Kaspersky Lab expert Fabio Assolini.

"Brazil has some big ISPs. Official statistics suggest the country has 73 million computers connected to the Internet, and the major ISPs average 3 or 4 million customers each. If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge," he points out.

And that is exactly what has been happening during last week. Users trying to reach Google, YouTube, Facebook and other popular global and local sites were being faced with pop-up windows telling them to install "Google Defence" and similar thematic software or Java applet in order to be able to access the wanted site:


Unfortunately for those who fell for the trick, the offered software was a banking Trojan - for a long time now the preferred weapon of choice of Brazilian cyber crooks. According to Kaspersky, the same IP address hosted a number of malicious files and several exploits, and targeted users seem to be exclusively from Brazil.

Among the different ways in which a DNS cache poisoning attack can be executed, the simplest option for the attackers is to pay an employee who has access to the DNS records to modify them so that user are redirected to the malicious site. And, as it seems, that is exactly what they did.

Assolini notes that last week the Brazilian police has arrested an employee of an ISP located in the south of the country, and that he stands accused of changing his employer's DNS cache and redirecting users to phishing websites - no doubt at the behest of the people running them. "We strongly suspect similar security breaches will be happening in other small and medium ISPs in the country," Assolini commented.

But random Internet users are not the only one who have been targeted by this type of attack. Employees of various companies have also been seeing similar pop-up windows when they tried to access any website. Once again, they were actually offered a banking Trojan for download.

The attack was made possible by flaws in the networking equipment used by their companies. Routers and modems were accessed remotely by attackers who changed the devices' DNS configurations.






Spotlight

eBook: Cybersecurity for Dummies

Posted on 16 December 2014.  |  APTs have changed the world of enterprise security and how networks and organizations are attacked. These threats, and the cybercriminals behind them, are experts at remaining hidden from traditional security while exhibiting an intelligence, resiliency, and patience that has never been seen before.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Thu, Dec 18th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //