Softpedia
 


July 19th, 2011, 14:17 GMT · By

DNS Cache Poisoning Used in Brazilian Phishing Attack



Brazilian phishers employ rare DNS cache poisoning techniques
Security researchers from cloud security provider Zscaler have detected a phishing attack that used DNS cache poisoning to direct victims to a spoofed banking website.

The unusual attack was detected in Brazil and targeted customers of Banco Santander Brasil, one of the largest banks in the country.

According to Zscaler, attackers managed to force several DNS servers to resolve santander.com.br to an IP address under their control.

The spoofed page hosted on the rogue web server was very well crafted and looked identical to the real one.

The researchers don't mention how the servers were compromised: whether they were vulnerable to remote DNS cache poisoning, or whether the hackers compromised them by other means and manually inserted the rogue DNS entries.

"In such a situation, phishers do not need to blast e-mails to random Brazilian e-mail accounts. They just need to wait for the Santander customers to log in to their bank account, when accessing the site via the poisoned DNS servers," Zscaler's Julien Sobrier explains.

This type of phishing attack is very hard to detect and block. Victims have no indication that they are on a different website, except for the lack of HTTPS, which should be present on any login page.

Furthermore, blacklist-based defenses don't work because there is no rogue URL to block. "A week later, the phishing site is still up. It is not blocked by Phishtank or Google Safe Browsing," the Zscaler researcher notes.

Fortunately, the affected DNS servers have been cleaned up and are now functioning properly. The number of potentially affected users is not known.

While server-based compromises are more effective, LAN or computer-level DNS attacks are also dangerous. There are trojans known to register rogue DNS servers on local networks or configure static DNS entries on clients.
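Since there is no rogue URL for a blacklist to match, a defender can instead compare what each resolver returns for a sensitive hostname against a known-good address range. The following is an added example, not code from Zscaler or the original article; the resolver names, the `bank.example` answers, the addresses and the baseline range are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed baseline: ranges the genuine site is expected to resolve into.
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample: A records each resolver returned for bank.example.
SAMPLE_ANSWERS = {
    "resolver-a": ["192.0.2.10", "192.0.2.11"],
    "resolver-b": ["192.0.2.10"],
    "resolver-c": ["203.0.113.66"],                # fully outside the baseline
    "resolver-d": ["192.0.2.11", "198.51.100.7"],  # one unexpected record mixed in
    "resolver-e": [],                              # timed out / no answer
}

def in_baseline(addr, nets=EXPECTED_NETS):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def audit(answers, nets=EXPECTED_NETS):
    """Map each resolver to (verdict, unexpected_addresses)."""
    # How many resolvers returned each address (once per resolver).
    seen = Counter(ip for ips in answers.values() for ip in set(ips))
    responding = sum(1 for ips in answers.values() if ips)
    report = {}
    for resolver, ips in answers.items():
        if not ips:
            report[resolver] = ("no-answer", [])
            continue
        outside = sorted(ip for ip in set(ips) if not in_baseline(ip, nets))
        if not outside:
            report[resolver] = ("ok", [])
        elif all(seen[ip] * 2 > responding for ip in outside):
            # Most resolvers agree on the unexpected address: either the site
            # really moved or many caches are poisoned. Verify out of band.
            report[resolver] = ("review-baseline", outside)
        else:
            # Only a minority of resolvers return it: likely a poisoned cache.
            report[resolver] = ("suspect", outside)
    return report

def flagged(report):
    """Resolvers whose answers need attention, sorted by name."""
    return sorted(r for r, (verdict, _) in report.items() if verdict != "ok")

if __name__ == "__main__":
    for name, (verdict, extra) in sorted(audit(SAMPLE_ANSWERS).items()):
        print(f"{name}: {verdict} {extra}")
```

The same comparison applies to the LAN-level case: a client pointed at a rogue DNS server shows up as a resolver whose answers diverge from the others.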
