Cybercrime Directed at Polish Banks

Polish BanksCERT Polska (the Polish Computer Emergency Response Team) has uncovered a Hack of Mass Destruction directed against the Polish Banking sector. This attack modified the DNS settings on victims routers, and then a simple man-in-the-middle attack was launched after the rogue DNS servers misdirected users to what they thought was their bank’s website. The attack was obviously aimed at stealing banking credentials, and eventually money.

The problem started when iPhone users in Poland began complaining about strange occurrences when connecting to their bank’s website. The obvious culprit would be a virus on the iPhone platform which is possible but not likely. Further investigation turned up nothing as no virus was on the phone.

Eventually, the problem was traced back to a DNS server that was under the control of cybercriminals. It’s understandable that it took a while to figure this out because a modified DNS setting would not be an obvious place to look, something that makes attacking it so bad. In fact, the attack could be made even more difficult to detect if the affected DNS server only passed back the incorrect IP address resolution every so often and not every time.

The hackers did launch a man-in-the-middle attack against the banks and spoofed the bank’s website. But there was one thing they could not do – spoof the bank’s SSL certificate. Because of that, they simply prefixed the bank’s address with “ssl-” and modified any links necessary. It would take an alert user to see this deception.

Przemyslaw Jaroszewski, head of incident response with CERT Polska said “There is a vulnerability in Zyxel firmware (used in TPLink and DLink routers, among others) that was made a month ago, which allows for exactly this kind of attack. However, we know for sure that the [DNS redirection attacks] were already there in late December.”

Authorities claim that the number of routers compromised in the attack was in the thousands, however there are 1.2 million routers in Poland that have this vulnerability.