How hackers pulled off the Brazilian online bank job

Last Updated by Gray Williams on October 23, 2018

Brazil has seen its fair share of scandals in recent years. The Mensalao scandal resulted in dozens of construction companies bribing politicians in conjunction with the state’s petroleum company Petrobras in 2015.

Operation Car Wash upped the ante, exposing a money-laundering scheme topping US$11.3 billion and resulting in the arrests of multiple politicians including former President Fernando Collor de Mello.

But even those outrages pale in comparison to the staggering assault on a Brazilian online bank that occurred in October 2016.

When a debit or credit card is stolen, thieves have a limited amount of time to make purchases on the card or plunder a victim’s bank account before they are discovered and the card or account is suspended. But the group of hackers who hit the unnamed Brazilian bank in 2016-2017 did so with unprecedented strategy, manipulation, and success: a grim reminder of how dangerous anything online can become in the wrong hands.

DNS Disaster

In October 2016, a group of hackers did the unthinkable: they hijacked the entire Internet footprint of a Brazilian bank. The attack occurred on a Saturday afternoon, a fairly quiet time of the week for the site. The hackers were able to change the Domain Name System (DNS) registration of the bank’s 36 online properties, including its desktop and mobile banking sites.

According to the cybersecurity firm Kaspersky, customers logging on were taken to phishing sites instead, which looked similar to the bank’s real site, right down to the HTTPS designation in the web address.

Because they controlled the domains’ DNS, the hackers could obtain valid SSL certificates for their own sites from Let’s Encrypt, a non-profit certificate authority set up to encourage more businesses to adopt HTTPS.

Having broken in, the hackers repointed the bank’s sites to servers they had set up on Google Cloud. When account holders typed their usernames and passwords into the faux websites, they handed the hackers all of their security information. Experts believe the scam ran for 5-6 hours, during which visitors to the fake sites were infected with malware that ultimately let the hackers replicate the scam at 8-9 banks worldwide. The malware stole email credentials and contact lists from Exchange and Outlook, and disabled anti-virus software.

Bank customers could have avoided the malware and hack jobs by using a virtual private network (VPN). Employing this security system is advised when entering information of a personal or financial nature, as it encrypts your data and sends it to a remote server, where it is decrypted and sent on to the Internet from a new IP address. Although personal information would still have been compromised at the phishing site, VPN users would have had the problem minimized. Several commercial VPNs make security their top priority, such as Private VPN, which features 2048-bit encryption, a strict no-logs policy, and an automatic kill switch. If you’re looking for a starter-set version, try Trust.Zone, which is intuitive and has a simple interface while still providing peace of mind. SaferVPN lives up to its name with encryption support for PPTP, L2TP/IPSec, IKEv2, and OpenVPN.

Avoiding These Mistakes

How can you keep your business website from falling victim to the same thing that happened to the Brazilian bank? Here are three must-have tips to keep your company safe when hackers try to take control of your systems.

  1. Identify and manage external accounts that can threaten your system integrity.

    Theoretically, an online bank should have world-class security because it handles the two most important things in a customer’s life: their personal information and their money. But a steel chain is only as strong as its weakest link, and the bank was unable to account for lax security at its DNS registrar. In 2013, American retailer Target had thousands of customers’ credit-card details stolen during the heavy shopping period before Christmas. The culprit? A third-party vendor responsible for supplying the stores with refrigeration units for groceries. A hacker had stolen that vendor’s credentials and found that its invoices were stored on the same server as the chain’s financial records.

  2. Change your passwords religiously.

    This goes for both personal and business accounts. If your organization has not done so, strongly consider moving to two-factor authentication, which reduces the likelihood of hackers breaking in by a wide margin.

  3. Get certificates for organization validation (OV) and extended validation (EV) if possible.

    The Let’s Encrypt service that handed out the hackers’ domain validation (DV) certificate was part of the problem, as was the DNS registrar, which took the change request at face value without asking for any other verification. These extra levels of validation could have allowed the bank to contact the DNS registrar immediately with proof that it had not authorized the DNS changes.
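As an added example that is not part of the original article, the following Python sketch shows the detective control the bank lacked: a monitor that compares each domain’s registrar nameservers and A records against a signed-off baseline and flags Certificate Transparency entries from issuers the bank never uses, so a repointed domain or an unexpected DV certificate (the combination described in the DNS Disaster section and in tip 3) raises an alert within minutes rather than hours. Domain names, addresses and issuer names are constructed placeholders, not values from the incident.

```python
"""Added example (not from the original article): a DNS and certificate drift
monitor for bank-owned domains. Observed nameservers and A records are compared
against a signed-off baseline, and Certificate Transparency entries from issuers
the bank never uses are flagged. All inputs are constructed placeholders."""
from dataclasses import dataclass

@dataclass
class Baseline:
    nameservers: set
    addresses: set
    allowed_issuers: set

# Constructed baseline for a hypothetical bank login domain.
BASELINE = {
    "online.examplebank.example": Baseline(
        nameservers={"ns1.bank-dns.example", "ns2.bank-dns.example"},
        addresses={"203.0.113.10", "203.0.113.11"},
        allowed_issuers={"ExampleBank OV CA"},
    ),
}

def check_dns(domain, observed_ns, observed_a):
    """Alert when the registrar's NS set or the A records drift from baseline."""
    base = BASELINE[domain]
    alerts = []
    if set(observed_ns) != base.nameservers:
        alerts.append(f"{domain}: nameservers changed to {sorted(observed_ns)}")
    unexpected = set(observed_a) - base.addresses
    if unexpected:
        alerts.append(f"{domain}: resolves to unlisted hosts {sorted(unexpected)}")
    return alerts

def check_ct(domain, ct_entries):
    """Alert on certificates from any issuer outside the allowlist. A fresh DV
    certificate from an unfamiliar CA is what a DNS hijack produces, because
    whoever controls DNS can pass domain validation."""
    base = BASELINE[domain]
    return [f"{domain}: cert {e['serial']} issued by {e['issuer']} ({e['validation']})"
            for e in ct_entries if e["issuer"] not in base.allowed_issuers]

def run_checks(domain, observed_ns, observed_a, ct_entries):
    return check_dns(domain, observed_ns, observed_a) + check_ct(domain, ct_entries)

if __name__ == "__main__":
    # Constructed observation resembling the article's hijack: NS repointed,
    # site resolving to an unfamiliar cloud host, new DV cert from another CA.
    ct = [{"serial": "01", "issuer": "ExampleBank OV CA", "validation": "OV"},
          {"serial": "02", "issuer": "Public DV CA (constructed)", "validation": "DV"}]
    for alert in run_checks("online.examplebank.example",
                            ["ns1.attacker-dns.example"], ["198.51.100.7"], ct):
        print("ALERT", alert)
```

In production the observed values would come from RDAP/WHOIS lookups against the registrar and from a CT log monitor, and the alert path should reach someone who can call the registrar on a Saturday afternoon.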

Gray Williams
Gray Williams is an experienced data and communications engineer and cross-platform copy and content writer and editor with a keen interest in cybersecurity. He has been working with and researching VPNs and other online privacy tools for many years.