BGP / DNS Hijacks Target Payment Systems
In the past month, we have observed additional BGP hijacks of authoritative DNS servers using a technique similar to the one used in April. This time the targets included US payment processing companies. In April 2018, we detailed a brazen BGP hijack of Amazon’s authoritative DNS service in order to redirect users of a cryptocurrency wallet service to a fraudulent website ready to steal their money.
As in the Amazon case, these more recent BGP hijacks enabled imposter DNS servers to return forged DNS responses, misdirecting unsuspecting users to malicious sites. By using long TTL values in the forged responses, recursive DNS servers held these bogus DNS entries in their caches long after the BGP hijack had disappeared — maximizing the duration of the attack. At 23:37:18 UTC on 6 July 2018, Digital Wireless Indonesia (AS38146) announced the following prefixes for about thirty minutes.
These prefixes didn’t propagate very far and were only seen by a handful of our peers. Three were more-specific announcements (184.108.40.206/24, 220.127.116.11/24, 18.104.22.168/24) of existing routes. Then at 22:17:37 UTC on 10 July 2018, Malaysian operator Extreme Broadband (AS38182) announced the exact same five prefixes listed above.
For about 30 minutes, these hijack prefixes weren’t propagated very far. Then they were announced again at 23:37:47 UTC for about 15 minutes but to a larger set of peers — 48 peers instead of 3 peers in the previous hour. It appears a change of BGP communities from 24218:1120 to 24218:1 increased the route propagation.
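More-specific announcements from an unexpected origin, as described above, are the case route origin validation (RFC 6811) is designed to flag. The following is an added example, not code from the original article: a minimal validator run over constructed announcements. The ROA table, prefixes (private address space) and AS numbers (documentation range) are assumptions, not data from the incident.

```python
import ipaddress

# Constructed ROA-style table: (prefix, max_length, authorized origin AS).
ROAS = [
    ("10.10.0.0/22", 22, 64496),
    ("10.20.0.0/23", 24, 64497),
]

# Constructed BGP announcements: (time, prefix, origin AS, peers that saw it).
ANNOUNCEMENTS = [
    ("T+00:00", "10.10.0.0/22", 64496, 48),  # legitimate aggregate
    ("T+00:05", "10.10.1.0/24", 64511, 3),   # more-specific, foreign origin
    ("T+00:06", "10.20.1.0/24", 64497, 40),  # owner's more-specific, allowed
    ("T+00:07", "10.10.2.0/24", 64496, 12),  # right origin, too specific
    ("T+00:09", "10.99.0.0/24", 64511, 5),   # no covering ROA
]

def validate(prefix, origin, roas=ROAS):
    """Return (state, reason) following RFC 6811 route origin validation."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((roa_net, max_len, asn))
    if not covering:
        return "not-found", "no covering ROA"
    for roa_net, max_len, asn in covering:
        if asn == origin and net.prefixlen <= max_len:
            return "valid", f"matches {roa_net} AS{asn}"
    if any(asn == origin for _, _, asn in covering):
        return "invalid", "more specific than max_length allows"
    return "invalid", "origin AS not authorized for covering prefix"

def alerts(announcements=ANNOUNCEMENTS):
    """Invalid routes (candidate hijacks) with their observed propagation."""
    out = []
    for ts, prefix, origin, peers in announcements:
        state, reason = validate(prefix, origin)
        if state == "invalid":
            out.append((ts, prefix, origin, peers, reason))
    return out

if __name__ == "__main__":
    for alert in alerts():
        print(alert)
```

The peer count is carried through to the alert rather than used as a filter: an invalid route seen by only a few peers is still reported.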