Attacks recently observed in Poland involved cybercriminals hacking into home routers and changing their DNS settings so they can intercept user connections to online banking sites.
Researchers from the Polish Computer Emergency Response Team (CERT Polska) believe attackers will likely target users from other countries as well in the future using similar techniques.
Unless intentionally configured otherwise, devices connected to a local network will typically use the DNS server provided by the network’s router to resolve domain names to IP (Internet Protocol) addresses. If attackers compromise the router and configure it to use a DNS server under their control, they can respond with rogue IP addresses to DNS queries for the domain names they wish to target.
In the recent attacks in Poland, the hackers used a DNS server that responded with rogue IP addresses for the domain names of five Polish banks. Those IP addresses corresponded to a server that acted as a proxy, providing attackers with a man-in-the-middle position to intercept, inspect and modify traffic between users and the online banking websites they wanted to target.
The problem for the hackers was that those sites used HTTPS — HTTP with SSL encryption — making it impossible to impersonate them without a valid digital certificate issued by a certificate authority. Because of this, they decided to use a less sophisticated technique known as SSL stripping.
Many banks use SSL encryption for their online banking systems, but not their entire websites. In most cases, users first connect to the bank’s main website over plain HTTP and then click on a button or link to access the log-in page for the secure part of the site where SSL is enabled.
It is at this point that attackers prevented the secure connection from being established. Their rogue proxy server established an encrypted connection with the online banking site, but kept the connection between the user and itself unencrypted.
When such an attack is in progress, the visual indicators for secure SSL connections are missing from the browser. However, it’s hard for the victims to notice since they clicked on a URL from the bank’s real website so they have no reason to suspect an attack, said Przemyslaw Jaroszewski, the head of incident response at CERT Polska.
The attackers went even further and rewrote the URLs seen by users in their browser’s address bar to have “ssl-.” in front of the domain name.
While none of the individual techniques used in the attacks were new, Jaroszewski said that as far as he knows this is the first time when attackers used them together in a mass attack targeting online banking users.