DNS Cyberheist Hijack Prompts Credit Card Credential and Other Compromises



An interesting tidbit has emerged from the eCrime Trends Report for Q4-2010 from online security firm Internet Identity (aka IID). Over the Christmas holidays, an online payment processing company named ChronoPay (a major player in the Russian and European online markets) fell prey to a domain name hijack and DNS reconfiguration. That is, the actual IP addresses to which the company's primary domain name (ChronoPay.com) resolved was replaced in DNS servers around the world with a malicious server of the attacker's choosing.



[Figure: A snippet from IID's Q4'2010 eCrime Report title page]



What makes this attack especially worrisome is stated directly in the IID report cited in the preceding paragraph:

...unlike a typical phishing event, the chronopay.com attack involved the relocation of the domain to servers outside the control of ChronoPay, meaning no tricks were needed to get people to come to the phishing site because they went there directly from stored bookmarks or direct navigation—a total violation of trust for users.


It took hours before ChronoPay detected and diagnosed the sudden cessation of its business traffic (its domain had essentially become unreachable), and some while longer before it was able to restore normal service. During the period when attackers were intercepting incoming payment traffic, somewhere in the neighborhood of 800 credit cards were used to "make payments" on the attacker's site, and every one of those cards was completely compromised. In addition to the end users and consumers who suffered losses because of the website substitution, merchants and vendors who use ChronoPay, and who logged into their accounts during the hijack period, also exposed their account and customer information to the attackers. The full extent of any resulting back-end losses to ChronoPay partners and vendors is not yet known, and may never be completely documented.



Here's some additional chilling analysis and what-ifs from IID at the conclusion of this section of their eCrime report:

With some skill, the criminals could have leveraged their newfound control of chronopay.com email and caused even further damage. At minimum, ChronoPay did not have full control of its email system during this attack. At worst, every single e-mail sent to chronopay.com during the outage was read by the hijackers, including emergency response e-mails and confidential business correspondence. Given that many online assets and access credential “verification” systems are tied to an e-mail account, the hijackers could have easily compromised ChronoPay’s accounts with other services.



The potential PCI compliance violations and subsequent penalties under such a scenario could also be catastrophic to Chronopay, its small business customers, and large corporations who rely on its platform.


This is on the same order as compromising a bank, rather than compromising one or more individual accounts at such an institution. It raises phishing attacks to an entirely new level and suggests that payment processors and financial institutions must review their DNS security services. It also makes painfully obvious that ongoing monitoring of DNS records needs to be part and parcel of the normal DNS security regime. At a minimum, the kind of DNS monitoring that companies like IP Patrol provide must be incorporated into the normal security controls of online banking and payment processing.
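A minimal form of that monitoring, added here as an illustration and not code from this post, IID or IP Patrol: answers gathered from several recursive resolvers (constructed inline here, with documentation-range addresses and a made-up domain, so the check runs offline) are compared against a known-good baseline of A and NS records, and the verdict distinguishes a single poisoned vantage point from the ChronoPay pattern in which every resolver has been redirected.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    resolver: str     # vantage point that answered (e.g. a public recursive resolver)
    a: frozenset      # A records it returned for the monitored domain
    ns: frozenset     # NS records it returned for the monitored domain

def classify(expected_a, expected_ns, observations):
    """Compare answers from several resolvers against a known-good baseline.

    Verdicts:
      "ok"      every resolver returned only baseline A and NS records
      "partial" some resolvers diverge: a poisoned or stale cache, or propagation lag
      "hijack"  every resolver diverges: the authoritative data itself changed,
                the ChronoPay pattern (registrar/zone-level takeover)
    NS records are checked too because a registrar-level hijack usually shows
    up as a changed delegation; an empty answer counts as divergent, since an
    unreachable domain is also a symptom worth paging on.
    """
    expected_a, expected_ns = frozenset(expected_a), frozenset(expected_ns)
    def agrees(o):
        return bool(o.a) and o.a <= expected_a and bool(o.ns) and o.ns <= expected_ns
    affected = [o.resolver for o in observations if not agrees(o)]
    rogue_a = frozenset().union(*(o.a - expected_a for o in observations))
    rogue_ns = frozenset().union(*(o.ns - expected_ns for o in observations))
    if not affected:
        verdict = "ok"
    elif len(affected) == len(observations):
        verdict = "hijack"
    else:
        verdict = "partial"
    return {"verdict": verdict, "affected": affected,
            "rogue_a": sorted(rogue_a), "rogue_ns": sorted(rogue_ns)}

# Constructed sample data: documentation-range addresses and a made-up domain, not real hosts.
BASELINE_A = {"192.0.2.10", "192.0.2.11"}
BASELINE_NS = {"ns1.payments.example.", "ns2.payments.example."}
ROGUE_A, ROGUE_NS = frozenset({"203.0.113.7"}), frozenset({"ns1.rogue.example."})
# Every vantage point now returns the attacker's host and a foreign delegation.
HIJACK = [Observation(r, ROGUE_A, ROGUE_NS) for r in ("resolver-a", "resolver-b", "resolver-c")]
# One vantage point diverges while the other still returns the baseline.
POISONED = [Observation("resolver-a", frozenset({"192.0.2.10"}), frozenset(BASELINE_NS)),
            Observation("resolver-b", ROGUE_A, frozenset(BASELINE_NS))]

if __name__ == "__main__":
    for name, obs in (("hijack", HIJACK), ("poisoned", POISONED)):
        print(name, classify(BASELINE_A, BASELINE_NS, obs))
```

In production the observations would come from periodic queries to a handful of independent resolvers plus the zone's own authoritative servers, and any verdict other than "ok" should page the on-call team rather than wait for the traffic drop that ChronoPay noticed hours later.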



Stu Sjouwerman



KnowBe4


