US payment processors targeted in DNS server hijacking attacks, warns Oracle

Attack in July aimed at redirecting the payment processors' traffic to servers controlled by the hijackers

Oracle has warned of a sophisticated attack in July that targeted three US payment processing companies.

The attack sought to abuse the Border Gateway Protocol (BGP), enabling the attackers to hijack the routes to the companies' DNS servers and redirect their traffic.

Border Gateway Protocol (BGP) is a standardised exterior gateway protocol designed to exchange routing and reachability information among autonomous systems on the Internet.

Oracle said in a report on Monday that on three separate dates in July, it saw what appeared to be BGP hijacks that targeted the DNS servers for US payment processors Datawire, Vantiv, and Mercury Payment Systems.

These internet routing attacks were apparently designed to redirect traffic intended for the payment processors to servers controlled by the malicious actors.

The first of the attacks started on 6 July this year, with a short-duration attack that attempted to reroute network prefixes, or blocks of IP addresses. These attacks targeted the Vantiv and Datawire payment processing companies.

A few months earlier, in April, Oracle also detailed a brazen BGP hijack attempt of Amazon's DNS service in order to redirect users of a cryptocurrency wallet service to a fraudulent website.

"In the past month, we have observed additional BGP hijacks of authoritative DNS servers with a technique similar to what was used in April," the firm said in a report. "This time the targets included US payment processing companies."

As in the Amazon case, these more recent BGP hijacks enabled imposter DNS servers to return forged DNS responses, misdirecting unsuspecting users to malicious sites.

By using long TTL values in the forged responses, recursive DNS servers held these bogus DNS entries in their caches long after the BGP hijack had disappeared, maximising the duration of the attack, Oracle said.
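The caching effect described above can be made concrete with a small simulation. This is an added example, not code from Oracle's report: it models a recursive resolver that caches whatever answer it receives, a hypothetical five-minute hijack window during which the "authoritative" answer is forged with a one-day TTL, and the effect of the resolver capping the TTL it will honour (the hostname, addresses, durations and the `max_cache_ttl` parameter are all constructed for illustration).

```python
"""Why a long TTL in a forged DNS answer outlives a short BGP hijack.

Added, constructed example: a toy recursive resolver cache, a hypothetical
hijack window, and a TTL cap as one mitigation. All names, addresses and
times are invented; addresses use RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

LEGIT_IP = "192.0.2.10"        # constructed: real service address
FORGED_IP = "198.51.100.66"    # constructed: attacker-controlled address
HIJACK_START, HIJACK_END = 0, 300   # constructed: hijack lasts five minutes
FORGED_TTL = 86400             # constructed: attacker sets a one-day TTL
LEGIT_TTL = 300                # constructed: legitimate zone uses 5 minutes
NAME = "api.example-processor.test"   # constructed hostname


@dataclass
class CacheEntry:
    rdata: str
    expires_at: int   # absolute simulated time in seconds


class RecursiveResolver:
    """Minimal recursive resolver: answer from cache if fresh, else fetch.

    `max_cache_ttl` (hypothetical parameter) caps the TTL the resolver will
    honour, the same idea as BIND's `max-cache-ttl` or Unbound's
    `cache-max-ttl` options.
    """

    def __init__(self, max_cache_ttl: Optional[int] = None) -> None:
        self.max_cache_ttl = max_cache_ttl
        self.cache: Dict[str, CacheEntry] = {}

    def resolve(self, name: str, now: int,
                authoritative: Callable[[str], Tuple[str, int]]) -> Tuple[str, str]:
        entry = self.cache.get(name)
        if entry is not None and entry.expires_at > now:
            return entry.rdata, "cache"
        rdata, ttl = authoritative(name)
        if self.max_cache_ttl is not None:
            ttl = min(ttl, self.max_cache_ttl)   # clamp attacker-chosen TTL
        self.cache[name] = CacheEntry(rdata, now + ttl)
        return rdata, "upstream"


def upstream_at(now: int) -> Callable[[str], Tuple[str, int]]:
    """Return the 'authoritative' server the resolver reaches at time `now`.

    During the hijack window the route leads to an imposter that answers with
    the forged address and a long TTL; afterwards routing is back to normal.
    """
    def authoritative(name: str) -> Tuple[str, int]:
        if HIJACK_START <= now < HIJACK_END:
            return FORGED_IP, FORGED_TTL
        return LEGIT_IP, LEGIT_TTL
    return authoritative


def poisoned_until(max_cache_ttl: Optional[int] = None, first_query: int = 10,
                   step: int = 60, horizon: int = 2 * 86400) -> Optional[int]:
    """Last simulated second at which clients still get the forged address.

    Clients query the resolver every `step` seconds starting at `first_query`
    (inside the hijack window). Returns None if the forged answer never
    reaches a client.
    """
    resolver = RecursiveResolver(max_cache_ttl)
    last_bad = None
    for now in range(first_query, horizon, step):
        rdata, _source = resolver.resolve(NAME, now, upstream_at(now))
        if rdata == FORGED_IP:
            last_bad = now
    return last_bad


if __name__ == "__main__":
    print("hijack itself ends at second", HIJACK_END)
    print("forged answer served until (no TTL cap):   ", poisoned_until())
    print("forged answer served until (cap = 1 hour): ", poisoned_until(3600))
```

The routing hijack ends at second 300, yet an uncapped resolver keeps handing out the forged address for almost a full day, because the only thing governing expiry is the TTL the imposter chose. A TTL cap on the recursive side bounds that window; it does not prevent the poisoning, which is why the origin-validation measures discussed later in the article address the root cause rather than the symptom.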

The company warned that we can expect to see more of these types of attacks against high-value targets on the internet in the near future.

Security specialist and IP development engineer at NTT Communications, Job Snijders, suggested that consolidation of the internet industry might help to foil such attacks.

"If the major DNS service providers (both on the authoritative and recursive side of the house) sign their routes using RPKI, and validate routes received via EBGP, the impact of attacks like these would be reduced because protected paths are formed back and forth," Snijders said.

"Only a small specific group of densely connected organisations needs to deploy RPKI based BGP Origin Validation to positively impact the Internet experience for billions of end users," he added.
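To show what the origin validation Snijders refers to actually decides, here is an added example (not code from NTT, Oracle or the article) implementing the Route Origin Validation procedure of RFC 6811 in Python: a route is Valid if some ROA covering its prefix names the announced origin AS and permits the prefix length, Invalid if ROAs cover the prefix but none match, and NotFound if no ROA covers it. The ROAs, prefixes and AS numbers are constructed from documentation ranges and private ASNs; `filter_routes` and its `reject_invalid` switch are hypothetical helpers standing in for a router's import policy.

```python
"""RPKI Route Origin Validation (RFC 6811) on constructed ROAs and routes.

Added example, not the project's or the article's code. ROAs use RFC 5737 /
RFC 3849 documentation prefixes and private ASNs from the 64496-64511 range.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorisation: `asn` may originate `prefix` and any
    more-specific prefix up to `max_length` bits."""
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Route:
    """A received BGP announcement: the prefix and its origin AS."""
    prefix: str
    origin_asn: int


def covering_roas(roas: Iterable[ROA], prefix: str) -> List[ROA]:
    """ROAs whose prefix covers `prefix` (equal or less specific)."""
    net = ipaddress.ip_network(prefix, strict=False)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate_origin(roas: Iterable[ROA], route: Route) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' per RFC 6811 section 2."""
    net = ipaddress.ip_network(route.prefix, strict=False)
    covering = covering_roas(roas, route.prefix)
    if not covering:
        return "NotFound"
    for roa in covering:
        # AS 0 in a ROA never authorises anything (RFC 6483 section 4).
        if roa.asn != 0 and roa.asn == route.origin_asn \
                and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def filter_routes(roas: Iterable[ROA], routes: Iterable[Route],
                  reject_invalid: bool = True) -> List[Tuple[Route, str]]:
    """Hypothetical import policy: drop Invalid routes, keep Valid and
    NotFound (the usual first deployment step, since much of the routing
    table still has no ROA)."""
    roas = list(roas)
    accepted = []
    for route in routes:
        state = validate_origin(roas, route)
        if state == "Invalid" and reject_invalid:
            continue
        accepted.append((route, state))
    return accepted


# Constructed ROAs: the legitimate operator is AS 64496.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]

# Constructed announcements, including two hijack shapes:
# a wrong origin AS, and a more-specific prefix (even with the right AS,
# it exceeds max_length, so it is Invalid).
ROUTES = [
    Route("192.0.2.0/24", 64496),      # legitimate          -> Valid
    Route("192.0.2.0/24", 64511),      # foreign origin      -> Invalid
    Route("192.0.2.0/25", 64496),      # too specific        -> Invalid
    Route("203.0.113.0/24", 64496),    # no ROA at all       -> NotFound
    Route("2001:db8:1::/48", 64496),   # within max_length   -> Valid
    Route("2001:db8:1::/64", 64496),   # beyond max_length   -> Invalid
]

if __name__ == "__main__":
    for route in ROUTES:
        print(f"{route.prefix:18} AS{route.origin_asn}  "
              f"{validate_origin(ROAS, route)}")
    print("accepted:", [(r.prefix, s) for r, s in filter_routes(ROAS, ROUTES)])
```

The more-specific case matters most for the attacks in the article: a hijacker who announces a /25 carved out of a processor's /24 would normally win on longest-prefix match, but a ROA with `max_length` equal to the prefix length makes that announcement Invalid at any validating neighbour, and the route never propagates past them.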