US payment processors report that they are being targeted by hackers using BGP hijacking attacks. This is a complex method used by experienced groups, as it requires both resources and knowledge to execute.
BGP Hijacking Attacks Used Against US Payment Processors
Among the most heavily attacked companies over the last few years are the payment processors, particularly those located in the USA. The reason is that they handle the payment card transactions and work with both the banks and the online merchants. Their security should be impenetrable; however, this has not warded off potential intruders. Over the years, attacks using the BGP hijacking method have increased.
BGP stands for Border Gateway Protocol and is the standard language that devices use to exchange routing and reachability information across the large networks that make up the Internet. Such attacks rely on malicious DNS servers that return forged responses when users access payment gateways, banks and online services. A dangerous feature of these responses is that they maximize the duration of the attack by using long cache expiration times, so resolvers keep serving the forged records until they expire. This means that even after a successful attack has been stopped, the damage continues for quite some time.
Successful attacks rely on creating and setting up rogue servers that answer the redirected requests. The most common way is to build the required infrastructure from infected hosts, that is, botnets of computers hijacked by malware. The hackers then announce false routing information that confuses the network and disrupts the normal flow of traffic. The network traffic is forwarded to a hacker-controlled server, which can enable very effective phishing attacks.
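As an added example that is not from the article or from any company it mentions, the following Python sketch shows the defender-side check the mechanism above implies: comparing origin-AS announcements from a route feed against an allow-list of authorised origins, and flagging both exact and more-specific announcements that come from an unexpected AS. The prefixes, ASNs, collector names and feed are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str      # announced IPv4 prefix, e.g. "203.0.113.0/24"
    origin_as: int   # last AS in the AS_PATH, i.e. the claimed originator
    seen_by: str     # route collector / peer that reported the announcement


# Constructed allow-list for a hypothetical payment processor: the prefixes it
# owns and the only ASNs that are authorised to originate them.
AUTHORISED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/23": {64500, 64501},
}


def is_covered(announced: str, owned: str) -> bool:
    """True if the announced prefix equals, or is a more-specific of, an owned prefix."""
    a = ipaddress.ip_network(announced)
    o = ipaddress.ip_network(owned)
    return a.version == o.version and a.subnet_of(o)


def find_hijacks(announcements):
    """Return (announcement, owned_prefix) pairs where a monitored prefix, or a
    more-specific of it, is originated by an ASN not on the allow-list.
    A more-specific from a stranger AS is the classic hijack shape: it beats the
    legitimate covering route by longest-prefix match."""
    suspicious = []
    for ann in announcements:
        for owned, allowed in AUTHORISED_ORIGINS.items():
            if is_covered(ann.prefix, owned) and ann.origin_as not in allowed:
                suspicious.append((ann, owned))
    return suspicious


# Constructed sample feed, not real route-collector data.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", 64500, "rrc00"),   # legitimate origin
    Announcement("203.0.113.0/25", 64999, "rrc01"),   # more-specific from unknown AS
    Announcement("198.51.100.0/23", 64501, "rrc00"),  # legitimate secondary origin
    Announcement("192.0.2.0/24", 64999, "rrc01"),     # not a monitored prefix
]

if __name__ == "__main__":
    for ann, owned in find_hijacks(SAMPLE_FEED):
        print(f"ALERT: {ann.prefix} originated by AS{ann.origin_as} "
              f"(seen at {ann.seen_by}) covers monitored {owned}")
```

In practice the feed would come from a route collector or BGP monitoring service, and the allow-list from the organisation's own RPKI ROAs or IRR route objects.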
The first major attack was reported by Oracle on July 6: an Indonesian ISP announced prefixes associated with a company owned by a US-based payment processing company. The security investigation revealed that this was a case of BGP hijacking. A few days later the attacks continued. The first attacks did not seem to have a large impact; however, the last one took down the domains of some companies.
There is some evidence that the ongoing campaigns are related to a large-scale attack back in April. In it, hackers attempted to hijack the DNS servers used by Amazon with the end goal of redirecting users to a fake website. Its purpose was to use social engineering tricks in order to steal their money.