According to investigative reporter Brian Krebs, the Federal Reserve Bank of St. Louis has acknowledged that its domain name servers were hijacked last month by attackers who redirected Web searches and queries for domains run by the St. Louis Fed to phishing sites.
The St. Louis Fed's advisory states that "on April 24, 2015, computer hackers manipulated routing settings at a domain name service (DNS) vendor used by the St. Louis Fed so that they could automatically redirect some of the Bank's Web traffic that day to rogue Web pages they created to simulate the look of the St. Louis Fed's research.stlouisfed.org website, including Web pages for FRED, FRASER, GeoFRED and ALFRED."
The advisory notes that "users who were redirected to one of these phony websites may have been unknowingly exposed to vulnerabilities that the hackers may have put there, such as phishing, malware and access to user names and passwords."
As a result, the St. Louis Fed says, the attackers may have accessed the user name and password of anyone who tried to log into research.stlouisfed.org on April 24, 2015. Passwords have been reset in response.
While a St. Louis Fed spokeswoman told The New York Times that she didn't yet know who was behind the attacks, Krebs reports that the lag between the event and the disclosure indicates that the attack was likely "related to a state-sponsored hacking activity from a foreign adversary."
The New York Times notes that the St. Louis Fed's domain name registrar is Rightside subsidiary eNom. While representatives of eNom and Rightside told the Times that they were aware of a "sophisticated attack," they said they had "no evidence of customers' personal information being accessed."
Proficio CEO Brad Taylor told eSecurity Planet by email that domain hijacking is a huge problem that's getting worse.
"Essentially, attackers are compromising Internet Service Provider domain name servers or Web servers of partners and business associates to re-direct your customers and business-to-business partners to a malicious Web site masquerading as your own, in an attempt to get the unknowing customer to provide private security or financial information on the fake site," Taylor said.
"Another problem is that when you actually do discover a hijacked domain and re-direct attack, the security pros have got to find out where the bad code is re-directing and ask the ISP or business partner to make the change on their network, DNS, or websites," Taylor added. "This is a hard and long single point issue to fix, while the hacker is simply moving on to the next ISP or partner."
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said the St. Louis Fed's inconsistent use of SSL/TLS unfortunately made it a relatively easy target for cyber criminals. "The main research website, research.stlouisfed.org, does not use SSL/TLS and digital certificates by default for visitors, making redirection to a fake site much easier," he said. "Other parts of the St. Louis Fed do use SSL/TLS but use multiple certificate authorities, including GoDaddy. All of this makes it challenging for the Federal Reserve Bank to know what’s trusted, and even more difficult for its users."
Staff at banks and trading firms that use the St. Louis Fed's data are prime targets for cyber criminals, Bocek added. "Reuse of passwords, email accounts, and other data gained by tricking users to share their passwords on fake sites can enable bad guys to expand their attacks with ease," he said. "Without an immune system to know what sites and which digital certificates are really trusted, attacks like these on the Federal Reserve Bank of St. Louis and others will continue."
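Two checks that follow from the incident as described above, the record manipulation at the DNS vendor and Bocek's point that the research site did not use SSL/TLS by default, are shown below as an added example. This is not code from the St. Louis Fed, eNom, Proficio or Venafi, and every name, address and header in it is constructed (RFC 5737 documentation addresses, *.example hostnames). The first check compares what several resolvers currently return for the zone against a baseline of records the operator actually configured, so hijacked NS or A records surface as drift; the second grades the landing page's HTTPS posture. One caveat worth keeping in mind: an attacker who controls a zone's DNS can usually pass a domain-validation check and obtain a certificate for it, so HTTPS raises the bar rather than closing the door, which is why the posture check also insists on a long HSTS max-age.

```python
"""Added example, not code from the St. Louis Fed, eNom, Venafi or Proficio.

Two checks a zone owner can run after an incident like the one described:
  1. compare what resolvers currently return for the zone against a baseline
     of records the operator actually configured (hijacked NS or A records
     at the DNS vendor show up as drift), and
  2. grade the HTTPS posture of the landing page, since a plain-HTTP site
     lets a DNS redirect land users on a rogue host with no certificate
     warning at all.
All names, addresses and headers below are constructed (RFC 5737 ranges,
*.example hostnames); they are not the St. Louis Fed's real records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" (record the operator never set) or "medium"
    name: str      # DNS owner name the finding concerns
    detail: str


# Constructed baseline: what the operator expects each RRset to contain.
BASELINE = {
    "stlouisfed.org.": {"NS": {"ns1.vendor.example.", "ns2.vendor.example."}},
    "research.stlouisfed.org.": {"A": {"192.0.2.10", "192.0.2.11"}},
}

# HSTS max-age the preload list requires (one year, in seconds).
MIN_HSTS_MAX_AGE = 31536000


def diff_rrset(name, rtype, observed, expected):
    """Findings for one RRset. Records outside the baseline are high severity:
    a compromise at the DNS vendor appears as NS or A values nobody configured.
    Missing records are medium: they may be a partial hijack or a stale cache."""
    findings = []
    unexpected = observed - expected
    missing = expected - observed
    if unexpected:
        findings.append(Finding("high", name, f"{rtype} unexpected: {sorted(unexpected)}"))
    if missing:
        findings.append(Finding("medium", name, f"{rtype} missing: {sorted(missing)}"))
    return findings


def check_zone(observed_by_resolver, baseline=BASELINE):
    """observed_by_resolver maps a resolver label to {name: {rtype: set(values)}}
    as returned by that vantage point. Querying several resolvers separates
    the two cases: a change at the authoritative vendor is seen by all of them,
    while a single deviating resolver points at poisoning of that cache."""
    findings = []
    for resolver, answers in observed_by_resolver.items():
        for name, rrsets in baseline.items():
            for rtype, expected in rrsets.items():
                observed = answers.get(name, {}).get(rtype, set())
                for f in diff_rrset(name, rtype, observed, expected):
                    findings.append(Finding(f.severity, name, f"[{resolver}] {f.detail}"))
    return findings


def hsts_max_age(header_value):
    """Parse max-age out of a Strict-Transport-Security value; 0 if absent."""
    for directive in header_value.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def https_posture(scheme, headers):
    """Grade the response a browser got for the landing page. Plain HTTP means a
    DNS redirect to a rogue host produces no certificate error; HTTPS without
    a long HSTS max-age still lets a first or expired visit be downgraded."""
    if scheme.lower() != "https":
        return ["served over plain HTTP: a rogue host needs no certificate"]
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    max_age = hsts_max_age(hsts)
    if max_age < MIN_HSTS_MAX_AGE:
        return [f"HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}"]
    return []


if __name__ == "__main__":
    # Constructed observations: both resolvers see attacker-controlled records,
    # which is the signature of a change made at the DNS vendor itself.
    observed = {
        "resolver-a": {
            "stlouisfed.org.": {"NS": {"ns1.attacker.example.", "ns2.attacker.example."}},
            "research.stlouisfed.org.": {"A": {"198.51.100.7"}},
        },
        "resolver-b": {
            "stlouisfed.org.": {"NS": {"ns1.attacker.example.", "ns2.attacker.example."}},
            "research.stlouisfed.org.": {"A": {"198.51.100.7"}},
        },
    }
    for f in check_zone(observed):
        print(f.severity.upper(), f.name, f.detail)
    for issue in https_posture("http", {}):
        print("POSTURE", issue)
```

In practice the observed answers come from querying a handful of independent resolvers plus the registrar's published NS set on a schedule; the baseline is the record set from the operator's own change control, not whatever the vendor currently serves, since a vendor-side change is exactly the case the check is meant to catch.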