St. Louis Fed Confirms DNS Hijacking
Economic Researchers Routed To Attacker-Controlled Sites
Attackers in April launched a phishing campaign against users of research services offered by the Federal Reserve Bank of St. Louis. The attack was aided by hackers hijacking the organization's domain name server settings to redirect visitors to lookalike sites that were under attackers' control.
The St. Louis Fed revealed the breach on May 18, and said it has emailed all active users of its economic data and analysis tools, informing them that their passwords have now been invalidated and will have to be reset when they next log in.
"The Federal Reserve Bank of St. Louis has been made aware that on April 24 computer hackers manipulated routing settings at a domain name service (DNS) vendor used by the St. Louis Fed so that they could automatically redirect some of the bank's web traffic that day to rogue webpages they created to simulate the look of the St. Louis Fed's research.stlouisfed.org website," the St. Louis Fed said in a statement.
"The St. Louis Fed's website itself was not compromised," a spokeswoman tells Information Security Media Group, adding that the affected research website "is not used for communications with banks."
The Federal Reserve System, or the Fed, is the central bank of the United States. It is composed of a central, independent government agency - the Board of Governors - based in Washington, as well as 12 regional Federal Reserve Banks that are located in major U.S. cities.
The St. Louis Fed's statement did not address who may have launched the attack, whether users have reported any related data loss or how the organization can be sure that the attack was confined to April 24, since DNS setting changes - including fixes - can take 24 hours or more to propagate. Officials did not immediately respond to related requests for comment.
The St. Louis Fed says it emailed all active users on May 18 to warn them that attackers may have successfully stolen their access credentials or infected their systems with malicious code, if they used the St. Louis Fed's research website on April 24. "As is common with these kinds of DNS attacks, users who were redirected to one of these phony websites may have been unknowingly exposed to vulnerabilities that the hackers may have put there, such as phishing, malware and access to usernames and passwords," it says.
The phishing attack targeted users of multiple databases of new and historical economic data - such as banking details, consumer price indexes, employment and population and exchange rates - that are maintained by the St. Louis Fed's research division and accessible via its website. The databases include the widely used Federal Reserve Economic Data, Federal Reserve Archival System for Economic Research and Archival Federal Reserve Economic Data. The attack also targeted users of the St. Louis Fed's Geographical Economic data, which can be used to create geographical maps of the Federal Reserve economic data.
Some information security experts have noted that the phishing campaign might be a watering-hole attack, in which attackers hack into a site to better reach their intended victims. And users of Federal Reserve data would be a "juicy" target, says Dave Jevans, CEO of threat-intelligence firm Marble Security and chairman of the Anti-Phishing Working Group. "Great way to phish the passwords and email addresses of bankers and currency traders."
But without more evidence - such as whether the phishing websites were stealing credentials, serving malware, or both - it remains tough to draw definitive conclusions, says Erik de Jong, a security researcher at threat-intelligence firm Fox-IT. "Assessing the potential pool of victims might give you an idea about the motive, although that is, of course, not always clear-cut," he says.
News of the DNS breach was first reported by security blogger Brian Krebs.
The St. Louis Fed's alert also advised users to never reuse their passwords across sites: "In the event that your user name and password are the same or similar as those you use for other websites, we highly recommend that you follow best practices and use a strong, unique and different password for each of your user accounts on the Internet."
Security experts have long warned that attackers will often take username and password combinations from websites they have exploited and attempt to use them to log into victims' accounts on any other website where they have reused the same combination of credentials (see Starbucks: Coffee and a Fresh Password).
Hacking into a DNS provider and altering websites' DNS settings - to redirect users to an attacker-controlled site - is not a new attack technique (see How DNS is Exploited). "These are indeed fairly common occurrences. For one, hijacking DNS is a 'good' way of reaching a sizable pool of victims to steal credentials from, to infect, or both," Fox-IT's de Jong says. In January, for example, the hacking group Lizard Squad used the technique to redirect Malaysia Airlines website visitors to a site that contained a fake "404 - Plane Not Found" error message.
The Syrian Electronic Army - a group of hackers who back the regime of Syrian President Bashar al-Assad - has also used DNS takeover techniques numerous times to forcibly redirect those who attempted to access a website. In 2013, for example, the group altered the DNS settings for the websites of Twitter, which quickly regained control of the settings, as well as for The New York Times, which did not; its site remained unavailable for many website visitors for more than 48 hours after the initial DNS hijacking.
To help thwart these types of DNS takeover attacks, earlier this year Europe's cybersecurity agency, ENISA, urged DNS registrars to better lock down account access, to prohibit changes to sites' DNS settings by anyone not on a list of authorized users, and to implement Domain Name System Security Extensions.
"DNSSec is meant to mitigate attacks such as this one, but unfortunately has only limited uptake and is most definitely not 'easy,'" de Jong says.
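The propagation caveat raised earlier in the article can be made concrete with a defender-side check. This added example is not part of the original article or any St. Louis Fed tooling: it compares a monitoring log of resolved records against an expected baseline and bounds how long resolvers could keep serving a rogue answer. All names, addresses, timestamps and TTLs are constructed.

```python
from datetime import datetime, timedelta

# Constructed baseline: record sets the domain owner expects (assumption).
BASELINE = {
    ("research.example.org", "A"): {"192.0.2.10"},
    ("example.org", "NS"): {"ns1.vendor.example", "ns2.vendor.example"},
}

# Constructed monitoring log: (UTC time, name, type, answers, TTL seconds).
OBSERVATIONS = [
    ("2024-01-10T06:00", "research.example.org", "A", ["192.0.2.10"], 3600),
    ("2024-01-10T09:00", "research.example.org", "A", ["203.0.113.66"], 86400),
    ("2024-01-10T12:00", "example.org", "NS",
     ["ns1.vendor.example", "ns2.vendor.example"], 86400),
    ("2024-01-10T15:00", "research.example.org", "A", ["203.0.113.66"], 86400),
    ("2024-01-10T18:00", "research.example.org", "A", ["192.0.2.10"], 3600),
]


def exposure_windows(observations, baseline):
    """Map (name, type) -> window in which rogue answers could be served."""
    windows, last_good = {}, {}
    for ts, name, rtype, answers, ttl in sorted(observations, key=lambda o: o[0]):
        key, when = (name, rtype), datetime.fromisoformat(ts)
        rogue = set(answers) - baseline.get(key, set())
        win = windows.get(key)
        if rogue and win is None:
            # The change landed some time after the last clean check.
            windows[key] = win = {"start": last_good.get(key, when),
                                  "end": None, "max_ttl": 0, "values": set()}
        if rogue:
            win["values"] |= rogue
            win["max_ttl"] = max(win["max_ttl"], ttl)
            win["end"] = None  # still hijacked as of this observation
        else:
            last_good[key] = when
            if win is not None and win["end"] is None:
                # A resolver may have cached the rogue answer just before
                # the fix, so exposure runs one full rogue TTL past it.
                win["end"] = when + timedelta(seconds=win["max_ttl"])
    return windows


if __name__ == "__main__":
    for (name, rtype), w in exposure_windows(OBSERVATIONS, BASELINE).items():
        print(name, rtype, sorted(w["values"]), w["start"], "->", w["end"])
```

In the constructed log the rogue record is only observed on one day, yet its 24-hour TTL pushes the upper bound of exposure well into the next day.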