Brazilian customers of Santander, one of the largest banks in the world, have been targeted by a very clever phishing scam that did not involve clicking on malicious links in spam emails.
In fact, the phishers managed to hijack the DNS servers that resolve santander.com.br and point the name at a (visually) perfect copy of the bank's site, in order to harvest customers' login credentials and security codes.
“DNS poisoning also renders virtually all browser phishing defenses useless. Google Safe Browsing (Firefox, Safari, Chrome, etc.) and Phishtank (Opera, etc.) both rely on a blacklist, which is a list of URLs or domains to block,” explain the researchers. “It can be very hard for the user to realize that this is a phishing site because it looks exactly like the real site, and the URL shows the correct domain.”
In this case, the only thing that could have alerted users to the fact that they had landed on a bogus page was a glance at the address bar: the URL began with HTTP rather than HTTPS. That is the usual tell for this kind of attack. Poisoning the resolvers customers use sends them to the attacker's server, but it does not give the attacker a certificate for santander.com.br that browsers would trust, so the copy had to be served over plain HTTP.
A less obvious clue was present in the page's source code, where an HTML comment indicated that the page had been copied from the original site, but I doubt that many users would think of checking the source code, or would even know that they could.
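The three signals above (a bank name resolving somewhere it should not, a login page delivered over plain HTTP, and a tell-tale HTML comment) can be checked by a client or a bank's monitoring team. The following Python script is an added example, not code from the article or from the researchers it quotes; it goes slightly beyond the text by combining the checks into one report. The known-good address ranges, the comment patterns, the hostnames and the sample page are all constructed for illustration.

```python
"""Client-side checks for a DNS-hijack phishing page: the bank's name resolving
outside its known networks, the login page served over plain HTTP, and an HTML
comment betraying that the page was copied from the real site.

Added example; not code from the article or the researchers it quotes.
The address ranges, comment patterns, hostnames and sample page are constructed.
"""
from __future__ import annotations

import ipaddress
import re
import socket
from typing import Iterable

# Constructed: networks the defender knows (out of band, e.g. from the bank or
# via a trusted resolver path) to be legitimate for the site. A TEST-NET range
# is used here purely as a placeholder.
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed markers: comments that browsers and mirroring tools leave when a page
# is saved or copied (the article does not say what the actual comment said).
COPIED_PAGE_MARKERS = [
    re.compile(r"saved from url=", re.I),               # browser "Save page as"
    re.compile(r"mirrored from .* by httrack", re.I),   # HTTrack Website Copier
]

# Constructed sample of a copied login page.
SAMPLE_HTML = """<!DOCTYPE html>
<!-- saved from url=(0028)https://www.bank.example/ -->
<html><head><title>Internet Banking</title></head>
<body><form action="login.php" method="post">
<input name="user"><input name="pass" type="password">
</form></body></html>"""


def unexpected_addresses(answers: Iterable[str]) -> list[str]:
    """Addresses in a DNS answer that fall outside the known-good networks."""
    return [a for a in answers
            if not any(ipaddress.ip_address(a) in net for net in EXPECTED_NETWORKS)]


def resolve(hostname: str) -> list[str]:
    """Resolve through the system resolver, i.e. the path an attacker who
    poisoned the ISP's or customer's DNS servers controls. Needs network access."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def scheme_downgraded(final_url: str, expected_scheme: str = "https") -> bool:
    """True when a page that should be HTTPS was delivered over something else."""
    scheme = final_url.split("://", 1)[0].lower() if "://" in final_url else ""
    return scheme != expected_scheme


def suspicious_comments(html: str) -> list[str]:
    """HTML comments suggesting the page was copied from another site."""
    comments = (c.strip() for c in re.findall(r"<!--(.*?)-->", html, re.S))
    return [c for c in comments if any(p.search(c) for p in COPIED_PAGE_MARKERS)]


def assess(answers: Iterable[str], final_url: str, html: str) -> dict:
    """Combine the three signals; any one of them is reason not to log in."""
    report = {
        "unexpected_ips": unexpected_addresses(answers),
        "http_only": scheme_downgraded(final_url),
        "copied_markers": suspicious_comments(html),
    }
    report["hijack_suspected"] = bool(
        report["unexpected_ips"] or report["http_only"] or report["copied_markers"])
    return report


if __name__ == "__main__":
    # Constructed answer: the name resolves to an address outside the bank's ranges.
    poisoned_answer = ["198.51.100.7"]
    print(assess(poisoned_answer, "http://www.bank.example/login", SAMPLE_HTML))
```

The resolver check is only as good as the source of EXPECTED_NETWORKS: the poisoned resolver is exactly the component that cannot be trusted, so the known-good ranges (or a second answer to compare against) have to come from somewhere the attacker does not control. The HTTP-versus-HTTPS check is the one ordinary users can perform themselves, and it is the one that exposed this particular copy.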
According to the researchers, the phishing page is still online, but the hijacked DNS servers have been cleaned up. The site now presents less of a danger, but users could still be lured to it by a well-crafted spam campaign.