Oh, that's bad. Shows how critical DNS control is. They had control for some time because they used it to generate Let's Encrypt certs well ahead of the switch.<p>Nice pitch for Google's cloud service in there though:<p><i>"the attackers were able to change the registration simultaneously for all of the bank’s domains, redirecting them to servers the attackers had set up on Google’s Cloud Platform"</i><p>They knew switching all the bank's DNS records would bring an unpredictable load, so they went cloud for their phishing sites. Heh.
Based on their description of the bank, it appears to have been Banrisul: <a href="https://en.wikipedia.org/wiki/Banrisul" rel="nofollow">https://en.wikipedia.org/wiki/Banrisul</a><p>It checks all these marks:<p><i>"the firm says it’s a major Brazilian financial company with hundreds of branches, operations in the US and the Cayman Islands, 5 million customers, and more than $27 billion in assets"</i>
Question: can banks defend themselves when the DNS attack is client-side?<p>I am from Brazil, and many, MANY, MAAAANY times I saw my bank's webpage being slightly off, and I noticed it was fake; every single time, after tracking down the problem, it was some DNS interception. For example, once it was a virus on my PC, another time a virus on my router, another time someone used a bug in my modem to change its DNS configuration without knowing the password, another time the local ISP got hacked and their DNS servers were polluted with fake IPs for all major banks.<p>So, can the bank somehow defend itself from that? (Not that they care... from what I've seen so far, banks just tell the customer that he lost the money due to his own fault...)
This is what Public Key Pinning is designed to mitigate: you send hashes of your certificate chain with responses, and the browser will disallow subsequent requests for the same domain if the hashes don't match.<p>Banks should probably be using this. Though none of my 3 banks do, or even use HSTS.<p><a href="https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning" rel="nofollow">https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning</a><p><a href="https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" rel="nofollow">https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security</a>
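As an added example, not part of the comment above and not any browser's real code, here is a small Python model of the client-side check that HPKP (RFC 7469) specifies. Note that the pin is a SHA-256 over the DER SubjectPublicKeyInfo of a key in the chain, not over the certificate itself, which is what lets a bank rotate certificates without changing pins, and that a browser only honours a Public-Key-Pins header if at least one pin matches the served chain and at least one (the backup) does not. The keys (Ed25519 SPKI blobs with made-up key bytes), the hostname bank.example and the header values are all constructed for the example. Caveat for anyone reading this today: Chrome and Firefox have since removed HPKP support entirely, so in practice the pinning this models is now available only inside your own apps, not in the browser.

```python
import base64
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Set

# Standard DER prefix of a SubjectPublicKeyInfo for an Ed25519 key (RFC 8410):
# SEQUENCE { AlgorithmIdentifier { OID 1.3.101.112 }, BIT STRING (32 bytes) }.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def spki(raw_key: bytes) -> bytes:
    """Wrap 32 raw key bytes in an Ed25519 SubjectPublicKeyInfo (constructed keys)."""
    assert len(raw_key) == 32
    return _ED25519_SPKI_PREFIX + raw_key


# Constructed example keys: the bank's live key, its offline backup key, and
# the key in a certificate an attacker obtained after hijacking the bank's DNS.
BANK_LEAF_SPKI = spki(b"\x01" * 32)
BANK_BACKUP_SPKI = spki(b"\x02" * 32)
ATTACKER_SPKI = spki(b"\xaa" * 32)


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def hpkp_header(pins: List[str], max_age: int, include_subdomains: bool = False) -> str:
    """Build the Public-Key-Pins header value a server would send."""
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
_MAX_AGE_RE = re.compile(r"max-age=(\d+)")


def parse_hpkp(header: str) -> Optional[dict]:
    """Parse the directives we need; a header without max-age is invalid."""
    m = _MAX_AGE_RE.search(header)
    if m is None:
        return None
    return {
        "pins": set(_PIN_RE.findall(header)),
        "max_age": int(m.group(1)),
        "include_subdomains": "includesubdomains" in header.lower(),
    }


class PinStore:
    """Per-host pin memory, as a browser would keep between visits."""

    def __init__(self) -> None:
        self.hosts: Dict[str, dict] = {}

    def note(self, host: str, header: str, chain_spkis: Iterable[bytes]) -> bool:
        """Apply a header seen on a successfully validated connection.
        Honoured only if one pin matches the served chain and one does not
        (the backup pin rule), otherwise the header is ignored. Returns whether
        the header was accepted."""
        parsed = parse_hpkp(header)
        if parsed is None:
            return False
        chain_pins = {pin_sha256(s) for s in chain_spkis}
        if not (parsed["pins"] & chain_pins):   # nothing matches what was served
            return False
        if not (parsed["pins"] - chain_pins):   # no backup pin present
            return False
        if parsed["max_age"] == 0:              # max-age=0 clears the pin
            self.hosts.pop(host, None)
            return True
        self.hosts[host] = parsed
        return True

    def _pins_for(self, host: str) -> Optional[Set[str]]:
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is not None and (i == 0 or entry["include_subdomains"]):
                return entry["pins"]
        return None

    def check(self, host: str, chain_spkis: Iterable[bytes]) -> bool:
        """True if the connection may proceed: host is unpinned (trust on first
        use) or some key in the presented chain matches a remembered pin."""
        pins = self._pins_for(host)
        if pins is None:
            return True
        return any(pin_sha256(s) in pins for s in chain_spkis)


def demo() -> bool:
    """Legitimate visit sets pins; a DNS hijack serving the attacker's cert is refused."""
    store = PinStore()
    header = hpkp_header([pin_sha256(BANK_LEAF_SPKI), pin_sha256(BANK_BACKUP_SPKI)],
                         max_age=5184000, include_subdomains=True)
    store.note("bank.example", header, [BANK_LEAF_SPKI])
    return store.check("bank.example", [BANK_LEAF_SPKI]) and \
        not store.check("bank.example", [ATTACKER_SPKI])
```

The important property, and the answer to the "would it have helped" question in this thread, is that a valid Let's Encrypt certificate issued to the attacker does not satisfy `check()`: the pin is on the bank's own public key, which the attacker never had, so the browser refuses the connection outright instead of showing the phishing page. The cost is the backup-pin discipline: lose both keys and you have locked your own customers out for max-age.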
Could certificate pinning have mitigated the damage? Although service would have been denied until the DNS was back under control, that's better than leaking credentials and cards and security questions and account balances.
Instead of cert key pinning, as it's easy to obtain an SSL cert (with LE), couldn't we imagine that, as banks do own EV certificates, the browser remembers them?<p>In case the browser sees a new non-EV certificate on a site that was previously EV-certed, it then throws an error/warning?