The Latest in IT Security

Brazilian bank targeted by phishing site and DNS poisoning


Santander, a well-known banking site, has often been the target of phishers. In fact, Santander UK often makes the top-10 list of most popular targets according to Phishtank. Last week, we found a phishing site for the Brazilian branch,, that was receiving traffic from a DNS cache poisoning attack.

The phishing site hosted on looks identical to the original site. The attackers have replicated the entire login process in order to gather the login, password, and security code of the bank users.

Santander Brazil phishing site

Original Santander Brazil home page

The DNS poisoning made this attack much more effective. The hijacked DNS servers were resolving to (phishing site) instead of or (legitimate sites). In such a situation, phsishers do not need to blast e-mails to random Brazilian e-mail accounts. They just need to wait for the Santander customers to login into their bank account, when accessing the site via the poisoned DNS servers.

DNS poisoning also renders virtually all browser phishing defenses useless. Google Safe Browsing (Firefox, Safari, Chrome, etc.) and Phishtank (Opera, etc.) both rely on a blacklist, which is a list of URLs or domains to block. It can be very hard for the user to realize that this is a phishing site because it looks exactly like the real site, and the URL shows the correct domain.

In this attack, there were only 2 oddities that an advanced users could spot. First, the phishing site did not support HTTPS traffic. Advanced users should know that credentials should be sent over secure HTTPS sessions only and banking sites always redirect to HTTPS enabled pages when the user must log in. The second clue is in the source of the page: the last line, an HTML comment, shows that the page was copied from the original site:

Last few liens of the HTML code of the phishing site

A week later, the phishing site is still up. it is not blocked by Phishtank or Google Safe Browsing. However, the hijacked DNS servers have been cleaned up, making this site a lot less dangerous.

— Julien

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments