Major Brazilian cellular telecom provider Vivo under attack
Popular Brazilian websites under attack. Again.
This time the target was Vivo (http://www.vivo.com.br), and the attack was reported by Miguel Di Ciurcio Filho, a security researcher at the Institute of Computing, Campinas State University – Unicamp (site, personal).
- \WINDOWS\system32\drivers\etc\hosts changed to redirect traffic for popular Brazilian banks:
  220.127.116.11 santander.com.br
  18.104.22.168 www.santander.com.br
  22.214.171.124 itau.com.br
  126.96.36.199 www.itau.com.br
  188.8.131.52 www.itau.com
  184.108.40.206 itau.com
  220.127.116.11 itaupersonnalite.com.br
  18.104.22.168 www.itaupersonnalite.com.br
  22.214.171.124 www.bradesco.com.br
  126.96.36.199 bradesco.com.br
  188.8.131.52 www.bradesco.com
  184.108.40.206 bradesco.com
  220.127.116.11 www.bradescoempresa.com.br
  18.104.22.168 bradescoempresa.com.br
  22.214.171.124 www.bradescoprime.com.br
  126.96.36.199 bradescoprime.com.br
  188.8.131.52 bradescocartoes.com.br
  184.108.40.206 www.bradescocartoes.com.br
  220.127.116.11 www.nossacaixa.com.br
  18.104.22.168 nossacaixa.com.br
- Java applet (.JAR) disguised as a JPEG file (MD5: 3d4756a74d76d7b3004604c6b30e23f5)
- Server files (/etc/hosts, /etc/passwd) could be read via specially crafted URLs. This is part of the problem.
- Virustotal analysis: logo_top.jpg, laa.class
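Two of the indicators above are cheap to check on an endpoint or in a triage script: a hosts file that maps bank hostnames to non-loopback addresses, and a file served as an image that is really a ZIP archive (a JAR is a ZIP). The following is an added example, not code from the post or from the researcher; the sample hosts content and byte strings are constructed here, the redirect addresses are the ones quoted above, and the watch list of bank domains is a hypothetical defender-maintained set.

```python
import ipaddress

# Constructed sample in the shape of the tampered hosts file described in the post.
# The two loopback lines are ordinary defaults; the rest mirror the pharming entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
220.127.116.11 santander.com.br
18.104.22.168 www.santander.com.br
22.214.171.124 itau.com.br
126.96.36.199 www.bradesco.com.br
10.0.0.5 intranet.example   # constructed: a legitimate-looking internal override
"""

# Hypothetical watch list: domains a defender never expects to see in a hosts file.
WATCHED_DOMAINS = {"santander.com.br", "itau.com.br", "bradesco.com.br", "nossacaixa.com.br"}

# Constructed byte samples: a JAR/ZIP local-file header vs. a real JPEG (SOI + APP0/JFIF).
FAKE_JPEG_SAMPLE = b"PK\x03\x04\x14\x00\x08\x08\x08\x00" + b"\x00" * 20
REAL_JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 20


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address; ignore the line
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def is_watched(hostname):
    """True if hostname is a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious(text):
    """Flag every non-loopback mapping; watched bank domains are 'high', anything else is 'review'."""
    findings = []
    for ip, name in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback:
            continue  # 127.0.0.1 / ::1 entries are the normal content of a hosts file
        severity = "high" if is_watched(name) else "review"
        findings.append({"ip": ip, "hostname": name, "severity": severity})
    return findings


def looks_like_jar_not_jpeg(blob):
    """True when data served as a JPEG starts with a ZIP local-file header instead of a JPEG SOI marker."""
    return blob[:4] == b"PK\x03\x04" and blob[:3] != b"\xff\xd8\xff"


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f"[{f['severity']}] {f['hostname']} -> {f['ip']}")
    print("logo_top.jpg-style sample is a JAR:", looks_like_jar_not_jpeg(FAKE_JPEG_SAMPLE))
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`) into `find_suspicious`; a "review" finding is usually an administrator's override, while a "high" finding on a bank domain is the pharming pattern this post describes. The magic-byte check does not need a signature database: it only asks whether the content matches the type the filename and Content-Type claim.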
A simple but effective attack. According to a script on another vulnerable website used in this attack, thousands of users were infected.