Major Brazilian cellular telecom provider Vivo under attack
Popular Brazilian websites under attack. Again.
This time the target was Vivo (http://www.vivo.com.br), and the attack was reported by Miguel Di Ciurcio Filho, a security researcher at the Institute of Computing, Campinas State University (Unicamp).
- The Windows hosts file (\WINDOWS\system32\drivers\etc\hosts) was modified to map the domains of popular Brazilian banks to attacker-controlled addresses. Entries in that file take precedence over DNS, so the victim's browser connects to the attacker's host even when the bank's real address is typed in. The entries added (addresses as shown in the report):
  184.108.40.206 santander.com.br
  220.127.116.11 www.santander.com.br
  18.104.22.168 itau.com.br
  22.214.171.124 www.itau.com.br
  126.96.36.199 www.itau.com
  188.8.131.52 itau.com
  184.108.40.206 itaupersonnalite.com.br
  220.127.116.11 www.itaupersonnalite.com.br
  18.104.22.168 www.bradesco.com.br
  22.214.171.124 bradesco.com.br
  126.96.36.199 www.bradesco.com
  188.8.131.52 bradesco.com
  184.108.40.206 www.bradescoempresa.com.br
  220.127.116.11 bradescoempresa.com.br
  18.104.22.168 www.bradescoprime.com.br
  22.214.171.124 bradescoprime.com.br
  126.96.36.199 bradescocartoes.com.br
  188.8.131.52 www.bradescocartoes.com.br
  184.108.40.206 www.nossacaixa.com.br
  220.127.116.11 nossacaixa.com.br
- A Java applet (.JAR) disguised as a JPEG file (MD5: 3d4756a74d76d7b3004604c6b30e23f5).
- The Vivo web server itself let files such as /etc/hosts and /etc/passwd be read via specially crafted URLs, a file-disclosure weakness that was part of the problem.
- VirusTotal analyses of the disguised JAR (logo_top.jpg) and the applet class (laa.class).
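A clean Windows hosts file carries little more than loopback entries, so any bank domain in it is suspect. The following is an added example (my code, not from the post or the researcher's report) that parses a hosts file and reports every watched bank domain, or subdomain of one, mapped to a routable address; the watch list and the sample hosts content are constructed from the entries quoted above, and loopback mappings are ignored because they are a common, legitimate way of blocking a site.

```python
"""
Added example (not from the original post): scan a Windows hosts file for
entries that silently redirect bank domains to attacker-controlled addresses,
as in the Vivo incident described above.
"""
import ipaddress

# Domains worth watching. Taken from the hosts entries quoted in the post;
# extend it with whatever your users actually bank with.
WATCHED_DOMAINS = {
    "santander.com.br", "itau.com.br", "itau.com", "itaupersonnalite.com.br",
    "bradesco.com.br", "bradesco.com", "bradescoempresa.com.br",
    "bradescoprime.com.br", "bradescocartoes.com.br", "nossacaixa.com.br",
}

# Constructed sample of an infected hosts file: the localhost lines Windows
# ships with, plus three of the malicious mappings from the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
184.108.40.206 santander.com.br
220.127.116.11 www.santander.com.br   # trailing comment, still parsed
18.104.22.168 itau.com.br
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file.
    Comments and blank lines are skipped; one IP may carry several names."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a usable mapping
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return [(line_no, ip, hostname)] for watched domains mapped to a
    routable address. Loopback/unspecified targets are not reported."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        hits.append((line_no, str(ip), name))
    return hits


if __name__ == "__main__":
    import pathlib
    import sys

    # Default to the Windows path from the post; pass another path to override.
    # Falls back to the constructed sample when the file is not present.
    path = pathlib.Path(sys.argv[1]) if len(sys.argv) > 1 else pathlib.Path(
        r"C:\WINDOWS\system32\drivers\etc\hosts")
    text = path.read_text(errors="replace") if path.exists() else SAMPLE_HOSTS
    for line_no, ip, name in find_hijacks(text):
        print(f"line {line_no}: {name} -> {ip}  (possible bank hijack)")
```

Run it on a suspect machine as `python hosts_check.py` (or with an explicit path); it matches subdomains too, so `www.bradesco.com.br` is caught by the `bradesco.com.br` entry. The watch-list approach is deliberately narrow; a broader rule for fleet-wide triage is simply to alert on any hosts entry whose target is not loopback.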
A simple but effective attack. Judging by a script on another compromised website used in the same attack, thousands of users were infected.
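The JAR-as-JPEG trick in the list above works because the Java plugin loads whatever the applet's archive attribute points at as a ZIP archive, whatever its name or Content-Type. An added example (mine, not the post's, and not the real sample) that does the same check from the defender's side: sniff the leading bytes of a file that was served as an image and, when they are really a ZIP/JAR local-file header, list the archive and flag the class files inside. The file and class names (logo_top.jpg, laa.class) come from the post; the archive contents are constructed stand-ins.

```python
"""
Added example (not from the original post): tell a JAR from the JPEG it
pretends to be by inspecting bytes rather than the extension, then list what
the archive carries. Names come from the post; contents are constructed.
"""
import io
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"   # SOI marker every JPEG starts with
ZIP_MAGIC = b"PK\x03\x04"      # local-file header; a JAR is a ZIP archive

# Constructed JPEG header (SOI + APP0/JFIF), enough for the sniffer.
REAL_JPEG_PREFIX = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"


def build_fake_jpeg_jar():
    """Constructed sample: a minimal JAR to be named like the post's image.
    The class entry is the 0xCAFEBABE magic plus filler, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("laa.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
    return buf.getvalue()


def sniff(data):
    """Classify by leading bytes; the extension is whatever the server says."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def inspect_fake_image(filename, data):
    """Triage a file that was served as an image. 'mismatch' is True when the
    name claims an image but the bytes are a ZIP/JAR; 'classes' lists the
    Java class files found, which is what turns a picture into code."""
    kind = sniff(data)
    report = {"filename": filename, "kind": kind, "mismatch": False,
              "entries": [], "classes": []}
    looks_like_image = filename.lower().endswith((".jpg", ".jpeg", ".gif", ".png"))
    if kind == "zip":
        report["mismatch"] = looks_like_image
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["entries"] = zf.namelist()
            report["classes"] = [n for n in zf.namelist() if n.endswith(".class")]
    return report


if __name__ == "__main__":
    for name, blob in (("logo_top.jpg", build_fake_jpeg_jar()),
                       ("real.jpg", REAL_JPEG_PREFIX)):
        r = inspect_fake_image(name, blob)
        print(f"{name}: {r['kind']}, mismatch={r['mismatch']}, classes={r['classes']}")
```

The same test belongs in a web proxy or a server-side upload filter: an `image/*` response or upload whose body starts with `PK` is not an image, and in this case it carried an applet class that the browser would happily execute.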