The attackers tried to redirect traffic destined for the payment processing companies to servers under their control in order to steal data.
The payment processing companies targeted by the attackers were Datawire, Vantiv, and Mercury.
The first attack, observed on July 6, 2018, at 23:37:18 UTC, targeted the Vantiv and Datawire payment processing companies and lasted for a short time. The attackers tried to redirect the following prefixes:
> 188.8.131.52/24 Savvis
> 184.108.40.206/24 Vantiv, LLC
> 220.127.116.11/24 Vantiv, LLC
> 18.104.22.168/24 Q9 Networks Inc.
> 22.214.171.124/24 Q9 Networks Inc.
Then, at 22:17:37 UTC on 10 July 2018, a second attack was observed attempting to reroute the same prefixes; it lasted for 30 minutes.
The same day, another attack was conducted at 23:37:47 UTC for about 15 minutes, but to a larger set of peers: 48 peers instead of the 3 peers in the previous hour.
Researchers observed traffic being routed out of Luhansk in eastern Ukraine to IP address space registered in the Dutch Caribbean island of Curaçao.
The attackers conducted similar attacks throughout July, including one attack on Mercury Payment Systems and another attack on the Vantiv and Datawire payment companies which lasted for 3 hours.
Earlier in April 2018, a similar attack was conducted against Amazon’s authoritative DNS service in order to redirect users of MyEtherWallet to a fake website and steal their money.
The fake website was located in Germany and was also routed out of Luhansk in eastern Ukraine. These similarities indicate that both BGP hijacking attacks may be related.
“If previous hijacks were shots across the bow, these incidents show the Internet infrastructure is now taking direct hits. Unfortunately, there is no reason not to expect to see more of these types of attacks against the Internet,” Oracle said in its blog post.