The Federal Reserve Bank of St. Louis has confirmed that hackers attacked its website in April, causing users to be redirected to rogue web pages set up by the attackers.
According to the Krebs on Security blog, which first reported the hack earlier this week, the cybercrooks were apparently trying to hijack online communications of banks and other entities that deal with the regional Fed office.
The St. Louis Fed said in a notification to users of its online economic data and analysis tools that it had been made aware of the hack on April 24.
According to the notification, the hackers manipulated routing settings at a domain name service vendor used by the St. Louis Fed so they could automatically redirect some of the bank’s web traffic that day to web pages they created to simulate the look of the bank’s research.stlouisfed.org website.
“As is common with these kinds of DNS attacks, users who were redirected to one of these phony websites may have been unknowingly exposed to vulnerabilities that the hackers may have put there, such as phishing, malware, and access to usernames and passwords,” the St. Louis Fed said.
The bank advised individuals who have active user accounts for the affected tools to make sure that the next time they log into their user accounts, they will be asked to change their passwords.
“In addition, in the event that your username and password are the same or similar as those you use for other websites, we highly recommend that you follow best practices and use a strong, unique, and different password for each of your user accounts on the Internet,” the bank cautioned.
The hack was a “great way to phish the passwords and email addresses of bankers and currency traders,” Dave Jevans, the chairman of the Anti-Phishing Working Group, told The New York Times on Tuesday. “Since people reuse passwords, this is a ready font of juicy data to attack all users of the Fed’s data.”
The attackers may also have been able to compromise the security for some or all of the sites that rely on the security of the domain name registrar, the NYT said.