by tyingq 3362 days ago
Oh, that's bad. Shows how critical DNS control is. They had control for some time because they used it to generate Let's Encrypt certs well ahead of the switch.

Nice pitch for Google's cloud service in there though:

"the attackers were able to change the registration simultaneously for all of the bank’s domains, redirecting them to servers the attackers had set up on Google’s Cloud Platform"

They knew switching all the bank's DNS records would bring an unpredictable load, so they went cloud for their phishing sites. Heh.


I don't know where they got the information about the certificate being issued 5 months prior to the attack, but that's not what Certificate Transparency shows. Here's the certificate that was issued on the day of the attack[1]. Let's Encrypt hasn't issued any certificates prior to that[2].

Another fun fact: It took them about a month to revoke the certificate in question. They didn't even bother revoking a second certificate[3] (valid for a subdomain). Heh, at least this will make a good example when discussing the pros of short-lived certificates.

[1]: https://crt.sh/?id=47675898

[2]: https://crt.sh/?Identity=%25.banrisul.com.br&iCAID=16418

[3]: https://crt.sh/?id=47630635
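The two checks the comment above performs by hand, as an added example that is not part of the thread: asking whether a given CA had issued for an identity before a cutoff date, and measuring how long a certificate stayed usable after the attacker obtained it, with and without revocation and with a shorter validity period. The records are constructed in the shape of crt.sh's JSON search output (assumed field names), using a placeholder domain and made-up dates; the issuer id 16418 is the Let's Encrypt CA id from the crt.sh link above.

```python
from datetime import datetime, timedelta

# Constructed records in the shape of crt.sh JSON search output (assumed
# fields: id, issuer_ca_id, name_value, not_before, not_after). The domain
# and dates are made up; 16418 is the CA id from the crt.sh link above.
CT_RECORDS = [
    {"id": 1001, "issuer_ca_id": 16418, "name_value": "www.example-bank.test",
     "not_before": "2017-04-06T12:00:00", "not_after": "2017-07-05T12:00:00"},
    {"id": 1002, "issuer_ca_id": 16418, "name_value": "login.example-bank.test",
     "not_before": "2017-04-06T13:30:00", "not_after": "2017-07-05T13:30:00"},
    {"id": 900, "issuer_ca_id": 12345, "name_value": "www.example-bank.test",
     "not_before": "2016-11-01T00:00:00", "not_after": "2018-11-01T00:00:00"},
]

# Constructed moment at which the attacker is assumed to hold the first cert.
ATTACK_TIME = datetime(2017, 4, 6, 12, 0)


def _ts(s):
    """crt.sh timestamps carry no timezone; treat them as naive UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def issued_by_before(records, issuer_ca_id, cutoff):
    """Ids of certificates from one CA whose not_before precedes cutoff.
    An empty list means that CA had not issued for this identity before then."""
    return sorted(r["id"] for r in records
                  if r["issuer_ca_id"] == issuer_ca_id and _ts(r["not_before"]) < cutoff)


def misuse_window_days(record, seized_at, revoked_at=None):
    """Days a certificate stays usable from seized_at until it expires or is
    revoked, whichever comes first (revocation only helps if clients check it)."""
    end = _ts(record["not_after"])
    if revoked_at is not None and revoked_at < end:
        end = revoked_at
    return max((end - seized_at).total_seconds() / 86400, 0.0)


def window_with_lifetime(record, seized_at, lifetime_days, revoked_at=None):
    """Same window if the CA had capped validity at lifetime_days instead."""
    short = dict(record)
    capped = _ts(record["not_before"]) + timedelta(days=lifetime_days)
    short["not_after"] = capped.strftime("%Y-%m-%dT%H:%M:%S")
    return misuse_window_days(short, seized_at, revoked_at)


if __name__ == "__main__":
    revoked = ATTACK_TIME + timedelta(days=30)   # revoked about a month later
    print("LE certs before attack:", issued_by_before(CT_RECORDS, 16418, ATTACK_TIME))
    print("90-day cert, never revoked:", misuse_window_days(CT_RECORDS[0], ATTACK_TIME))
    print("90-day cert, revoked at +30d:", misuse_window_days(CT_RECORDS[0], ATTACK_TIME, revoked))
    print("7-day cert, no revocation:", window_with_lifetime(CT_RECORDS[0], ATTACK_TIME, 7))
```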