Menu
Attack hijacks DNS settings on home routers in Brazil

Attack hijacks DNS settings on home routers in Brazil

Attackers use cross-site request forgery techniques to change router settings when users visit malicious websites

An ongoing attack in Brazil tricks users into visiting malicious websites that attempt to silently change the Domain Name System settings of their home routers.

If the attack is successful, the routers are reconfigured to use rogue DNS servers that redirect victims to phishing pages when they open banking sites, said Fabio Assolini, a security researcher at Kaspersky Lab, in a blog post Tuesday.

The attack starts with spam emails that tell recipients they're being cheated and asks them to click on a link. The link leads to an adult content website that in the background forces browsers to load specifically crafted URLs.

Those URLs point to local network IP addresses commonly assigned to home routers and contain default router credentials like admin:admin, root:root and admin:gvt12345. They are crafted to change DNS servers via a script called dsncfg.cgi that's part of the Web-based administration interface of DSL modems and routers provided by some Brazilian ISPs (Internet service providers) to customers.

The gvt12345 password suggests that routers used by customers of a Brazilian ISP called GVT are among those targeted in the attack.

"We found Brazilian bad guys actively using 5 domains and 9 DNS servers, all of them hosting phishing pages for the biggest Brazilian banks," Assolini said.

Web-based attacks that force browsers to execute unauthorized actions on behalf of the user on third-party sites are known as cross-site request forgery (CSRF). The technique works against many routers even if their owner has blocked access to the router Web interface from the Internet and in some cases, even if they changed the router's default password.

In October 2013, a security researcher named Jakob Lell reported a CSRF attack that was targeting some TP-Link router models. The URL used in that attack contained the admin:admin credentials and had been crafted to change their DNS settings.

"Even if a username/password combination is given in the URL, the browser will ignore the credentials from the URL and still try the saved credentials or no authentication first," Lell said in a blog post at the time. "Only if this results in an HTTP 401 (Unauthorized) status code, the browser resends the request with the credentials from the URL."

This means that a CSRF attack also works when the default router password has been changed but the user saved the new password inside the browser or hasn't logged out from the router interface.

Researchers from security firm Independent Security Evaluators analyzed 10 popular SOHO wireless router models in 2013 and found that most of them were vulnerable to Web-based attacks like cross-site scripting, CSRF, directory traversal and command injection.

"The majority of routers we evaluated contained several Cross-Site Request Forgery vulnerabilities," the researchers said in their report at the time. "We were able to leverage these vulnerabilities to add administrative user accounts, change passwords, or enable various management services. "

Security researchers have warned about the risks of CSRF flaws on routers for a long time, but attackers have started to exploit such flaws in large-scale attacks only in the past couple of years.

In March, Internet security research organization Team Cymru reported that over 300,000 home routers had been compromised and had their DNS settings changed in a global attack campaign. One of the techniques used was likely CSRF, the researchers said at the time.

In 2011 and 2012 attackers exploited a vulnerability to change the DNS settings of more than 4.5 million DSL modems in Brazil, Assolini said. However, this Web-based CSRF technique is new to Brazilian attackers "and we believe it will spread quickly amongst them as the number of victims increases," he said.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Team CymruintrusionsecurityExploits / vulnerabilitiesIndependent Security Evaluatorskaspersky labfraud

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments