Menu
Attack hijacks DNS settings on home routers in Brazil

Attack hijacks DNS settings on home routers in Brazil

Attackers use cross-site request forgery techniques to change router settings when users visit malicious websites

An ongoing attack in Brazil tricks users into visiting malicious websites that attempt to silently change the Domain Name System settings of their home routers.

If the attack is successful, the routers are reconfigured to use rogue DNS servers that redirect victims to phishing pages when they open banking sites, said Fabio Assolini, a security researcher at Kaspersky Lab, in a blog post Tuesday.

The attack starts with spam emails that tell recipients they're being cheated and asks them to click on a link. The link leads to an adult content website that in the background forces browsers to load specifically crafted URLs.

Those URLs point to local network IP addresses commonly assigned to home routers and contain default router credentials like admin:admin, root:root and admin:gvt12345. They are crafted to change DNS servers via a script called dsncfg.cgi that's part of the Web-based administration interface of DSL modems and routers provided by some Brazilian ISPs (Internet service providers) to customers.

The gvt12345 password suggests that routers used by customers of a Brazilian ISP called GVT are among those targeted in the attack.

"We found Brazilian bad guys actively using 5 domains and 9 DNS servers, all of them hosting phishing pages for the biggest Brazilian banks," Assolini said.

Web-based attacks that force browsers to execute unauthorized actions on behalf of the user on third-party sites are known as cross-site request forgery (CSRF). The technique works against many routers even if their owner has blocked access to the router Web interface from the Internet and in some cases, even if they changed the router's default password.

In October 2013, a security researcher named Jakob Lell reported a CSRF attack that was targeting some TP-Link router models. The URL used in that attack contained the admin:admin credentials and had been crafted to change their DNS settings.

"Even if a username/password combination is given in the URL, the browser will ignore the credentials from the URL and still try the saved credentials or no authentication first," Lell said in a blog post at the time. "Only if this results in an HTTP 401 (Unauthorized) status code, the browser resends the request with the credentials from the URL."

This means that a CSRF attack also works when the default router password has been changed but the user saved the new password inside the browser or hasn't logged out from the router interface.

Researchers from security firm Independent Security Evaluators analyzed 10 popular SOHO wireless router models in 2013 and found that most of them were vulnerable to Web-based attacks like cross-site scripting, CSRF, directory traversal and command injection.

"The majority of routers we evaluated contained several Cross-Site Request Forgery vulnerabilities," the researchers said in their report at the time. "We were able to leverage these vulnerabilities to add administrative user accounts, change passwords, or enable various management services. "

Security researchers have warned about the risks of CSRF flaws on routers for a long time, but attackers have started to exploit such flaws in large-scale attacks only in the past couple of years.

In March, Internet security research organization Team Cymru reported that over 300,000 home routers had been compromised and had their DNS settings changed in a global attack campaign. One of the techniques used was likely CSRF, the researchers said at the time.

In 2011 and 2012 attackers exploited a vulnerability to change the DNS settings of more than 4.5 million DSL modems in Brazil, Assolini said. However, this Web-based CSRF technique is new to Brazilian attackers "and we believe it will spread quickly amongst them as the number of victims increases," he said.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Team CymruintrusionsecurityExploits / vulnerabilitiesIndependent Security Evaluatorskaspersky labfraud

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments