Attack hijacks DNS settings on home routers in Brazil

Attackers use cross-site request forgery techniques to change router settings when users visit malicious websites

An ongoing attack in Brazil tricks users into visiting malicious websites that attempt to silently change the Domain Name System settings of their home routers.

If the attack is successful, the routers are reconfigured to use rogue DNS servers that redirect victims to phishing pages when they open banking sites, said Fabio Assolini, a security researcher at Kaspersky Lab, in a blog post Tuesday.

The attack starts with spam emails that tell recipients they're being cheated and asks them to click on a link. The link leads to an adult content website that in the background forces browsers to load specifically crafted URLs.

Those URLs point to local network IP addresses commonly assigned to home routers and contain default router credentials like admin:admin, root:root and admin:gvt12345. They are crafted to change DNS servers via a script called dsncfg.cgi that's part of the Web-based administration interface of DSL modems and routers provided by some Brazilian ISPs (Internet service providers) to customers.

The gvt12345 password suggests that routers used by customers of a Brazilian ISP called GVT are among those targeted in the attack.

"We found Brazilian bad guys actively using 5 domains and 9 DNS servers, all of them hosting phishing pages for the biggest Brazilian banks," Assolini said.

Web-based attacks that force browsers to execute unauthorized actions on behalf of the user on third-party sites are known as cross-site request forgery (CSRF). The technique works against many routers even if their owner has blocked access to the router Web interface from the Internet and in some cases, even if they changed the router's default password.

In October 2013, a security researcher named Jakob Lell reported a CSRF attack that was targeting some TP-Link router models. The URL used in that attack contained the admin:admin credentials and had been crafted to change their DNS settings.

"Even if a username/password combination is given in the URL, the browser will ignore the credentials from the URL and still try the saved credentials or no authentication first," Lell said in a blog post at the time. "Only if this results in an HTTP 401 (Unauthorized) status code, the browser resends the request with the credentials from the URL."

This means that a CSRF attack also works when the default router password has been changed but the user saved the new password inside the browser or hasn't logged out from the router interface.

Researchers from security firm Independent Security Evaluators analyzed 10 popular SOHO wireless router models in 2013 and found that most of them were vulnerable to Web-based attacks like cross-site scripting, CSRF, directory traversal and command injection.

"The majority of routers we evaluated contained several Cross-Site Request Forgery vulnerabilities," the researchers said in their report at the time. "We were able to leverage these vulnerabilities to add administrative user accounts, change passwords, or enable various management services. "

Security researchers have warned about the risks of CSRF flaws on routers for a long time, but attackers have started to exploit such flaws in large-scale attacks only in the past couple of years.

In March, Internet security research organization Team Cymru reported that over 300,000 home routers had been compromised and had their DNS settings changed in a global attack campaign. One of the techniques used was likely CSRF, the researchers said at the time.

In 2011 and 2012 attackers exploited a vulnerability to change the DNS settings of more than 4.5 million DSL modems in Brazil, Assolini said. However, this Web-based CSRF technique is new to Brazilian attackers "and we believe it will spread quickly amongst them as the number of victims increases," he said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityfraudintrusionkaspersky labExploits / vulnerabilitiesIndependent Security EvaluatorsTeam Cymru

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?