Attack hijacks DNS settings on home routers in Brazil

Attackers use cross-site request forgery techniques to change router settings when users visit malicious websites

An ongoing attack in Brazil tricks users into visiting malicious websites that attempt to silently change the Domain Name System settings of their home routers.

If the attack is successful, the routers are reconfigured to use rogue DNS servers that redirect victims to phishing pages when they open banking sites, said Fabio Assolini, a security researcher at Kaspersky Lab, in a blog post Tuesday.

The attack starts with spam emails that tell recipients they're being cheated and asks them to click on a link. The link leads to an adult content website that in the background forces browsers to load specifically crafted URLs.

Those URLs point to local network IP addresses commonly assigned to home routers and contain default router credentials like admin:admin, root:root and admin:gvt12345. They are crafted to change DNS servers via a script called dsncfg.cgi that's part of the Web-based administration interface of DSL modems and routers provided by some Brazilian ISPs (Internet service providers) to customers.

The gvt12345 password suggests that routers used by customers of a Brazilian ISP called GVT are among those targeted in the attack.

"We found Brazilian bad guys actively using 5 domains and 9 DNS servers, all of them hosting phishing pages for the biggest Brazilian banks," Assolini said.

Web-based attacks that force browsers to execute unauthorized actions on behalf of the user on third-party sites are known as cross-site request forgery (CSRF). The technique works against many routers even if their owner has blocked access to the router Web interface from the Internet and in some cases, even if they changed the router's default password.

In October 2013, a security researcher named Jakob Lell reported a CSRF attack that was targeting some TP-Link router models. The URL used in that attack contained the admin:admin credentials and had been crafted to change their DNS settings.

"Even if a username/password combination is given in the URL, the browser will ignore the credentials from the URL and still try the saved credentials or no authentication first," Lell said in a blog post at the time. "Only if this results in an HTTP 401 (Unauthorized) status code, the browser resends the request with the credentials from the URL."

This means that a CSRF attack also works when the default router password has been changed but the user saved the new password inside the browser or hasn't logged out from the router interface.

Researchers from security firm Independent Security Evaluators analyzed 10 popular SOHO wireless router models in 2013 and found that most of them were vulnerable to Web-based attacks like cross-site scripting, CSRF, directory traversal and command injection.

"The majority of routers we evaluated contained several Cross-Site Request Forgery vulnerabilities," the researchers said in their report at the time. "We were able to leverage these vulnerabilities to add administrative user accounts, change passwords, or enable various management services. "

Security researchers have warned about the risks of CSRF flaws on routers for a long time, but attackers have started to exploit such flaws in large-scale attacks only in the past couple of years.

In March, Internet security research organization Team Cymru reported that over 300,000 home routers had been compromised and had their DNS settings changed in a global attack campaign. One of the techniques used was likely CSRF, the researchers said at the time.

In 2011 and 2012 attackers exploited a vulnerability to change the DNS settings of more than 4.5 million DSL modems in Brazil, Assolini said. However, this Web-based CSRF technique is new to Brazilian attackers "and we believe it will spread quickly amongst them as the number of victims increases," he said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags fraudintrusionkaspersky labExploits / vulnerabilitiesIndependent Security EvaluatorsTeam Cymru

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?