
Attackers Use Phishing Emails, Exploits to Hijack Routers

Cybercriminals have been hijacking the Internet connections of users in Brazil by modifying Domain Name System (DNS) settings in their routers, researchers at Proofpoint reported on Thursday.


These types of operations, known as pharming attacks, are designed to lure victims to fake websites, which usually mimic the ones of banks, in an effort to steal credentials and other sensitive information.

Pharming attacks can be highly effective because in many cases they are difficult to spot. By modifying the router’s DNS settings, the attacker ensures that users land on a bogus site even when they type the legitimate domain name into the browser’s address bar; nothing in the URL looks wrong. DNS is usually hijacked through network-based attacks, but this campaign shows that phishing emails can be just as effective a delivery vehicle.

Proofpoint started monitoring the operation in mid-December. According to the researchers, the attack began with a spam email purporting to come from one of Brazil’s largest telecommunications companies. Over a four-week period, the security firm observed a small spam run in which fewer than 100 emails were sent, mainly to Brazilian users and organizations.

The phishing emails contained links that pointed to a webpage hosting malicious iframes. These iframes were designed to exploit cross-site request forgery (CSRF) vulnerabilities in TP-Link and UTStarcom home routers, specifically models distributed by the telecoms firm whose name was abused. The malicious code attempted to reach the device’s administration interface at common gateway IP addresses and to authenticate with known default passwords; because the requests originate from the victim’s browser inside the home network, the router’s LAN-only management interface offers no protection.

Once a login succeeded, the address of the router’s primary DNS server was changed to the IP of a malicious DNS server. Attacks of this type against Brazilian users were documented in September 2014 by researchers at Kaspersky. However, it appears the cybercriminals have since refined their technique.

Previously, the attackers modified both the primary and secondary DNS records. In the more recent attacks, they changed only the primary DNS to their malicious server and set the secondary DNS to 8.8.8.8, Google’s public resolver. That way, DNS queries from compromised devices still resolve if the malicious server becomes unavailable, so victims are less likely to notice an outage and become suspicious, Proofpoint researchers noted.

Pharming attacks of this kind are effective because the attackers do not need to compromise a public DNS server: they simply run their own. When a victim tries to access one of the targeted websites, the query is answered by the rogue resolver and the browser is sent to a malicious page under the attacker’s control; queries for other domains can be answered truthfully so that nothing else appears broken.
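The settings change described above leaves a recognisable footprint on the router: a primary resolver that belongs to neither the ISP nor a well-known public service, paired with a public secondary. The following audit script is an added example, not Proofpoint’s or the article’s code; the ISP resolver addresses, the sample router settings and the DNS answer sets it checks are constructed for illustration.

```python
"""Audit a SOHO router's DNS servers for the pharming pattern described in the article.

Added example; the ISP resolver set, sample router settings and DNS answers are
constructed for illustration and are not data from the Proofpoint report.
"""
import ipaddress

# Public resolvers an attacker may set as the "clean" secondary; 8.8.8.8 is the
# one the campaign used. The list is an assumption, extend it for your environment.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "208.67.222.222"}

# RFC 1918 ranges: a router that hands clients its own LAN address (and forwards
# upstream itself) is normal and should not be flagged by this check alone.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_resolver(ip, isp_resolvers):
    """Return 'isp', 'public', 'lan' or 'unknown' for one configured resolver address."""
    addr = ipaddress.ip_address(ip)
    if ip in isp_resolvers:
        return "isp"
    if ip in PUBLIC_RESOLVERS:
        return "public"
    if any(addr in net for net in LAN_NETWORKS):
        return "lan"
    return "unknown"


def audit_dns_settings(primary, secondary, isp_resolvers):
    """Flag the configurations the article describes.

    - rogue primary + public secondary: the newer campaign (fallback hides outages)
    - rogue primary + rogue secondary: the older campaign documented by Kaspersky
    """
    p = classify_resolver(primary, isp_resolvers)
    s = classify_resolver(secondary, isp_resolvers) if secondary else "none"
    findings = []
    if p == "unknown":
        findings.append(f"primary resolver {primary} is neither the ISP's, a known public resolver, nor on the LAN")
        if s == "public":
            findings.append("rogue primary with public secondary: matches the newer campaign pattern")
        elif s == "unknown":
            findings.append("both resolvers unexpected: matches the older campaign pattern")
    return {"primary": p, "secondary": s, "suspicious": p == "unknown", "findings": findings}


def find_diverging_domains(configured_answers, reference_answers):
    """Second, independent check: resolve watched domains through the router's resolver
    and through a trusted one, then report domains where the router returns an address
    the trusted resolver never does. Both arguments map domain -> set of IPv4 strings.
    """
    diverging = []
    for domain, answers in configured_answers.items():
        if answers - reference_answers.get(domain, set()):
            diverging.append(domain)
    return sorted(diverging)


if __name__ == "__main__":
    ISP_RESOLVERS = {"200.10.0.1", "200.10.0.2"}  # assumed ISP resolvers, constructed
    # Constructed router settings: compromised (rogue primary, Google secondary) and clean.
    print(audit_dns_settings("203.0.113.7", "8.8.8.8", ISP_RESOLVERS))
    print(audit_dns_settings("200.10.0.1", "200.10.0.2", ISP_RESOLVERS))
    # Constructed answer sets: the router's resolver sends the bank to a different host.
    via_router = {"bank.example": {"198.51.100.9"}, "news.example": {"192.0.2.20"}}
    via_trusted = {"bank.example": {"192.0.2.10"}, "news.example": {"192.0.2.20"}}
    print(find_diverging_domains(via_router, via_trusted))
```

The two checks are deliberately independent: the first needs only the router’s configuration page (or the DHCP lease a client received), the second needs no access to the router at all and will also catch a resolver that lies only for a handful of high-value domains.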


“[Man-in-the-middle attacks] could be used to intercept and tamper with email communications, web sites, logins and passwords and other confidential or sensitive information, software downloads, hijack search results, redirect to a TDS and malware, and other malicious actions,” Proofpoint explained in a blog post.

Home routers are often targeted by malicious hackers because many of the devices are plagued by serious vulnerabilities. A good example is the recently discovered Misfortune Cookie bug which exposes millions of SOHO routers.

In March 2014, Team Cymru reported spotting a campaign in which a threat group hijacked the DNS settings of roughly 300,000 small office/home office (SOHO) routers by exploiting various vulnerabilities.

Another recently highlighted problem is that hundreds of thousands of devices share the same SSH host keys. Using Shodan, the search engine for Internet-connected devices, researchers discovered nearly 250,000 devices with identical keys deployed by Spain-based telecoms firm Telefonica de Espana. A different duplicate SSH fingerprint was found on 200,000 devices, and another on 150,000 devices. A host key that is shared across a fleet offers no assurance about which device a client is talking to, and its private half extracted from any one unit can be used to impersonate all of them.
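Shared host keys are easy to detect once you have collected them, whether from a Shodan export or from your own scan of customer-premises equipment. The script below is an added example, not code from the researchers cited above; it computes OpenSSH-style SHA256 fingerprints and groups hosts that present the same key. The known_hosts-style records it processes are constructed, with placeholder key blobs rather than real device keys.

```python
"""Find SSH host keys shared by more than one device, as in the Shodan findings above.

Added example; the known_hosts-style sample records and their key blobs are constructed
placeholders, not keys from any real device.
"""
import base64
import hashlib
from collections import defaultdict


def ssh_fingerprint(b64_key):
    """OpenSSH 'SHA256:' fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    raw = base64.b64decode(b64_key)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Yield (host, key_type, base64_key) from known_hosts-style lines, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed record; a real scan export would log this
        yield parts[0], parts[1], parts[2]


def find_shared_host_keys(text, min_hosts=2):
    """Return {fingerprint: sorted hosts} for every key seen on at least min_hosts hosts."""
    hosts_by_fp = defaultdict(set)
    for host, _key_type, key in parse_known_hosts(text):
        hosts_by_fp[ssh_fingerprint(key)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) >= min_hosts}


def _fake_key(seed):
    """Constructed placeholder shaped like an ssh-rsa blob (length-prefixed type string
    followed by filler bytes). It is NOT a valid or real key; it only needs to be stable
    per seed so that identical seeds yield identical fingerprints."""
    blob = b"\x00\x00\x00\x07ssh-rsa" + seed.to_bytes(4, "big") * 8
    return base64.b64encode(blob).decode()


# Constructed sample: three CPE devices from one deployment share a key, a fourth is unique.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample records, hostnames and keys are placeholders",
    f"cpe-01.isp.example ssh-rsa {_fake_key(1)}",
    f"cpe-02.isp.example ssh-rsa {_fake_key(1)}",
    f"cpe-03.isp.example ssh-rsa {_fake_key(1)}",
    f"cpe-04.isp.example ssh-rsa {_fake_key(2)}",
    "broken-record-without-key ssh-rsa",
])


if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{fp} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

To run this against real data, feed it the output of `ssh-keyscan` over your address ranges (its output is already in known_hosts format); the fingerprints it prints match what `ssh-keygen -lf` reports, so hits can be cross-checked against vendor advisories directly.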

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
