Attackers Use Phishing Emails, Exploits to Hijack Routers

Cybercriminals have been hijacking the Internet connections of users in Brazil by modifying Domain Name System (DNS) settings in their routers, researchers at Proofpoint reported on Thursday.

These types of operations, known as pharming attacks, are designed to lure victims to fake websites, which usually mimic those of banks, in an effort to steal credentials and other sensitive information.

Pharming attacks can be highly efficient because in many cases they are difficult to spot. By modifying the router’s DNS settings, the attacker ensures that users are taken to a bogus site when they type in the domain name of the legitimate website in the Web browser’s address bar. Usually, the DNS is hijacked in network-based attacks, but a recent campaign shows that phishing emails can be just as effective.

Proofpoint started monitoring the operation back in mid-December. According to researchers, the attack began with a spam email apparently coming from one of Brazil’s largest telecommunication companies. Over a four-week period, the security firm observed a small spam run in which fewer than 100 emails were sent, mainly to Brazilian users and organizations.

The phishing emails contained links that pointed to a webpage hosting malicious iframes. These iframes were designed to exploit cross-site request forgery (CSRF) vulnerabilities in TP-Link and UTStarcom home routers, specifically models distributed by the telecoms firm whose name was abused. The malicious code brute forced the device’s administrator login page by trying out common IP addresses and known default passwords.

Once the administration page had been hacked, the IP for the router’s primary DNS server was changed to the IP of a malicious DNS. These types of attacks against Brazilian users were documented in September 2014 by researchers at Kaspersky. However, it appears the cybercriminals have stepped up their game.

Previously, the attackers modified both the primary and secondary DNS records. In the more recent attacks, they only changed the primary DNS to their malicious server, and they set the secondary DNS to 8.8.8.8, which is Google’s public DNS. This way, DNS requests from compromised devices still resolve properly if the malicious server becomes unavailable, and victims are less likely to become suspicious, Proofpoint researchers noted.

These types of pharming attacks can be efficient because the malicious actors don’t have to worry about taking over a public DNS. When victims try to access one of the websites targeted by the cybercrooks, the request is processed by the rogue DNS server and they are taken to a malicious page controlled by the attacker.
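For defenders, the two DNS patterns described above can be checked for when auditing router configurations. The following is an added example, not code from Proofpoint or the article; the router names, the approved resolver range and all addresses other than 8.8.8.8 are constructed (documentation ranges), and the verdict labels are hypothetical.

```python
import ipaddress

# Well-known public resolvers; 8.8.8.8 is the one named in the article.
PUBLIC = {ipaddress.ip_address(a) for a in ("8.8.8.8", "8.8.4.4")}

# Constructed sample data: ISP-approved resolver range and exported router settings.
APPROVED = ["192.0.2.0/28"]
FLEET = {
    "cpe-01": ("192.0.2.1", "192.0.2.2"),
    "cpe-02": ("203.0.113.66", "8.8.8.8"),
    "cpe-03": ("203.0.113.66", "203.0.113.67"),
    "cpe-04": ("8.8.8.8", "8.8.4.4"),
    "cpe-05": ("192.0.2.1", "not-an-ip"),
}


def audit_dns(primary, secondary, approved_cidrs):
    """Classify one router's primary/secondary DNS settings."""
    nets = [ipaddress.ip_network(c) for c in approved_cidrs]
    try:
        p = ipaddress.ip_address(primary)
        s = ipaddress.ip_address(secondary)
    except ValueError:
        return "invalid"  # malformed or empty entry: needs manual inspection

    def known(addr):
        # A resolver is "known" if the ISP approved it or it is a public one.
        return addr in PUBLIC or any(addr in n for n in nets)

    if known(p) and known(s):
        return "ok"
    if not known(p):
        if s in PUBLIC:
            # Newer pattern: unknown primary, public fallback keeps lookups working.
            return "unknown-primary-public-fallback"
        if not known(s):
            return "both-unknown"  # older pattern: both records replaced
        return "unknown-primary"
    return "unknown-secondary"


def audit_fleet(fleet, approved_cidrs):
    """Return only the routers whose DNS settings need attention."""
    verdicts = {n: audit_dns(p, s, approved_cidrs) for n, (p, s) in fleet.items()}
    return {n: v for n, v in verdicts.items() if v != "ok"}


if __name__ == "__main__":
    for name, verdict in audit_fleet(FLEET, APPROVED).items():
        print(name, verdict)
```

A router whose owner deliberately chose a public resolver for both fields is reported as ok; only an unrecognized primary triggers the fallback verdict.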

“[Man-in-the-middle attacks] could be used to intercept and tamper with email communications, web sites, logins and passwords and other confidential or sensitive information, software downloads, hijack search results, redirect to a TDS and malware, and other malicious actions,” Proofpoint explained in a blog post.

Home routers are often targeted by malicious hackers because many of the devices are plagued by serious vulnerabilities. A good example is the recently discovered Misfortune Cookie bug, which exposes millions of SOHO routers.

In March 2014, Team Cymru reported spotting a campaign in which a threat group hijacked the DNS settings of roughly 300,000 small office and home (SOHO) routers by exploiting various vulnerabilities.

Another recently highlighted problem is that hundreds of thousands of devices can have the same SSH keys. Using Shodan, the search engine for Internet-connected devices, researchers discovered nearly 250,000 devices with identical keys deployed by Spain-based telecoms firm Telefonica de Espana. A different duplicate SSH fingerprint has been found on 200,000 devices, and another one on 150,000 devices.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.