Attackers Use Phishing Emails, Exploits to Hijack Routers

Cybercriminals have been hijacking the Internet connections of users in Brazil by modifying Domain Name System (DNS) settings in their routers, researchers at Proofpoint reported on Thursday.

These types of operations, known as pharming attacks, are designed to lure victims to fake websites, which usually mimic the ones of banks, in an effort to steal credentials and other sensitive information.

Pharming attacks can be highly efficient because in many cases they are difficult to spot. By modifying the router’s DNS settings, the attacker ensures that users are taken to a bogus site when they type in the domain name of the legitimate website in the Web browser’s address bar. Usually, the DNS is hijacked in network-based attacks, but a recent campaign shows that phishing emails can be just as effective.

Proofpoint started monitoring the operation back in mid-December. According to researchers, the attack began with a spam email apparently coming from one of Brazil’s largest telecommunication companies. Over a four-week period, the security firm observed a small spam run in which fewer than 100 emails had been sent out, mainly to Brazilian users and organizations.

The phishing emails contained links that pointed to a webpage hosting malicious iframes. These iframes were designed to exploit cross-site request forgery (CSRF) vulnerabilities in TP-Link and UTStarcom home routers, specifically models distributed by the telecoms firm whose name was abused. The malicious code brute-forced the device’s administrator login page by trying out common IP addresses and known default passwords.

Once the administration page had been hacked, the IP for the router’s primary DNS server was changed to the IP of a malicious DNS server. These types of attacks against Brazilian users were documented in September 2014 by researchers at Kaspersky. However, it appears the cybercriminals have stepped up their game.

Previously, the attackers modified both the primary and secondary DNS records. In the more recent attacks, they changed only the primary DNS to their malicious server and set the secondary DNS to Google’s public DNS. By doing so, DNS requests from compromised devices still resolve properly if the malicious server becomes unavailable, which makes it less likely that victims become suspicious, Proofpoint researchers noted.

These types of pharming attacks can be efficient because the malicious actors don’t have to worry about taking over a public DNS. When victims try to access one of the websites targeted by the cybercrooks, the request is processed by the rogue DNS server and they are taken to a malicious page controlled by the attacker.
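As an added example (not from the article or from Proofpoint's research), the following Python check classifies router DNS settings collected from a CPE inventory and flags the two hijack patterns described above: both resolvers replaced, and a rogue primary paired with a well-known public resolver as secondary. The trusted-resolver list, the public-resolver list and the sample records are constructed assumptions for this illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Resolvers the ISP legitimately configures on its routers (constructed
# assumption; 198.51.100.0/24 is a documentation range).
TRUSTED_RESOLVERS = {"198.51.100.10", "198.51.100.11"}

# Well-known public resolvers. The campaign above used Google's public DNS as
# the secondary so lookups keep working when the rogue primary is down.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


class DnsConfig(NamedTuple):
    device: str
    primary: str
    secondary: Optional[str]


def is_known(server: Optional[str]) -> bool:
    """True for an unset server or one on the trusted/public lists."""
    if server is None:
        return True
    try:
        ipaddress.ip_address(server)
    except ValueError:
        return False  # garbage in the field is never 'known'
    return server in TRUSTED_RESOLVERS or server in PUBLIC_RESOLVERS


def classify(cfg: DnsConfig) -> str:
    """hijacked_both: both resolvers replaced (older pattern); hijacked_stealth:
    rogue primary + public secondary (newer pattern); clean; or review."""
    primary_known = is_known(cfg.primary)
    secondary_known = is_known(cfg.secondary)
    if not primary_known and cfg.secondary is not None and not secondary_known:
        return "hijacked_both"
    if not primary_known and cfg.secondary in PUBLIC_RESOLVERS:
        return "hijacked_stealth"
    if cfg.primary in TRUSTED_RESOLVERS and secondary_known:
        return "clean"
    return "review"


# Constructed sample, as a CPE inventory export might provide it.
SAMPLE = [
    DnsConfig("cpe-01", "198.51.100.10", "198.51.100.11"),
    DnsConfig("cpe-02", "203.0.113.5", "8.8.8.8"),      # rogue + Google fallback
    DnsConfig("cpe-03", "203.0.113.5", "203.0.113.6"),  # both replaced
    DnsConfig("cpe-04", "198.51.100.10", "192.0.2.77"),
]

if __name__ == "__main__":
    print({c.device: classify(c) for c in SAMPLE})
```

A "review" verdict covers configurations that match neither hijack pattern but still deviate from the expected resolvers, such as a trusted primary with an unrecognised secondary.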

“[Man-in-the-middle attacks] could be used to intercept and tamper with email communications, web sites, logins and passwords and other confidential or sensitive information, software downloads, hijack search results, redirect to a TDS and malware, and other malicious actions,” Proofpoint explained in a blog post.

Home routers are often targeted by malicious hackers because many of the devices are plagued by serious vulnerabilities. A good example is the recently discovered Misfortune Cookie bug which exposes millions of SOHO routers.

In March 2014, Team Cymru reported spotting a campaign in which a threat group hijacked the DNS settings of roughly 300,000 small office and home (SOHO) routers by exploiting various vulnerabilities.

Another recently highlighted problem is that hundreds of thousands of devices can have the same SSH keys. Using Shodan, the search engine for Internet-connected devices, researchers discovered nearly 250,000 devices with identical keys deployed by Spain-based telecoms firm Telefonica de Espana. A different duplicate SSH fingerprint has been found on 200,000 devices, and another one on 150,000 devices.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
