Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Ongoing DNS Hijacking Campaign Targets Gmail, PayPal, Netflix Users

A DNS hijacking campaign that has been ongoing for the past three months is targeting the users of popular online services, including Gmail, PayPal, and Netflix. 

A DNS hijacking campaign that has been ongoing for the past three months is targeting the users of popular online services, including Gmail, PayPal, and Netflix. 

As part of the campaign, the attackers compromised consumer routers to modify their DNS settings and redirect users to rogue websites to steal their login credentials. 

Bad Packets security researchers, who have been following the attacks since December, have identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.

“All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169),” the researchers reveal

The first DNS hijacking exploit targeted D-Link DSL modems such as D-Link DSL-2640B, DSL-2740R, DSL-2780B, and DSL-526B. The rogue DNS server used in this attack was hosted by OVH Canada (IP address 

A second wave targeted the same types of D-Link modems, but the rogue DNS server had a different IP address, (also hosted by OVH Canada). 

Most of the “DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082),” the security researchers say. 

A third wave of attacks targeted a larger number of consumer router models, including ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.

The attacks came from three distinct Google Cloud Platform hosts and two rogue DNS servers were used, both hosted in Russia by Inoventica Services ( and 

In all attacks, the operators performed an initial recon scan using Masscan to check for active hosts on port 81/TCP, and only then launched the DNS hijacking exploits.

The campaign was meant to take the users of Gmail, PayPal, Netflix, Uber, and several Brazilian banks to rogue domains and trick them into revealing their usernames and passwords, Stefan Tanase, Principal Security Researcher at Ixia, says

The security researchers found over 16,500 vulnerable routers potentially exposed to this DNS hijacking campaign. 

“Establishing a definitive total of vulnerable devices would require us to employ the same tactics used by the threat actors in this campaign,” Bad Packets says. 

The attackers abused Google’s Cloud platform for these attacks mainly because it is easy for everyone with a Google account to access a “Google Cloud Shell,” a service that provides users “with the equivalent of a Linux VPS with root privileges directly in a web browser,” the researchers explain. 

UPDATE. A Google Cloud spokesperson has provided SecurityWeek the following statement: We have suspended the fraudulent accounts in question and are working through established protocols to identify any new ones that emerge. We have processes in place to detect and remove accounts that violate our terms of service and acceptable use policy, and we take action on accounts when we detect abuse, including suspending the accounts in question. These incidents highlight the importance of practicing good security hygiene, including patching router firmware once a fix becomes available.

Related: Attackers Change DNS Settings of DrayTek Routers

Related: ‘MaMi’ Mac Malware Hijacks DNS Settings

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...