A DNS hijacking campaign that has been ongoing for the past three months is targeting the users of popular online services, including Gmail, PayPal, and Netflix.
As part of the campaign, the attackers compromised consumer routers to modify their DNS settings and redirect users to rogue websites to steal their login credentials.
Bad Packets security researchers, who have been following the attacks since December, have identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.
“All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169),” the researchers reveal.
The first DNS hijacking exploit targeted D-Link DSL modems such as D-Link DSL-2640B, DSL-2740R, DSL-2780B, and DSL-526B. The rogue DNS server used in this attack was hosted by OVH Canada (IP address 22.214.171.124).
A second wave targeted the same types of D-Link modems, but the rogue DNS server had a different IP address, 126.96.36.199 (also hosted by OVH Canada).
Most of the “DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082),” the security researchers say.
A third wave of attacks targeted a larger number of consumer router models, including ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.
The attacks came from three distinct Google Cloud Platform hosts and used two rogue DNS servers, both hosted in Russia by Inoventica Services (188.8.131.52 and 184.108.40.206).
In all attacks, the operators performed an initial recon scan using Masscan to check for active hosts on port 81/TCP, and only then launched the DNS hijacking exploits.
The campaign was meant to take the users of Gmail, PayPal, Netflix, Uber, and several Brazilian banks to rogue domains and trick them into revealing their usernames and passwords, Stefan Tanase, Principal Security Researcher at Ixia, says.
The security researchers found over 16,500 vulnerable routers potentially exposed to this DNS hijacking campaign.
“Establishing a definitive total of vulnerable devices would require us to employ the same tactics used by the threat actors in this campaign,” Bad Packets says.
The attackers abused Google’s Cloud platform for these attacks mainly because it is easy for anyone with a Google account to access a “Google Cloud Shell,” a service that provides users “with the equivalent of a Linux VPS with root privileges directly in a web browser,” the researchers explain.
UPDATE. A Google Cloud spokesperson has provided SecurityWeek the following statement:
“We have suspended the fraudulent accounts in question and are working through established protocols to identify any new ones that emerge. We have processes in place to detect and remove accounts that violate our terms of service and acceptable use policy, and we take action on accounts when we detect abuse, including suspending the accounts in question. These incidents highlight the importance of practicing good security hygiene, including patching router firmware once a fix becomes available.”