Attack hijacks DNS settings on home routers in Brazil
An ongoing attack in Brazil tricks users into visiting malicious websites that attempt to silently change the Domain Name System settings of their home routers.
If the attack is successful, the routers are reconfigured to use rogue DNS servers that redirect victims to phishing pages when they open banking sites, said Fabio Assolini, a security researcher at Kaspersky Lab, in a blog post Tuesday.
The attack starts with spam emails that tell recipients they’re being cheated and asks them to click on a link. The link leads to an adult content website that in the background forces browsers to load specifically crafted URLs.
Those URLs point to local network IP addresses commonly assigned to home routers and contain default router credentials like admin:admin, root:root and admin:gvt12345. They are crafted to change DNS servers via a script called dsncfg.cgi that’s part of the Web-based administration interface of DSL modems and routers provided by some Brazilian ISPs (Internet service providers) to customers.
The gvt12345 password suggests that routers used by customers of a Brazilian ISP called GVT are among those targeted in the attack.
“We found Brazilian bad guys actively using 5 domains and 9 DNS servers, all of them hosting phishing pages for the biggest Brazilian banks,” Assolini said.
Web-based attacks that force browsers to execute unauthorized actions on behalf of the user on third-party sites are known as cross-site request forgery (CSRF). The technique works against many routers even if their owner has blocked access to the router Web interface from the Internet and in some cases, even if they changed the router’s default password.
In October 2013, a security researcher named Jakob Lell reported a CSRF attack that was targeting some TP-Link router models. The URL used in that attack contained the admin:admin credentials and had been crafted to change their DNS settings.
“Even if a username/password combination is given in the URL, the browser will ignore the credentials from the URL and still try the saved credentials or no authentication first,” Lell said in a blog post at the time. “Only if this results in an HTTP 401 (Unauthorized) status code, the browser resends the request with the credentials from the URL.”
This means that a CSRF attack also works when the default router password has been changed but the user saved the new password inside the browser or hasn’t logged out from the router interface.
Researchers from security firm Independent Security Evaluators analyzed 10 popular SOHO wireless router models in 2013 and found that most of them were vulnerable to Web-based attacks like cross-site scripting, CSRF, directory traversal and command injection.
“The majority of routers we evaluated contained several Cross-Site Request Forgery vulnerabilities,” the researchers said in their report at the time. “We were able to leverage these vulnerabilities to add administrative user accounts, change passwords, or enable various management services. “
Security researchers have warned about the risks of CSRF flaws on routers for a long time, but attackers have started to exploit such flaws in large-scale attacks only in the past couple of years.
In March, Internet security research organization Team Cymru reported that over 300,000 home routers had been compromised and had their DNS settings changed in a global attack campaign. One of the techniques used was likely CSRF, the researchers said at the time.
In 2011 and 2012 attackers exploited a vulnerability to change the DNS settings of more than 4.5 million DSL modems in Brazil, Assolini said. However, this Web-based CSRF technique is new to Brazilian attackers “and we believe it will spread quickly amongst them as the number of victims increases,” he said.