The attackers changed the DNS settings for 180,000 routers: how to protect against an attack?

In recent months, Avast specialists have recorded more than 4.6 million drive-by attacks on Brazilian users’ routers, and about 180,000 of them succeeded: the attackers managed to change the DNS settings of the devices.

Attacks on the routers of Brazilian users began in the summer of 2018; experts from Radware and from the Chinese firm Qihoo 360 were the first to discover them.

The modified DNS settings were used to redirect victims to malicious sites every time they used the online banking services of a number of Brazilian banks.

Later, the campaign expanded, and the attackers began to fake Netflix, Google and PayPal sites as well, replacing them with phishing pages.

“By changing the DNS server and accessing some of the targeted domains, we can see that on the fake page, the webservers are unsecured, running on HTTP instead of HTTPS,” writes Security Research Engineer Mihai Vasilescu.

Now Avast analysts have warned that the attacks are still continuing, and their complexity and scale are only increasing.

According to the researchers, the majority of routers are compromised while their owners visit sites with streaming video (sports resources, adult portals, and so on). Such sites often carry malicious ads that identify the IP address of the victim’s router as well as its model. A search for default credentials then begins.

Although such attacks usually take some time, most users do not even notice them, as they are busy watching videos.

If the attack succeeds and working credentials are found, the malware delivered by the malicious advertisement changes the DNS settings of the device by writing the addresses of DNS servers controlled by the attackers into the router’s configuration. The following devices are the main targets:

  • TP-Link TL-WR340G
  • TP-Link WR1043ND
  • D-Link DSL-2740R
  • D-Link DIR 905L
  • A-Link WL54AP3 / WL54AP2
  • Medialink MWN-WAPR300
  • Motorola SBG6580
  • Realtron
  • GWR-120
  • Secutech RiS-11/RiS-22/RiS-33

As a result, attackers are able to intercept and redirect users’ traffic to phishing clone sites, show victims advertisements that bring profit to the malware operators (DNSChanger has previously used similar tactics), and even inject cryptojacking scripts into the traffic.

According to Avast, several dedicated tools are currently used in such attacks: GhostDNS (discovered and described by Radware and Qihoo 360 last year), as well as its variant called Novidade, which appeared in February. In addition, in mid-April, researchers found the SonarDNS exploit kit, built on the basis of the SONAR JS framework.

Researchers note that in February alone Novidade tried to infect users’ routers more than 2.6 million times and was used in three active campaigns. SonarDNS, in turn, has also been seen in at least three campaigns, and its behavior is currently very similar to that of GhostDNS.

Recommendation and mitigation:

To prevent a DNS hijack attack, or to protect yourself if you have been infected, we recommend doing the following:

  • Update your router’s firmware to the latest version.
  • Change your login credentials, especially for your online banking services and router, using strong passwords!
  • Make sure to check if your banking website has a valid certificate, by looking for the padlock in the URL address bar of your browser.
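A hijack of the kind described above (the router’s DNS settings rewritten to point at attacker-controlled servers) shows up as the router handing out different answers from those a trusted resolver gives. The following script is an added example, not code from the article or from Avast: it sends a plain DNS A query directly to the router (assumed here to be the LAN gateway at 192.168.0.1, a placeholder you should replace with your own) and to a well-known public resolver, and compares the two answer sets. The query builder and answer parser are written against the standard DNS wire format (RFC 1035) using only the Python standard library.

```python
import random
import socket
import struct
import sys

# Assumptions for this example: the router answers DNS on the LAN gateway address,
# and the public resolver below is reachable and considered trustworthy.
ROUTER_DNS_PLACEHOLDER = "192.168.0.1"   # placeholder: replace with your gateway
TRUSTED_RESOLVER = "1.1.1.1"


def build_query(name, qid):
    """Build a minimal DNS A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data):
    """Collect the IPv4 addresses in the answer section; CNAME and other types are skipped."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addrs.add(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlength
    return addrs


def resolve_a(name, resolver, timeout=3.0):
    """Query a single resolver over UDP/53 and return the A records it hands back."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("response id does not match the query")
    return parse_a_records(data)


def compare_answers(router_answer, trusted_answer):
    """Classify the two answer sets: any shared address counts as consistent."""
    if not router_answer or not trusted_answer:
        return "inconclusive"
    if router_answer & trusted_answer:
        return "consistent"
    return "MISMATCH"


def check_domain(name, router_dns, trusted_dns=TRUSTED_RESOLVER):
    """Resolve one name through both resolvers and return the verdict plus raw answers."""
    router_answer = resolve_a(name, router_dns)
    trusted_answer = resolve_a(name, trusted_dns)
    return compare_answers(router_answer, trusted_answer), router_answer, trusted_answer


if __name__ == "__main__":
    router = sys.argv[1] if len(sys.argv) > 1 else ROUTER_DNS_PLACEHOLDER
    for host in sys.argv[2:] or ["www.example.com"]:
        verdict, via_router, via_trusted = check_domain(host, router)
        print(f"{host}: {verdict}  router={sorted(via_router)}  trusted={sorted(via_trusted)}")
```

Run it as `python3 dnscheck.py <gateway-ip> <bank-domain> ...` from a machine on the LAN. A `MISMATCH` for a bank or payment domain is a strong signal that the router’s upstream resolvers have been changed and should be followed up with the firmware and credential steps above; a mismatch for a large CDN-fronted site can also be an ordinary geographic difference, so confirm by checking the site’s certificate in the browser as the last recommendation suggests.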

About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.
