Experts at Kaspersky spotted an interesting attack from Brazilian criminals that try to change the DNS settings of home routers by using a web-based attack.

Experts at Kaspersky Lab have uncovered a hacking campaign conducted by Brazilian threat actors which is targeting home routers by using a web-based attack. The hackers are adopting different techniques, including social engineering and malicious websites, to change the DNS settings of home routers. The malicious DNS settings allow attackers to redirect victims to bogus websites designed to steal banking credentials of Brazilian Banks clients.

” In these attacks the malicious DNS servers configured in the user’s network device are pointed towards phishing pages of Brazilian Banks, programmed to steal financial credentials.” states the expert Fabio Assolini in a blog post published on Securelist.

Similar attacks are not new in Brazil, as described by experts at KasperskyLab, from 2011 to 2012 network devices, including home routers were targeted by remote attacks exploiting a remote vulnerability and changing DNS configurations that affected more than 4.5 million DSL modems. However, Fabio Assolini highlighted that this campaign is quite different from previous ones because the “web-based” approach of the Brazilian cyber criminals.

“But this “web-based” approach was something new to Brazilian bad guys until now and we believe it will spread quickly amongst them as the number of victims increases.” states the post.

The attack starts with a phishing mail which trick users into click on the link reporting the following link:

“I’m your friend and want to tell you you’re being cheated, look at the pics”

The website linked to the content of the email contains porn pictures that distract victims while a malicious script start running in background. As explained by the experts, depending on the user’s configuration, the website may not ask for wireless access point credentials and operate in stealth way.

If the victims don’t use default credentials for their home router the website will pop up a prompt asking to enter credentials manually.

b1

As reported in the last APWG report, phishing activities are even more sneaky and efficient, in the specific case nearly 3.300 clicks were registered in just 3 days, the majority of them from Brazilian (60%) and American (22%) users.

The script runs a brute-force attack on the user’s home router attempting to guess the right combination of username and password. In the following image is reported the attempt for the combination “admin:admin”:

b2

“The scripts will continue trying combinations that point to the control panel of your network device such as [your-router-IP].rebootinfo.cgi or [your-router-IP].dnscfg.cgi?.” “If you’re using default credentials in your home router, there won’t be an interaction and you’ll never realize that the attack has occurred. If you’re not using default credentials, then the website will pop up a prompt asking you to enter it manually.” 

The script aims to change the DNS settings of the victim’s home router, the Brazilian gang is using 9 DNS servers and 5 domains used to host phishing websites reproducing Brazilian banks. It is interesting to note that the websites filter direct access by using HTTP referrers to prevent access from security experts and law enforcement.

Users can protect their home router not using the default password and never entering device credentials into any website asking for them.

Pierluigi Paganini