DNS Hijacking targets Brazilian financial institutions
12.8.18 securityaffairs Hacking
Crooks are targeting D-Link DSL modem routers in Brazil to redirect users to fake bank websites by changing the DNS settings.
With this trick, cybercriminals steal login credentials for bank accounts, Radware researchers reported.
The attackers change the DNS settings so that the network devices point to DNS servers they control. In this campaign the experts observed crooks using two DNS servers, 69.162.89.185 and 198.50.222.136. The two DNS servers resolve the hostnames of Banco de Brasil (www.bb.com.br) and Itau Unibanco (www.itau.com.br) to bogus clones.
“The research center has been tracking malicious activity targeting DLink DSL modem routers in Brazil since June 8th. Via old exploits dating from 2015, a malicious agent is attempting to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious DNS server.” reads the analysis published by Radware.
“The malicious DNS server is hijacking requests for the hostname of Banco de Brasil (www.bb.com.br) and redirecting to a fake, cloned website hosted on the same malicious DNS server which has no connection whatsoever to the legitimate Banco de Brasil website.”
Hackers are using old exploits dating from 2015 that work on some models of D-Link DSL devices; they only have to search for vulnerable routers online and change their DNS settings.
The experts highlighted that the hijacking is performed without any user interaction.
“The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. A user can use any browser and his/her regular shortcuts, the user can type in the URL manually or even use it from mobile devices, such as a smart phone or tablet.” reads the alert published by Radware.
“The user will still be sent to the malicious website instead of to their requested website and the hijacking effectively works at the gateway level.”
Attackers carried out phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user’s browser. This kind of attack is not new; hackers have been using similar techniques since 2014. In 2016, an exploit tool known as RouterHunterBr 2.0 was published online and used the same malicious URLs, but Radware is not currently aware of abuse originating from this tool.
Radware has recorded several infection attempts using old D-Link DSL router exploits since June 12.
The malicious URL used in the campaign appears as:
Several exploits for multiple DSL routers, mostly D-Link, have been available online since February 2015:
Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change Exploit http://www.exploit-db.com/exploits/35995/
D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit http://www.exploit-db.com/exploits/35917/
D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit https://www.exploit-db.com/exploits/37237/
D-Link DSL-2780B DLink_1.01.14 – Unauthenticated Remote DNS Change https://www.exploit-db.com/exploits/37237/
D-Link DSL-2730B AU_2.01 – Authentication Bypass DNS Change https://www.exploit-db.com/exploits/37240/
D-Link DSL-526B ADSL2+ AU_2.01 – Unauthenticated Remote DNS Change https://www.exploit-db.com/exploits/37241/
Once the victims visit the fake websites, they will be asked for bank info, including agency number, account number, mobile phone number, card pin, eight-digit pin, and a CABB number.
The experts noticed that the phishing websites used in the campaign are flagged as not secure in the browser's address bar.
Radware reported the campaigns to the financial institutions targeted by the attacks, and the fake websites have since been taken offline.
“A convenient way for checking DNS servers used by your devices and router is through websites like http://www.whatsmydnsserver.com/.
Only modems and routers that were not updated in the last two years can be exploited. Updates will protect the owner of the device and also prevent devices being enslaved for use in DDoS attacks or used to conceal targeted attacks.” recommends Radware.
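A defender with DNS query logs can check for both signals the report describes: queries sent to the two rogue resolvers, and answers for the targeted bank hostnames that point back at the resolver itself. The following is an added example, not code from Radware or from the original article; the log layout, the `scan` function and the sample lines (which use documentation address ranges) are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

# Resolvers and hostnames named in the article.
ROGUE_RESOLVERS = {"69.162.89.185", "198.50.222.136"}
TARGET_HOSTS = {"www.bb.com.br", "www.itau.com.br"}

# Constructed sample. Assumed layout: "time client resolver qname answer".
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real bank IPs.
SAMPLE_LOG = """\
2018-08-10T09:00:01Z 192.168.1.10 198.51.100.53 www.bb.com.br 203.0.113.10
2018-08-10T09:00:05Z 192.168.1.11 69.162.89.185 WWW.BB.COM.BR. 69.162.89.185
2018-08-10T09:00:09Z 192.168.1.11 69.162.89.185 example.org 203.0.113.80
2018-08-10T09:00:12Z 192.168.1.12 198.51.100.99 www.itau.com.br 198.51.100.99
truncated line
2018-08-10T09:00:20Z 192.168.1.13 198.50.222.136 www.itau.com.br 198.50.222.136
"""

class Finding(NamedTuple):
    line_no: int
    client: str
    resolver: str
    qname: str
    reasons: tuple

def scan(log_text):
    """Return (findings, skipped_line_count) for a DNS log in the assumed layout."""
    findings, skipped = [], 0
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            _, client, resolver, qname, answer = line.split()
            resolver = str(ipaddress.ip_address(resolver))
            answer = str(ipaddress.ip_address(answer))
        except ValueError:  # wrong field count or an invalid IP address
            skipped += 1
            continue
        qname = qname.rstrip(".").lower()  # DNS names are case-insensitive
        reasons = []
        if resolver in ROGUE_RESOLVERS:
            reasons.append("known-rogue-resolver")
        # The report says the clone is hosted on the malicious DNS server itself,
        # so answer == resolver is a signal even for resolvers not on the list.
        if qname in TARGET_HOSTS and answer == resolver:
            reasons.append("bank-host-resolves-to-resolver")
        if reasons:
            findings.append(Finding(line_no, client, resolver, qname, tuple(reasons)))
    return findings, skipped

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG)[0]:
        print(finding)
```

Clients that appear in the findings are likely behind a router whose DNS settings were changed, so the router configuration is the place to check and correct.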