Cyber Criminals Targeted Router DNS Settings Flaw In Pharming Attack

Media Division | February 28, 2015

A new hacking technique has been discovered in Brazil in which cyber criminals exploited vulnerabilities in users' home routers to alter their DNS settings, divert the users to a malicious site and steal personal data.

The method, brought to attention by KrebsonSecurity, exploited security vulnerabilities in home routers to gain access to the admin console. The attackers then modified the router's Domain Name System (DNS) settings, diverting the unsuspecting victim to a fake website even when the correct website name is typed into the browser. This form of attack is known as pharming.

Pharming is normally not easy to execute, as it requires access to an organization's or an internet service provider's DNS servers. Those DNS systems are well secured in a typical setting, whereas the security of home routers is lax. According to the source, attackers used poisoned DNS servers to redirect requests for the IP addresses of websites, commonly financial ones, to a legitimate-looking but completely malicious site in order to steal the victim's banking credentials.

The attack method is largely passive in nature: it relies on waiting for a DNS lookup from a potentially vulnerable source to be routed to the compromised server. Not only do these attacks let cyber criminals divert victims to a site even when the address is typed correctly, they also allow adversaries to conduct man-in-the-middle attacks. Overall, this means that hackers can intercept logins and passwords for email accounts and websites, as well as search results.
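The redirection described above leaves two signals a user or administrator can check for: the router is handing out resolvers nobody configured, and the configured resolver's answers for sensitive hostnames disagree with those of a trusted resolver queried directly. The script below is an added example, not code from the article or from KrebsonSecurity; all resolver addresses and DNS answers in it are constructed sample data, and the `diverted_names` check is generalized to take any pair of resolver callables.

```python
"""Home-router DNS tampering check (added example; all data is constructed).

Two independent indicators of the pharming scenario:
  1. the resolvers the router advertises are not the ones the owner chose, and
  2. answers from the configured resolver for sensitive names share no address
     with answers from a trusted resolver queried directly.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample: DNS servers currently advertised by the router, as shown
# on its admin page or by `ipconfig /all`. 203.0.113.7 is a documentation-range
# address standing in for a rogue resolver.
ROUTER_DNS_SERVERS = ["203.0.113.7", "8.8.8.8"]

# Resolvers the owner deliberately configured: the router itself plus public ones.
EXPECTED_DNS_SERVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4", "1.1.1.1"}


def unexpected_resolvers(configured: Iterable[str], expected: Set[str]) -> List[str]:
    """Return resolvers the router hands out that are not on the allowlist.

    Any entry here is a strong sign that the DNS settings were changed.
    """
    unexpected = []
    for server in configured:
        ipaddress.ip_address(server)  # reject malformed entries early
        if server not in expected:
            unexpected.append(server)
    return unexpected


# Constructed sample answers. LOCAL is what the configured (possibly rogue)
# resolver returned; REFERENCE is what a trusted resolver returned when queried
# directly. Only the bank's name resolves to a different host locally.
LOCAL_ANSWERS = {
    "bank.example": ["198.51.100.20"],
    "mail.example": ["192.0.2.10", "192.0.2.11"],
    "news.example": ["192.0.2.30"],
}
REFERENCE_ANSWERS = {
    "bank.example": ["192.0.2.40"],
    "mail.example": ["192.0.2.11"],
    "news.example": ["192.0.2.30"],
}

Resolver = Callable[[str], List[str]]


def diverted_names(names: Iterable[str], local: Resolver, reference: Resolver) -> List[str]:
    """Names for which the local and trusted answers share no address at all.

    Overlap rather than equality is used because large sites legitimately
    return rotating address sets; total disagreement on a bank's hostname is
    the pharming signal.
    """
    diverted = []
    for name in names:
        local_set = set(local(name))
        reference_set = set(reference(name))
        if local_set and reference_set and local_set.isdisjoint(reference_set):
            diverted.append(name)
    return diverted


def dns_tamper_report() -> Dict[str, List[str]]:
    """Run both checks over the constructed sample data."""
    return {
        "unexpected_resolvers": unexpected_resolvers(ROUTER_DNS_SERVERS, EXPECTED_DNS_SERVERS),
        "diverted_names": diverted_names(
            LOCAL_ANSWERS, lambda n: LOCAL_ANSWERS[n], lambda n: REFERENCE_ANSWERS[n]
        ),
    }


if __name__ == "__main__":
    print(dns_tamper_report())
```

For live use, the `local` callable can be `lambda n: socket.gethostbyname_ex(n)[2]` (the system resolver, i.e. whatever the router advertised) and the `reference` callable a query sent directly to a resolver you trust; geo-distributed sites can still produce false positives, so confirm a flagged name by checking the site's TLS certificate rather than acting on the address mismatch alone.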

Over four weeks, from December 2014 to mid-January 2015, researchers discovered four separate URLs used in a niche campaign of fewer than 100 emails sent to a small number of employees at organizations, primarily targeting users in Brazil. The attacks were aimed at owners of TP-Link and UTStarcom home routers.

The revelation shows that hackers are turning their focus to SME and home routers as a new target. Unlike attacks on corporate networks and personal computers, these attacks are hard to detect, and users are unlikely to discover any DNS redirection until it is too late.

The vulnerabilities stem from poor configuration as well as insecure patching and software design by vendors. The current campaign has targeted only Brazilian users, but it may spread beyond the South American country.

Protecting yourself against such attacks

Although most users will depend on their router manufacturer to issue patches for such flaws, there are other defenses, including some long-standing security advice, such as the following:

Change the administrative login: One of the best defenses against such attacks is to change the router's password, especially if you are still relying on the default password supplied by the internet service provider. The site provides lookup information for each make and model, and most router vendors list the steps for changing the login information for the device.

Educate yourself about phishing emails: Such emails may be badly worded or sent from a suspicious-looking email address. If a phone number or email address is listed for an official entity, run a separate Google search to confirm that these details are genuine.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.