Hijack attack aims to grab bank details via routers
Researchers at DDoS protection specialist Radware have uncovered an attack aimed at Brazilian bank customers that seeks to steal credentials via a compromised router.
It employs malware that targets DLink DSL modem routers using exploits dating back to 2015. A malicious agent attempts to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious server.
The malicious DNS server is then hijacking requests for the host name of Banco de Brasil and redirecting to a fake, cloned website hosted on the same malicious DNS server, which has no connection whatsoever to the legitimate Banco de Brasil website.
Another Brazilian financial institution, Itau Unibanco, is also being redirected, although does not -- as yet -- have a cloned website. For all other DNS requests, the malicious server simply works as a forwarder and resolves just as an ISP DNS server would.
"This new attack is directly impacting the owners of IoT devices: the consumers," says Radware cybersecurity evangelist Pascal Geenens. "We have seen many different attacks on IoT devices and botnets enslaving these vulnerable, unmanaged devices in past, but most were not affecting the consumer directly. As long as their routers were still connecting them to the world wide web, consumers didn't really care that their devices were involved in devastating DDoS attacks on online businesses or that their devices were helping to conceal targeted attacks of nation state-sponsored hackers. After BrickerBot, this is the second warning to consumers to start caring, be aware of the risks."
What's clever about this approach is that the hijacking is performed without any interaction from the user and with no need to infect the browser. Users may therefore be completely unaware of the change. The hijacking works without crafting or changing URLs in the user's browser. A user can be using any browser and regular bookmarks, they can type in the URL manually or even use it from mobile devices, such as a smartphone or tablet. However they try to access it the user will still be sent to the malicious website instead of to their requested address.
Users are advised to check the primary and secondary DNS server settings in the IP configuration of mobile devices, computers or routers. Modern browsers will clearly indicate an issue with the certificate of the fake website and this shouldn’t be ignored.
You can see more details of the attack on the Radware blog.