Attackers hacked thousands of D-Link routers and redirected their owners to malicious resources

A group of attackers exploited, over a long period, a vulnerability in several models of D-Link routers. The flaw allows the router's DNS server settings to be changed remotely so that the device's users are redirected to a resource set up by the attackers themselves. What happens next is up to the criminals: they can steal victims' account credentials or offer services that look like a perfectly legitimate service from the bank.

The vulnerability affects the D-Link DSL-2740R, DSL-2640B, DSL-2780B, DSL-2730B and DSL-526B. These models are rarely updated, so attackers can exploit the outdated firmware without difficulty. Details are available here and here.

Representatives of Radware, a cybersecurity company, were the first to report the problem. As it turned out, the whole scheme was designed to gain access to customer accounts at two of the largest Brazilian banks, Banco de Brasil and Unibanco. Instead of the banks' servers, users were sent to servers controlled by the hackers.

Users had no way of noticing what was happening: nobody tried to trick them with phishing links or pop-up windows. Instead of the bank's site, the user simply landed on a fake one, which raised almost no suspicion. Naturally, the redirection to the malicious resource happened even if the user clicked a link in the browser's bookmarks or a URL shortcut on the desktop.

The same redirection happened if the user worked from a tablet, phone or any other device, whatever its OS. The only condition for the malicious redirection is being connected to a compromised router.

The Brazilian banks' sites were chosen because they can be reached over plain HTTP, without protection, so visitors receive no warning that the site they are being redirected to is malicious. If the user's browser uses HTTPS by default, the potential victim will see a message about a problem with the certificate. But that dialog has an option to proceed anyway, and if the user chooses it, as most users do, the redirection works without any problems. Moreover, the malicious site "pretends" to be perfectly normal. When the user logs in as they would on the bank's real site, their data is sent to the attacker's server. The site is controlled from the same IP address as the attackers' DNS server.

The site to which the user is redirected is an exact copy of the bank's real resource, so users who are not very technically savvy are easily deceived. As far as can be judged, the attackers' site is not yet fully set up: the resemblance is so far purely external, without the functionality of a banking site (though faking that is not particularly difficult either).

After the company that detected the attack reported the problem, the malicious DNS resource and the fake sites were shut down by the hosting company that owns the server. This does, however, cause some inconvenience to the owners of the "modified" routers: since the DNS server in the device's settings has been changed to the malicious one, the router can no longer provide network access until it is reconfigured. That is easy to do, but for a user without experience or an understanding of what is happening, the problem can become serious.

At the moment this is one of the largest attacks carried out through routers. A similar attack was reported in May; then about half a million network devices from various manufacturers were infected. After FBI representatives learned of the problem, they warned the VPNFilter service the attackers were working with, and that problem was also resolved.

Problems of this kind have happened before. In 2016, malware known as DNSChanger caused infected routers to execute malicious commands. A malicious DNS server was used then too, and, just as now, users were redirected to malicious resources owned by the attackers.

The best protection against attacks of this kind is, first, to update the equipment's firmware and, second, to use a strong password. In addition, you can switch the DNS settings to a verified resolver, for example Cloudflare's or Google's.
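The redirection described above works only because the router hands out the attackers' DNS server, and the recommended fix is to point the device at a verified resolver. The following added example (my own code, not from the article, Radware or D-Link) shows how a defender can check both sides of that: whether the resolver a device is using is on an allowlist, and whether the A records that resolver returns for a bank domain differ from what a trusted public resolver returns. It includes a minimal DNS wire-format encoder/parser so the comparison can be run offline on constructed responses. The domain `bank.example`, the TEST-NET addresses and the rogue resolver `203.0.113.53` are placeholders I constructed; the allowlist contains Cloudflare's and Google's public resolvers, which the article names, plus their secondary addresses.

```python
"""Added example (not from the article or from Radware/D-Link): compare the A records a
local resolver (e.g. the router's DNS) returns for a bank domain against a trusted public
resolver, and check the configured resolver against an allowlist. The sample responses
below are constructed with TEST-NET addresses; the domain name is a placeholder."""
import socket
import struct

# Resolvers the article recommends (Cloudflare and Google); extend to your own policy.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}


def _encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.strip(".").split(".")) + b"\x00"


def build_query(name, txid=0x1234):
    """Build a standard recursive A query for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + _encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(name, addrs, txid=0x1234, ttl=300):
    """Construct a response carrying A records for `name` (used for offline samples)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR=1, RD=1, RA=1
    question = _encode_name(name) + struct.pack(">HH", 1, 1)
    answers = b""
    for addr in addrs:
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answers


def _read_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left
            if end is None:
                end = off + 2
            off = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_a_records(data):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s): name + QTYPE + QCLASS
        _, off = _read_name(data, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def resolve(resolver_ip, name, timeout=2.0):
    """Live lookup over UDP/53; not used by the offline demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        resp, _ = sock.recvfrom(512)
    return parse_a_records(resp)


def resolver_is_trusted(resolver_ip):
    """True if the resolver a device is configured with is on the allowlist."""
    return resolver_ip in TRUSTED_RESOLVERS


def suspicious_answers(local_addrs, trusted_addrs):
    """Addresses the local resolver returned that the trusted resolver did not."""
    return sorted(set(local_addrs) - set(trusted_addrs))


def demo():
    """Offline scenario: the router's resolver points the bank at an attacker host."""
    domain = "bank.example"  # placeholder, not a real bank domain
    hijacked = build_response(domain, ["203.0.113.7"])  # constructed: attacker host
    legit = build_response(domain, ["198.51.100.10", "198.51.100.11"])  # constructed
    return {
        "resolver_trusted": resolver_is_trusted("203.0.113.53"),  # constructed rogue DNS
        "suspicious": suspicious_answers(parse_a_records(hijacked), parse_a_records(legit)),
    }


if __name__ == "__main__":
    print(demo())
```

For a live check, call `resolve(router_ip, domain)` and `resolve("1.1.1.1", domain)` and feed both results to `suspicious_answers`. Treat a non-empty result as a lead rather than proof: sites behind CDNs or geo-aware DNS legitimately return different addresses from different resolvers, so confirm that the unexpected address is outside the bank's published ranges. The configured resolver itself is the stronger signal, since a home router that suddenly hands out a resolver nobody chose is exactly the symptom this attack produces.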
