Attackers Targeting Dlink DSL Modem Routers ; Exploiting Them To Change The DNS Settings

Attackers Targeting Dlink DSL Modem Routers ; Exploiting Them To Change The DNS Settings

A recent
research has found attackers to be resorting to targeting DLink DSL modem
routers in Brazil, with a specific end goal to exploit their DNS settings,
which at that point enables them to redirect users endeavoring to associate
with their online banks to fake banking websites that steal the client’s record
data.
As per
the research by Radware, the exploit being utilized by the hackers enables them
to effectively scan for and script the changing of a lot of vulnerable switches
so the user’s DNS settings point to a DNS server that is under the hacker’s
control.
Example of Fake Cloned Bank Site (Source: Radware)
Certificate Warning on Fake Site

At the
point when the user attempts to connect to a website on the internet, they
first question a DNS server to determine a hostname like www.google.com to an IP
address like 172.217.11.36.
Their PC
at that point associates with this IP address and starts the coveted
connection. In this way by changing the name servers utilized on the router,
users are diverted to fake and malignant sites without their insight and made
to believe that these sites are indeed legitimate and dependable.
The
pernicious URL takes the following form:
/dnscfg.cgi?dnsPrimary=&dnsSecondary=&dnsDynamic=0&dnsRefresh=1

at the
point when the exploit permits unauthenticated remote configuration of DNS
server settings on the modem router.


Radware’s
research stated that –
“The uniqueness about this approach is
that the hijacking is performed without any interaction from the user, phishing
campaigns with crafted URLs and malvertising campaigns attempting to change the
DNS configuration from within the user’s browser have been reported as early as
2014 and throughout 2015 and 2016. In 2016, an exploit tool known as
RouterHunterBr 2.0 was published on the internet and used the same malicious
URLs, but there are no reports that Radware is aware of currently of abuse
originating from this tool.”
The researcher’s state that the attack is deceptive
as the user is totally unaware of the change, the hijacking works without
creating or changing URLs in the user’s browser.
A user can utilize any browser and his/her
consistent regular routes, the user can type in the URL physically or even
utilize it from cell phones, for example, a smart phone or tablet, and he/she
will in any case be sent to the vindictive site rather than to their requested
for site since the capturing viably works at the gateway level.
Radware along these lines , recommends users to
utilize the http://www.whatsmydnsserver.com/
website to check their router’s configured DNS servers, with the goal that they
can alone decide whether there are servers that look suspicious as they won’t
be relegated by their internet service provider.

Share this with Your friends:

Leave a Reply

Your email address will not be published. Required fields are marked *