On Friday (5 April), it emerged that home routers such as those manufactured by D-Link were being targeted by DNS hijacking. Security researchers at Bad Packets identified three waves which took place between December last year and the end of March this year, detailed in a blog. But also on 5 April, researchers at Ixia identified a new wave of DNS hijacking and detected two additional rogue DNS servers: 126.96.36.199 and 188.8.131.52.
What is happening?
Hackers are orchestrating these attacks in the hope that users will be fooled by an unauthorized version of a well-known website. Once a person enters their details, they can subsequently be stolen by attackers. “The purpose of these attacks is to modify DNS settings in the routers to point to unauthorized webpages that skim user input data,” says Mihai Vasilescu senior security research engineer in a blog. “When end users try to access a targeted website, they will land on a webpage designed to look like the original but is controlled by the attacker.”
As Vasilescu points out, a malicious adversary able to intercept your requests could send faked DNS responses pointing you to a malicious server hosting a fake bank login page. “That server would then grab your credentials, giving the attacker access to your bank accounts.”
Which sites are being targeted?
According to Ixia researchers, the attackers seem to have three types of targets. Global internet-based enterprises, local hosting providers and financial intuitions based in Brazil.
Researchers found that on the fake page, the webservers were unsecured, running on HTTP instead of HTTPS – the latter of which wasn’t running at all.
But they also found that some of the targets aren’t fully functional yet. According to Vasilescu this is because either the attackers haven’t had the time to configure their servers – and they concede this is unlikely, considering the latest DNS change attacks occurred just two days before on April 3 – or the attackers misconfigured the Apache configuration.“By querying the malicious DNS server for specific domains, we can easily compare the results with queries against Google’s 184.108.40.206 resolver, clearly indicating something is wrong,” says Vasilescu.
The April 3 attacks were from a single IP address 220.127.116.11, which belongs to Google. Meanwhile the adversary’s DNS and web server is hosted at 18.104.22.168, also belonging to Google.
What to do
I’ve included some information on how to secure your router and protect yourself from phishing attempts in my previous article. Vasilescu concurs, including some extra information in his post.
Of course, he points out the importance of ensuring devices — in this case routers — are up-to-date. “And not exposing the admin interface online is important.”
Particularly relevant to this latest finding is to be super-vigilant when accessing important websites, especially banking. “Make sure that the connections are HTTPS; check the certificate,” Vasilescu says. This ensures that when you’re entering your credentials, they are not being viewed by an adversary keen to steal them.