In-the-wild router exploit sends unwitting users to fake banking site

DLink vulnerability lets attackers remotely change DNS server settings.

Hackers have been exploiting a vulnerability in DLink modem routers to send people to a fake banking website that attempts to steal their login credentials, a security researcher said Friday.

The vulnerability works against DLink DSL-2740R, DSL-2640B, DSL-2780B, DSL-2730B, and DSL-526B models that haven’t been patched in the past two years. As described in five separate public disclosures, the flaw allows attackers to remotely change the DNS server that connected computers use to translate domain names into IP addresses.

According to an advisory published Friday morning by security firm Radware, hackers have been exploiting the vulnerability to send people trying to visit two Brazilian bank sites—Banco de Brasil’s and Unibanco’s—to malicious servers rather than the ones operated by the financial institutions. In the advisory, Radware researcher Pascal Geenens wrote:

The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. A user can use any browser and his/her regular shortcuts, he or she can type in the URL manually or even use it from mobile devices such as iPhone, iPad, Android phones or tablets. He or she will still be sent to the malicious website instead of to their requested website, so the hijacking effectively works at the gateway level.

Convincing spoof

Geenens told Ars that Banco de Brasil’s website can be accessed over unencrypted and unauthenticated HTTP connections, and that prevented visitors from receiving any warning the redirected site was malicious. People who connected using the more secure HTTPS protocol received a warning from the browser that the digital certificate was self-signed, but they may have been tricked into clicking an option to accept it. Other than the self-signed certificate, the site was a convincing spoof of the real site. If users logged in, their site credentials were sent to the hackers behind the campaign. The spoof site was served from the same IP address that hosted the malicious DNS server.

People who tried to visit Unibanco were redirected to a page hosted at the same IP address as the malicious DNS server and fake Banco de Brasil site. That page, however, didn’t actually spoof the bank’s site, an indication that it was probably a temporary landing page that had not yet been set up. The malicious operation was shut down early Friday morning California time after Geenens reported the malicious DNS server and spoof site to server host OVH. With the malicious DNS server inoperable, people connected to infected DLink devices will likely be unable to use the Internet until they change the DNS server settings on their router or reconfigure their connecting devices to use an alternate DNS server.

In 2016, malware known as DNSChanger caused routers that were running unpatched firmware or were secured with weak administrative passwords to use a malicious DNS server. Connected computers would then connect to fake sites. In that campaign, however, the router was reconfigured from within the home network, not remotely from the Internet.

The best defense against router attacks is to ensure devices are running the most up-to-date firmware and are secured with a strong password. A good defense-in-depth move is also to configure each device that connects to use a trusted DNS server, such as those from Cloudflare or Google. These settings, which are made in the operating system of the connecting device, override any DNS settings made in the router.
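The hijack described above lives in the router's DNS setting, so it is invisible to the browser and to URL inspection; what a defender can check is whether the resolver the network hands out gives the same answers as a resolver it trusts. The script below is an added example (not code from the article, from Radware, or from DLink) that sends a raw A-record query to two resolvers over UDP using only the standard library, compares the answers, and flags the pattern the article reports: a bank domain resolving to the rogue DNS server's own IP address. The addresses, domain names and answer table are constructed for the demonstration; 1.1.1.1 is used as the trusted resolver because the article names Cloudflare, and the `lookup` callback is injectable so the comparison logic can be exercised offline.

```python
"""Gateway-level DNS hijack check (added example, not from the article)."""
import socket
import struct

A_RECORD, IN_CLASS = 1, 1


def build_query(domain: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query packet for an A record with recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", A_RECORD, IN_CLASS)


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a domain name, handling compression pointers."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # pointer: two bytes, terminates the name
            return offset + 2
        offset += 1 + length


def parse_a_records(msg: bytes) -> set:
    """Collect the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):               # skip the echoed question section
        offset = _skip_name(msg, offset) + 4
    answers = set()
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == A_RECORD and rclass == IN_CLASS and rdlength == 4:
            answers.add(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlength
    return answers


def query_a(resolver_ip: str, domain: str, timeout: float = 3.0) -> set:
    """Ask one specific resolver (bypassing the OS resolver) for a domain's A records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def find_hijack_indicators(local_resolver, trusted_resolver, domains, lookup=query_a):
    """Return (domain, reason) pairs where the local resolver's answer looks hijacked.

    `lookup(resolver_ip, domain) -> set[str]` is injectable so the logic runs offline.
    """
    findings = []
    for domain in domains:
        local = lookup(local_resolver, domain)
        trusted = lookup(trusted_resolver, domain)
        if local_resolver in local:        # the pattern from the article: site hosted on the DNS server
            findings.append((domain, f"resolves to the resolver itself ({local_resolver})"))
        elif local and trusted and local.isdisjoint(trusted):
            findings.append((domain, f"local answer {sorted(local)} disagrees with trusted {sorted(trusted)}"))
    return findings


# Constructed sample response (not a real capture): example.com -> 93.184.216.34, TTL 3600.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: response, 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"             # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"   # answer: name ptr, A, IN, TTL 3600, rdlength 4
    b"\x5d\xb8\xd8\x22"                                   # rdata 93.184.216.34
)

# Constructed answer table standing in for live resolvers (documentation-range addresses).
# 192.0.2.53 plays the rogue resolver pushed into the router; 1.1.1.1 is the trusted one.
DEMO_ANSWERS = {
    ("192.0.2.53", "bank.example"): {"192.0.2.53"},     # hijacked: bank points at the rogue server
    ("192.0.2.53", "news.example"): {"203.0.113.10"},
    ("192.0.2.53", "cdn.example"):  {"198.51.100.5"},   # differs from trusted; could be geo-DNS
    ("1.1.1.1", "bank.example"):    {"203.0.113.80"},
    ("1.1.1.1", "news.example"):    {"203.0.113.10"},
    ("1.1.1.1", "cdn.example"):     {"198.51.100.9"},
}


def demo_lookup(resolver_ip: str, domain: str) -> set:
    return DEMO_ANSWERS[(resolver_ip, domain)]


def demo() -> list:
    """Run the comparison against the constructed table instead of the network."""
    return find_hijack_indicators("192.0.2.53", "1.1.1.1",
                                  ["bank.example", "news.example", "cdn.example"],
                                  lookup=demo_lookup)


if __name__ == "__main__":
    print("parsed sample:", parse_a_records(SAMPLE_RESPONSE))
    for domain, reason in demo():
        print(f"SUSPICIOUS {domain}: {reason}")
```

To run it against a real network, pass the router's LAN address (the resolver your DHCP lease points at) as `local_resolver` and call `find_hijack_indicators` with the default `lookup`. The "resolves to the resolver itself" check is the strong signal; a plain disagreement between resolvers is only a hint, because CDN and geo-DNS setups legitimately return different addresses to different resolvers, so treat those findings as a prompt to look at the router's DNS configuration rather than as proof of compromise.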