DNS hijacking campaign is stealing Netflix, Gmail and other services accounts

A DNS hijacking campaign, active for at least three months, has been attacking users of the most popular online services, such as Gmail, Netflix, PayPal, among others, reported specialists from the International Institute of Cyber Security (IICS), the best ethical hacking institute.  

As part of the attack campaign, threat actors have compromised the clients’ routers from Internet service provider companies, modifying the DNS configuration and redirecting victims to malicious websites to extract their login credentials.  

Specialists from the best ethical hacking institute identified four malicious DNS servers that attackers have been using to redirect victims’ traffic, highlighting that all exploitation attempts have originated from hosts in the Google Cloud platform.

The first DNS hijacking exploits specific D-Link DSL modems, such as D-Link DSL-2640B, DSL-2740R, DSL-2780B and DSL-526B. The fake DNS server used for this attack was hosted by OVH Canada (linked to the IP address).

A second wave of attacks pointed to the same type of D-Link modems, although the address associated with this malicious server was different from the previous one (144,217,191,145).

According to the best ethical hacking institute, most DNS requests were being redirected to two IP addresses assigned to a hosting provider with flexible policies regarding dishonest practices.

A third wave of attacks addressed a large number of domestic router models, including ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.

The origin of the attacks is linked to three different hosts of Google Cloud using two malicious servers hosted in Russian territory.

The main goal of the campaign was to redirect unsuspecting users of online services such as Netflix, Uber, PayPal or Gmail to fraudulent sites and trick them into delivering their login credentials reported the best ethical hacking institute. Specialists estimate that about 17000 routers may be exposed to this DNS hijacking campaign.