• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages

 | 

Cisco fixed critical ISE flaws allowing Root-level remote code execution

 | 

U.S. CISA adds AMI MegaRAC SPx, D-Link DIR-859 routers, and Fortinet FortiOS flaws to its Known Exploited Vulnerabilities catalog

 | 

CitrixBleed 2: The nightmare that echoes the 'CitrixBleed' flaw in Citrix NetScaler devices

 | 

Hackers deploy fake SonicWall VPN App to steal corporate credentials

 | 

Mainline Health Systems data breach impacted over 100,000 individuals

 | 

Disrupting the operations of cryptocurrency mining botnets

 | 

Prometei botnet activity has surged since March 2025

 | 

The U.S. House banned WhatsApp on government devices due to security concerns

 | 

Russia-linked APT28 use Signal chats to target Ukraine official with malware

 | 

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 50

 | 

Security Affairs newsletter Round 529 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Iran confirmed it shut down internet to protect the country against cyberattacks

 | 

Godfather Android trojan uses virtualization to hijack banking and crypto apps

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • DNS Hijacking targets Brazilian financial institutions

DNS Hijacking targets Brazilian financial institutions

Pierluigi Paganini August 12, 2018

Crooks are targeting DLink DSL modem routers in Brazil to redirect users to fake bank websites by carrying out DNS hijacking.

Crooks are targeting DLink DSL modem routers in Brazil to redirect users to fake bank websites by changing the DNS settings.

With this trick, cybercriminals steal login credentials for bank accounts, Radware researchers reported.

The attackers change the DNS settings pointing the network devices to DNS servers they control, in this campaign the experts observed crooks using two DNS servers, 69.162.89.185 and 198.50.222.136. The two DNS servers resolve the logical address for Banco de Brasil (www.bb.com.br) and Itau Unibanco (hostname www.itau.com.br) to bogus clones.

“The research center has been tracking malicious activity targeting DLink DSL modem routers in Brazil since June 8th. Via old exploits dating from 2015, a malicious agent is attempting to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious DNS server.” reads the analysis published by Radware.

“The malicious DNS server is hijacking requests for the hostname of Banco de Brasil (www.bb.com.br) and redirecting to a fake, cloned website hosted on the same malicious DNS server which has no connection whatsoever to the legitimate Banco de Brasil website.”

Hackers are using old exploits dating from 2015 that work on some models of DLink DSL devices, they only have to run for vulnerable routers online and change their DNS settings.

The experts highlighted that the hijacking is performed without any user interaction.

“The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. A user can use any browser and his/her regular shortcuts, the user can type in the URL manually or even use it from mobile devices, such as a smart phone or tablet.” reads the alert published by Radware.

“The user will still be sent to the malicious website instead of to their requested website and the hijacking effectively works at the gateway level.”

Attackers carried out phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user’s browser. Such kind of attack is not a novelty, hackers are using similar techniques since 2014, in 2016, an exploit tool known as RouterHunterBr 2.0 was published online and used the same malicious URLs, but Radware is not aware of currently of abuse originating from this tool.

Radware has recorded several infections attempts for an old D-Link DSL router exploits since June 12.

DNS hijacking

The malicious URL used in the campaign appear as:

DNS hijacking 2


Several exploits  for multiple DSL routers, mostly D-Link, were available online since February, 2015:

  • Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change. Exploit http://www.exploit-db.com/exploits/35995/
  • D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit http://www.exploit-db.com/exploits/35917/
  • D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit https://www.exploit-db.com/exploits/37237/
  • D-Link DSL-2780B DLink_1.01.14 – Unauthenticated Remote DNS Change https://www.exploit-db.com/exploits/37237/
  • D-Link DSL-2730B AU_2.01 – Authentication Bypass DNS Change https://www.exploit-db.com/exploits/37240/
  • D-Link DSL-526B ADSL2+ AU_2.01 – Unauthenticated Remote DNS Change https://www.exploit-db.com/exploits/37241/

Once the victims visit the fake websites, they will be asked for bank info, including agency number, account number, mobile phone number, card pin, eight-digit pin, and a CABB number.

The experts noticed that the phishing websites used in the campaign are flagged as not secure in the URL address.

Radware reported the campaigns to the financial institutions targeted by the attacks and fake websites have since been taken offline.

“A convenient way for checking DNS servers used by your devices and router is through websites like http://www.whatsmydnsserver.com/.
Only modems and routers that were not updated in the last two years can be exploited. Updates will protect the owner of the device and also prevent devices being enslaved for use in DDoS attacks or used to conceal targeted attacks.” recommends Radware.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – DNS hijacking, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

DLink DNS hijacking Hacking Pierluigi Paganini Security Affairs

you might also like

Pierluigi Paganini June 26, 2025
Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages
Read more
Pierluigi Paganini June 26, 2025
Cisco fixed critical ISE flaws allowing Root-level remote code execution
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages

    Cyber Crime / June 26, 2025

    Cisco fixed critical ISE flaws allowing Root-level remote code execution

    Security / June 26, 2025

    U.S. CISA adds AMI MegaRAC SPx, D-Link DIR-859 routers, and Fortinet FortiOS flaws to its Known Exploited Vulnerabilities catalog

    Security / June 26, 2025

    CitrixBleed 2: The nightmare that echoes the 'CitrixBleed' flaw in Citrix NetScaler devices

    Hacking / June 26, 2025

    Hackers deploy fake SonicWall VPN App to steal corporate credentials

    Hacking / June 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT