DNS Hijacking targets Brazilian financial institutions

Crooks are targeting DLink DSL modem routers in Brazil to redirect users to fake bank websites by carrying out DNS hijacking.

Crooks are targeting DLink DSL modem routers in Brazil to redirect users to fake bank websites by changing the DNS settings.

With this trick, cybercriminals steal login credentials for bank accounts, Radware researchers reported.

The attackers change the DNS settings pointing the network devices to DNS servers they control, in this campaign the experts observed crooks using two DNS servers, 69.162.89.185 and 198.50.222.136. The two DNS servers resolve the logical address for Banco de Brasil (www.bb.com.br) and Itau Unibanco (hostname www.itau.com.br) to bogus clones.

“The research center has been tracking malicious activity targeting DLink DSL modem routers in Brazil since June 8th. Via old exploits dating from 2015, a malicious agent is attempting to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious DNS server.” reads the analysis published by Radware.

“The malicious DNS server is hijacking requests for the hostname of Banco de Brasil (www.bb.com.br) and redirecting to a fake, cloned website hosted on the same malicious DNS server which has no connection whatsoever to the legitimate Banco de Brasil website.”

Hackers are using old exploits dating from 2015 that work on some models of DLink DSL devices, they only have to run for vulnerable routers online and change their DNS settings.

Radware has recorded several infections attempts for an old D-Link DSL router exploits since June 12.

The malicious URL used in the campaign appear as:

Several exploits  for multiple DSL routers, mostly D-Link, were available online since February, 2015:

• Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change. Exploit http://www.exploit-db.com/exploits/35995/
• D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit http://www.exploit-db.com/exploits/35917/
• D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit https://www.exploit-db.com/exploits/37237/
• D-Link DSL-2780B DLink_1.01.14 – Unauthenticated Remote DNS Change https://www.exploit-db.com/exploits/37237/
• D-Link DSL-2730B AU_2.01 – Authentication Bypass DNS Change https://www.exploit-db.com/exploits/37240/
• D-Link DSL-526B ADSL2+ AU_2.01 – Unauthenticated Remote DNS Change https://www.exploit-db.com/exploits/37241/

Once the victims visit the fake websites, they will be asked for bank info, including agency number, account number, mobile phone number, card pin, eight-digit pin, and a CABB number.

The experts noticed that the phishing websites used in the campaign are flagged as not secure in the URL address.

Radware reported the campaigns to the financial institutions targeted by the attacks and fake websites have since been taken offline.

“A convenient way for checking DNS servers used by your devices and router is through websites like http://www.whatsmydnsserver.com/.
Only modems and routers that were not updated in the last two years can be exploited. Updates will protect the owner of the device and also prevent devices being enslaved for use in DDoS attacks or used to conceal targeted attacks.” recommends Radware.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – DNS hijacking, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]