DNS Hijacking Targets Brazilian Banks


The Radware Threat Research Center has identified a hijacking campaign aimed at Brazilian bank customers via their IoT devices and is attempting to gain their bank credentials.


Abstract


The research center has been tracking malicious activity targeting D-Link DSL modem routers in Brazil since June 8th. Using old exploits dating from 2015, a malicious agent is attempting to modify the DNS server settings in the routers of Brazilian residents, redirecting all of their DNS requests through a malicious DNS server. That malicious DNS server hijacks requests for the hostname of Banco do Brasil (www.bb.com.br) and redirects them to a fake, cloned website hosted on the same malicious server, which has no connection whatsoever to the legitimate Banco do Brasil website.

Itau Unibanco, another Brazilian financial institution (hostname www.itau.com.br), is also being redirected, although (for now) not to a cloned website. For all other DNS requests, the malicious server acts as a forwarder and resolves names just as an ISP DNS server would. The malicious DNS server set up by the attackers thus becomes a middleman that gives the malicious actor the flexibility to bring up fake portals and web fronts at will to collect sensitive information from users whose routers were infected.

What is unique about this approach is that the hijacking is performed without any interaction from the user. Phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user's browser have been reported as early as 2014 and throughout 2015 and 2016. In 2016, an exploit tool known as RouterHunterBr 2.0 was published on the internet and used the same malicious URLs, but Radware is currently not aware of any reports of abuse originating from this tool.

The attack is insidious in the sense that the user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user's browser. The user can use any browser and his/her regular shortcuts, can type in the URL manually, or can browse from a mobile device such as a smartphone or tablet, and will still be sent to the malicious website instead of the requested one: the hijacking effectively works at the gateway level.
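Because the malicious server forwards everything except the targeted bank hostnames, resolving a random test domain through the gateway proves nothing. The check below, an added example that is not part of the original alert, models that selective-forwarder behaviour and shows two defender-side tests: whether the resolver the gateway hands out is one the operator expects, and whether the answers for a watch-list of sensitive hostnames agree with a trusted resolver reached over an independent path. All addresses and hostnames in the sample data are constructed placeholders.

```python
"""Detect selective DNS hijacking at the gateway level (added example)."""
from typing import Callable, Dict, List, Optional, Set, Tuple

Resolver = Callable[[str], Optional[str]]

# Constructed sample data: answers a trusted, independent resolver would give.
# TEST-NET addresses only; these are not the banks' real addresses.
TRUSTED_ANSWERS: Dict[str, str] = {
    "www.bb.com.br": "192.0.2.10",
    "www.itau.com.br": "192.0.2.20",
    "www.example.org": "192.0.2.30",
}


def trusted_resolve(hostname: str) -> Optional[str]:
    """Stand-in for a trusted resolver (e.g. one reached over DNS-over-HTTPS)."""
    return TRUSTED_ANSWERS.get(hostname.lower().rstrip("."))


def make_hijacking_forwarder(upstream: Resolver, overrides: Dict[str, str]) -> Resolver:
    """Model of the attacker's middleman server described in the alert:
    it answers the hijacked names itself and forwards every other query
    upstream, so an unrelated test domain resolves correctly."""
    def resolve(hostname: str) -> Optional[str]:
        name = hostname.lower().rstrip(".")
        return overrides[name] if name in overrides else upstream(name)
    return resolve


def resolver_is_expected(configured_dns: str, allowlist: Set[str]) -> bool:
    """Test 1: is the DNS server the gateway hands out one we expect?
    Compare against the ISP/enterprise resolvers you actually provisioned."""
    return configured_dns in allowlist


def detect_hijack(watchlist: List[str], local: Resolver,
                  trusted: Resolver) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Test 2: resolve each watch-listed hostname via the gateway resolver and
    via the trusted resolver; return (name, local_answer, trusted_answer) for
    every disagreement. Geo-DNS/CDN names can legitimately differ between
    resolvers, so keep the watch-list to names whose answers are stable."""
    return [(n, local(n), trusted(n)) for n in watchlist if local(n) != trusted(n)]


if __name__ == "__main__":
    # Constructed scenario: attacker points both bank names at one fake host.
    hijacker = make_hijacking_forwarder(
        trusted_resolve, {"www.bb.com.br": "198.51.100.7", "www.itau.com.br": "198.51.100.7"})
    print(detect_hijack(["www.example.org"], hijacker, trusted_resolve))  # [] -> looks clean
    print(detect_hijack(list(TRUSTED_ANSWERS), hijacker, trusted_resolve))  # two mismatches
```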

Attack Methods

Since June 12, Radware’s deception network has been recording multiple infection attempts for an old D-Link DSL router exploit.

The exploit allows unauthenticated remote configuration of DNS server settings on the modem router. The malicious URL takes the following form.

Exploits were published as early as February, 2015 for multiple DSL routers, mostly D-Link.

Radware's deception network recorded almost 500 attempts between June 8 and August 10. Without exception, these attempts were captured by Radware's São Paulo-based honeypots; the rest of our global deception network did not capture any of them, meaning the malicious agent was focusing its attacks on Brazilian targets only. This was likely intended to increase efficiency while staying undetected.
