100,000 routers hijacked by GhostDNS, traffic directed to phishing sites

LemmingOverlrd

What just happened? Security researchers at Netlab have exposed malware which has taken over a sizable number of internet routers in Brazil and is harvesting user login data for major financial institutions.

A widespread infection of internet routers has taken place in South America, and has carried out massive phishing attacks on unsuspecting internet users, reveals research by security firm Netlab. A staggering 100,000 routers have been hijacked by the malicious code and are currently redirecting traffic to phishing sites that mimic landing pages for major banks, telcos, ISPs, media outlets and even Netflix.

The malware (we're hesitant to call it a 'botnet') has been named GhostDNS by the security firm, and consists of a combination of complex attack scripts which hijack router settings, replacing them with an alternative DNS service, which then proceeds to direct traffic to 'cloned' login pages for major online services. The DNS redirection service is known as Rouge and is even running on a number of notable cloud hosting services like Amazon, OVH, Google, Telefonica and Oracle. Netlab is tracking the progress of the infection, and its inner workings, and has been in contact with service providers to shut down the network, which has been running the phishing scheme unopposed since mid-June this year.

The firm provided a detailed diagram of how the attack works.

The attack is carried out on four levels: a Web Admin System which scans the internet for vulnerable devices, followed by the DNSChanger which does as the name implies, backed up by RougeDNS, a network of DNS servers which then redirect to phishing servers hosting clones of well-known, secure websites.

The firm states that the payload is delivered via remote access exploits, and is capable of running over 100 attack scripts affecting more than 70 different types of routers, whose DNS settings are subject to hijacking. Once your router is hacked, a typically innocuous trip to your bank turns into a phishing nightmare which harvests your user data, as the HTTP requests are maliciously redirected to cloned login pages.
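Because the DNSChanger stage only swaps the resolver addresses in the router, the hijack is visible from inside the network: the router's resolver answers differently from a resolver you trust. The following check is an added example, not code from Netlab's report or this article; the gateway address 192.168.0.1 is a placeholder for your own router, 8.8.8.8 is Google's public resolver, and the DNS packet handling is done with the standard library only.

```python
import random
import socket
import struct

def build_query(name, qid):
    # Header: id, flags (recursion desired), 1 question, no other sections.
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(buf, off):
    # Advance past a domain name; a 0xC0 byte starts a 2-byte compression pointer.
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1

def parse_a_records(resp, qid):
    # Return the set of IPv4 addresses in the answer section of a DNS response.
    rid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def resolve_a(name, server, timeout=3.0):
    # Query one specific resolver over UDP/53 for the A records of name.
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)

def unexpected_answers(router_ips, trusted_ips):
    # Addresses the router's resolver handed out that the trusted resolver did not.
    return router_ips - trusted_ips
```

Run it as `unexpected_answers(resolve_a("yourbank.example", "192.168.0.1"), resolve_a("yourbank.example", "8.8.8.8"))` for each site you care about; a non-empty result for a bank domain is the symptom described above, although CDN-hosted sites can legitimately return different addresses to different resolvers, so confirm against a second trusted resolver before concluding the router is hijacked.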

While the vast majority of infected routers are located in Brazil (87.8% of all infections), and the phishing clearly targets Brazilian companies, the malware is also present throughout South America, and the count tops 100,000 infected routers. Netlab is working with major service providers in order to shore up their vulnerabilities and shut down the malicious DNS redirection servers which are driving users to phishing sites.

Spamhaus.com rates Brazil an unenviable third place in the worldwide ranking of botnet infections, with a total 756,420 infected devices, behind India (1,485,933 infections) and China (with 1,666,901 infections).


 
I fully understand how DNS redirection works, but that is the worst diagram I have ever seen.
 
What's a Pishing Web System? Note that pish has a specific meaning in Scotland :)
And, if they can't spell Phishing, maybe they can't spell Rogue either.
 
We never know what vulnerability of a home router can be explored tomorrow. And this is one of reasons why I added an old Dell computer with Centos and Unbound DNS server to my network rig. Waiting for Christmas sales to buy Raspberry Pi and try it as DNS server too. Also as a variant buying some $100 mini-pc on AliExpress.
 
Please post your results. Can a Raspberry Pi service multiple nodes as an access point? Router vulnerability has been a serious issue for years.
 
Of course this happens when routers are made with security holes placed on purpose. This is similar to that Bluetooth "bug" which enabled a virus to be spread just by carrying an infected device in a room full of people, where it can connect to their devices without them even knowing.

Or the "bug" which enables basically any device to hack your wifi and use your network for whatever purpose. That also means your Smart TV can connect to the outside world, even if you didn't connect it to wifi. But it can hack the password, connect to your wifi and talk to the internet.

Everything is nowadays hackable by design.
 