Security researchers from Kaspersky Lab have detected a massive DNS poisoning attack affecting Brazilian ISPs.
When attempting to visit a legitimate web site such as www.google.com.br, users are exposed to malicious file downloads as well as client-side exploits, CVE-2010-4452 in particular.
Kaspersky's Fabio Assolini comments:
Brazil has some big ISPs. Official statistics suggest the country has 73 million computers connected to the Internet, and the major ISPs average 3 or 4 million customers each. If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge.
Last week Brazil’s web forums were alive with desperate cries for help from users who faced malicious redirections when trying to access websites such as YouTube, Gmail and Hotmail, as well as local market leaders including Uol, Terra and Globo. In all cases, users were asked to run a malicious file as soon as the website opened.
Attackers who cannot directly compromise the infrastructure of a trusted web site, such as Google in this case, often turn to alternative methods of abusing it. Whether it's modifying a particular site's DNS records by social engineering their way in, or direct DNS cache poisoning, their main objective remains the abuse of high-traffic web sites.
Affected users are advised to "update antivirus and all software in the computer (such as Java), also change the DNS configuration to other providers".