Over 100,000 routers have had their DNS settings modified to redirect users to phishing pages. The redirection occurs only when users are trying to access e-banking pages for Brazilian banks.
Around 88% of these routers are located in Brazil, and the campaign has been raging since at least mid-August when security firm Radware first spotted something strange.
But according to a new report published last week by Chinese cyber-security firm Qihoo 360, the group behind these attacks has stepped up its game.
By analyzing massive amounts of collected data, Qihoo 360's Netlab division gained a deep look into the group's modus operandi.
According to Netlab experts, the hackers are scanning the Brazilian IP space for routers that use weak or no passwords, accessing the routers' settings, and replacing legitimate DNS settings with the IPs of DNS servers under their control.
This change redirects all DNS queries that pass through the compromised routers to the malicious DNS servers, which respond with incorrect info for a list of 52 sites.
Most of these sites are Brazilian banks and web hosting services, and the redirection leads back to a phishing page that steals victims' credentials for these sites.
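The hijack described above leaves two observable traces a defender can check for: a router whose configured resolvers are not the ISP's, and a set of unrelated banking domains that all resolve to the same host when asked through that router. The following Python is an added example written for this page, not code from the article or from Netlab's report; the resolver allow-list, router names, domains and IP addresses are all constructed for illustration. A lone mismatch against a reference resolver is not treated as a hijack, since CDN and geo-DNS answers differ legitimately; the check fires only when one unexpected IP answers for several distinct monitored domains, which is the pattern the article describes.

```python
"""Detect router-level DNS hijacking of the kind described above.

Added example (not from the article or Netlab's report). All input data
is constructed inline: a small fleet of routers with their configured
resolvers, plus A-record answers for monitored domains as returned by a
router's resolver and by a trusted reference resolver. Every IP and
hostname here is made up.
"""
from __future__ import annotations

from collections import defaultdict
from ipaddress import ip_address, ip_network

# Resolvers the ISP/organisation expects its routers to use (assumption,
# constructed for the example).
TRUSTED_RESOLVERS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.53/32")]

# Constructed router inventory: router id -> configured DNS servers.
ROUTER_DNS = {
    "cpe-0001": ["192.0.2.10", "192.0.2.11"],
    "cpe-0002": ["203.0.113.7", "192.0.2.10"],  # first entry is not ours
}

# Constructed answers for monitored domains via cpe-0002's resolver...
OBSERVED = {
    "bank-a.example": {"203.0.113.50"},
    "bank-b.example": {"203.0.113.50"},
    "hosting.example": {"203.0.113.50"},
    "cdn-site.example": {"198.51.100.200"},  # legitimate CDN variance
    "news.example": {"192.0.2.80"},
}
# ...and via a trusted reference resolver.
REFERENCE = {
    "bank-a.example": {"192.0.2.81"},
    "bank-b.example": {"192.0.2.82"},
    "hosting.example": {"192.0.2.83"},
    "cdn-site.example": {"198.51.100.201"},
    "news.example": {"192.0.2.80"},
}


def rogue_resolvers(router_dns: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return, per router, the configured resolver IPs outside the trusted set."""
    flagged = {}
    for router, servers in router_dns.items():
        bad = [
            s for s in servers
            if not any(ip_address(s) in net for net in TRUSTED_RESOLVERS)
        ]
        if bad:
            flagged[router] = bad
    return flagged


def hijack_candidates(observed: dict[str, set[str]],
                      reference: dict[str, set[str]],
                      min_domains: int = 2) -> dict[str, list[str]]:
    """Compare a router resolver's answers with a reference resolver's.

    A single differing answer may be CDN or geo-DNS behaviour. The hijack
    pattern is different: many unrelated banking domains all resolve to one
    attacker-controlled host. An unexpected IP is therefore reported only
    when it answers for at least `min_domains` distinct domains.
    """
    by_ip: dict[str, set[str]] = defaultdict(set)
    for domain, answers in observed.items():
        for ip in answers:
            if ip not in reference.get(domain, set()):
                by_ip[ip].add(domain)
    return {
        ip: sorted(domains)
        for ip, domains in by_ip.items()
        if len(domains) >= min_domains
    }


if __name__ == "__main__":
    print("routers with unexpected resolvers:", rogue_resolvers(ROUTER_DNS))
    print("IPs answering for several monitored domains:",
          hijack_candidates(OBSERVED, REFERENCE))
```

In a real deployment the inventory would come from the ISP's CPE management system and the two answer sets from actual queries (one through the router, one to a resolver the operator controls); the comparison logic stays the same.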
Attackers do all this with the help of three modules, which Netlab has dubbed Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger, each named after the programming languages in which it is coded.
The first module, Shell DNSChanger, is written in Shell and is a combination of 25 Shell scripts that can brute-force the passwords of 21 routers or firmware packages.
"This sub-module is only being used lightly, with limited deployment by the attacker," Netlab researchers said over the weekend.
The second module, Js DNSChanger, is only deployed on already-compromised routers to scan and brute-force other routers and devices on internal networks.
The third module, PyPhp DNSChanger, is written in a combination of Python and PHP, and is the most potent of all three. Netlab says this module has been deployed on over 100 Google Cloud servers, from where the attackers are constantly scanning the Internet to identify vulnerable routers.
This module uses 69 attack scripts that can brute-force the passwords of 47 different routers and firmware packages.
Furthermore, this module also uses an exploit that bypasses the authentication procedures on some routers and alters their DNS settings. This particular exploit (known as the dnscfg.cgi vulnerability) was seen exploited in Brazil in a similar fashion in February 2015, when it was also used to change DNS settings and redirect Brazilian bank users to phishing sites.
Netlab researchers say that they managed to access this third module's admin area, where they discovered that PyPhp DNSChanger alone had infected over 62,000 routers.
In addition, this third module also appears to use a stolen Shodan API key to identify, via the Shodan IoT search engine, vulnerable routers it can exploit.
All in all, the operators of this botnet, which Netlab has nicknamed GhostDNS, can target over 70 different types of routers, have already infected over 100,000 routers, and are currently hosting phishing pages for over 70 different services (the 52 URLs found by Netlab researchers, plus another 19 phishing sites hosted on the same phishing servers, to which GhostDNS had not yet redirected traffic).
Netlab says it notified affected entities such as Brazilian ISPs about the ongoing campaign. A list of URLs for which GhostDNS is redirecting traffic to phishing pages, along with the list of routers GhostDNS is known to be able to infect, is available in Netlab's report.