Researchers at Trend Micro have discovered a malicious browser script being used to change DNS settings on home routers in some parts of the world in a bid to steal login credentials and other sensitive data from users of the devices.
The campaign is another sign that DNS hijacking is becoming an increasingly popular attack method for criminal hackers.
Earlier this week, security researchers at ESET reported a new malware threat dubbed Linux/Moose, targeted at Linux-based routers, that they said could be used for DNS hijacking. In April, attackers hijacked domain name servers at the St. Louis Federal Reserve and redirected traffic meant for its domain to a malicious web page set up by the attackers.
In the latest instance, nearly 88 percent of the victims are based in Brazil, but infections have also been observed in the U.S. and Japan, according to Trend Micro.
To compromise routers, the threat actors behind the campaign first lure victims to websites containing the malicious script. When someone lands on such a site, the script runs in the victim's browser, which sits inside the home network, and performs a brute-force attack against the home router to try to gain access to its administrative interface.
If it gains access, the script sends a single HTTP request to the router with a malicious DNS server IP address, Trend Micro senior threat researcher Fernando Merces said in a blog post Thursday. “Once the malicious version replaces the current IP address, the infection is done,” he wrote.
“Except for the navigation temporary files, no files are created in the victim machine, no persistent technique is needed and nothing changes.”
After that, every DNS lookup from devices behind the compromised router goes to the malicious DNS server, which can answer with whatever IP addresses the attackers choose and so steer any traffic they wish to servers under their control.
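The sequence described above leaves a recognisable trace on the router side: a burst of failed logins from one LAN host, a successful login from the same host, then a single configuration request that points the resolvers somewhere new. The Python below, an added example rather than code from Trend Micro or the article, runs that detection over a constructed router access log. The log format, the paths /login.cgi and /dnscfg.cgi, the parameter names dns1 and dns2, the allowlist of expected resolvers and the 203.0.113.0/24 "attacker" range are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a hypothetical home-router HTTP access log in the form
# "<ISO timestamp> <client IP> <method> <path> <status>". The paths, parameter
# names and addresses are assumptions for illustration, not anything named in
# the Trend Micro report. 203.0.113.0/24 is a documentation range standing in
# for the attackers' DNS server.
SAMPLE_LOG = """\
2015-05-28T10:00:01 192.168.1.23 POST /login.cgi 401
2015-05-28T10:00:01 192.168.1.23 POST /login.cgi 401
2015-05-28T10:00:02 192.168.1.23 POST /login.cgi 401
2015-05-28T10:00:02 192.168.1.23 POST /login.cgi 401
2015-05-28T10:00:02 192.168.1.23 POST /login.cgi 401
2015-05-28T10:00:03 192.168.1.23 POST /login.cgi 200
2015-05-28T10:00:03 192.168.1.23 GET /dnscfg.cgi?dns1=203.0.113.5&dns2=203.0.113.6 200
2015-05-28T10:04:00 192.168.1.50 POST /login.cgi 401
2015-05-28T10:04:30 192.168.1.50 POST /login.cgi 200
2015-05-28T10:04:40 192.168.1.50 GET /dnscfg.cgi?dns1=192.168.1.1&dns2=9.9.9.9 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Resolvers this network is expected to use: the router itself (LAN range) and
# the resolver the operator chose. Anything else in a DNS-change request is suspect.
ALLOWED_DNS = [ip_network("192.168.1.0/24"), ip_network("9.9.9.9/32")]


def parse_log(text):
    """Turn raw log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, path, status = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "path": path, "status": int(status)})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Clients with at least `threshold` failed admin logins inside a sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["path"].startswith("/login.cgi") and e["status"] == 401:
            failures[e["client"]].append(e["ts"])
    flagged = set()
    for client, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(client)
                break
    return flagged


def detect_dns_change(events, allowed=ALLOWED_DNS):
    """Successful DNS-configuration requests that set a resolver outside the allowlist."""
    findings = []
    for e in events:
        parts = urlsplit(e["path"])
        if parts.path != "/dnscfg.cgi" or e["status"] != 200:
            continue
        for key in ("dns1", "dns2"):
            for value in parse_qs(parts.query).get(key, []):
                try:
                    addr = ip_address(value)
                except ValueError:
                    continue  # not an IP at all; out of scope for this check
                if not any(addr in net for net in allowed):
                    findings.append((e["client"], key, value))
    return findings


def analyze(text):
    events = parse_log(text)
    brute = detect_bruteforce(events)
    changes = detect_dns_change(events)
    # Strongest signal: the host that brute-forced the login is the one that
    # then rewrote the resolvers, which is exactly the sequence in the text.
    confirmed = sorted({client for client, _, _ in changes if client in brute})
    return {"bruteforce_clients": sorted(brute),
            "rogue_dns": changes,
            "hijack_clients": confirmed}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Note that the attacking requests come from a LAN address, because it is the victim's own browser issuing them; a rule that only trusts "inside" sources would never fire. The second host in the sample logs in after one failed attempt and sets resolvers inside the allowlist, so it is not reported. Most consumer routers expose no such log, so in practice the check a home user can make is the last one only: compare the DNS servers the router currently hands out against the ones that should be there.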
For example, if a user tries to access a legitimate banking site they could be redirected to a spoofed version of the site from where the attackers would be able to steal their user credentials, PINs, passwords and other data, Merces wrote.
“Modified DNS settings mean users do not know they are navigating to clones of trusted sites. Users that don’t change the default credentials are highly vulnerable to this kind of attack,” he said.
Christopher Budd, global threat communication manager at Trend Micro, says the latest malware is another sign of the growing interest in DNS hijacking among criminal hackers.
In the past, attackers have typically done this by tampering with the DNS settings on a victim's computer. Attacks against home routers are more effective because they give criminals a way to intercept data from every device connected to the router.
By tampering with the DNS settings on the home router once, an attacker can own all traffic from all devices on that network, including smartphones, tablets, PCs and notebooks, Budd said. A compromised router removes the need for the attacker to compromise each of those devices separately, he said.
“We are definitely seeing DNS as the new soft spot in a variety of attacks,” Budd says. “As end points have become more and more secure, the bad guys have tried finding something that is new and soft” to attack. “DNS is proving to be softer than the end points,” for the moment at least, he says.