Researchers have discovered a DNS hijacking campaign targeting customers of Brazilian banks.
Attackers are compromising D-Link DSL modem routers and changing the devices' DNS settings to point at a malicious DNS server under the attackers' control.
Because every lookup from the home network then passes through that server, users who try to reach their bank's website are redirected to a cloned phishing site, where their login credentials are stolen.
The researchers from Radware who discovered the attack said they have been tracking the campaign since June 8.
“The research center has been tracking malicious activity targeting DLink DSL modem routers in Brazil since June 8th. Via old exploits dating from 2015, a malicious agent is attempting to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious DNS server.”
The malicious DNS server answers lookups for the targeted banking hostnames with the address of a fake cloned website hosted on the same server. The malicious DNS servers used in this attack are 18.104.22.168 and 22.214.171.124.
The two DNS servers redirect the online banking websites of Banco do Brasil (www.bb.com.br) and Itaú Unibanco (www.itau.com.br) to fake cloned sites.
In this campaign the routers are exploited directly from the Internet, so the hijacking needs no user interaction. Earlier campaigns against the same routers, observed since 2014, instead relied on phishing emails with crafted URLs and on malvertising that attempted to change the DNS configuration from within the user's browser, which works because the browser sits on the LAN and can reach the router's administration interface. “In 2016, an exploit tool known as RouterHunterBr 2.0 was published on the internet and used the same malicious URLs, but there are no reports, that Radware is aware of currently, of abuse originating from this tool.”
On the cloned website, users are asked to enter their bank agency number, account number, and eight-digit PIN, and are then asked for their mobile number, card PIN, and CABB number as confirmation.
The only indicator that the site is fake is its invalid SSL/TLS certificate. Since the attackers control only the victims' resolver and not the banks' domains, they cannot obtain a certificate for www.bb.com.br or www.itau.com.br that chains to a trusted CA, so the browser warns that the connection is not secure and the user must explicitly accept the exception before the page loads. A certificate warning on a banking site should be treated as a sign of compromise, not clicked through.
“The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. A user can use any browser and his/her regular shortcuts; the user can type in the URL manually or even use it from mobile devices, such as a smart phone or tablet. The user will still be sent to the malicious website instead of to their requested website, and the hijacking effectively works at the gateway level,” Radware's researchers wrote in their post.
Researchers have alerted the banks to the campaign, and the malicious site has been taken down. Users can check which DNS servers their router is using through http://www.whatsmydnsserver.com/, or by viewing the DNS settings in the router's administration interface.
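As an added example that is not part of the article or Radware's write-up, the following Python script automates that check from a client behind the router: it parses the resolvers the machine received, flags any that match the two indicator addresses above, and compares the system resolver's answers for the targeted hostnames with answers from a resolver you trust. The sample resolv.conf text, the answer sets and the 198.51.100.x / 203.0.113.x addresses are constructed for illustration; only the two rogue resolver IPs and the two bank hostnames come from the article.

```python
"""Gateway-level DNS hijack check.

Two independent signals:
  1. Is a known rogue resolver among the nameservers this client was handed?
  2. Do the local resolver's answers for the targeted bank hostnames agree with
     answers obtained from a resolver the gateway cannot tamper with?
"""
import ipaddress
import re
import socket
from typing import Dict, Iterable, List, Set

# Indicators quoted in the article above.
ROGUE_DNS_SERVERS: Set[str] = {"18.104.22.168", "22.214.171.124"}
WATCHED_HOSTS = ("www.bb.com.br", "www.itau.com.br")


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver IPs from resolv.conf-style text, ignoring comments
    and malformed entries instead of failing on them."""
    servers: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if not match:
            continue
        try:
            servers.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue  # not an IP address; skip it
    return servers


def flag_rogue_resolvers(configured: Iterable[str],
                         blocklist: Set[str] = ROGUE_DNS_SERVERS) -> Set[str]:
    """Subset of the configured resolvers that appear on the indicator list."""
    return {ip for ip in configured if ip in blocklist}


def compare_answers(local: Dict[str, Set[str]], trusted: Dict[str, Set[str]],
                    rogue: Set[str] = ROGUE_DNS_SERVERS) -> Dict[str, str]:
    """Classify each host:
       'unresolved'            local resolver returned nothing
       'hosted-on-rogue-server' local answer is a rogue DNS host itself (the
                                clone was served from the same machine)
       'diverges'              local and trusted answers share no address
       'ok'                    at least one address in common"""
    verdicts: Dict[str, str] = {}
    for host in local.keys() | trusted.keys():
        l_ans = local.get(host, set())
        t_ans = trusted.get(host, set())
        if not l_ans:
            verdicts[host] = "unresolved"
        elif l_ans & rogue:
            verdicts[host] = "hosted-on-rogue-server"
        elif not (l_ans & t_ans):
            verdicts[host] = "diverges"
        else:
            verdicts[host] = "ok"
    return verdicts


def resolve_with_system(host: str) -> Set[str]:
    """Live lookup through whatever resolver the OS (i.e. the router) handed
    out. Not used by the offline sample below."""
    try:
        return {info[4][0] for info in
                socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}
    except socket.gaierror:
        return set()


# Constructed sample: a DHCP lease that pushed the rogue resolver as secondary.
SAMPLE_RESOLV_CONF = """# Generated by the router's DHCP client
nameserver 192.168.1.1
nameserver 18.104.22.168
nameserver not-an-ip
"""

# Constructed sample answers; the addresses are illustrative, not the banks' real ones.
SAMPLE_LOCAL = {
    "www.bb.com.br": {"18.104.22.168"},    # clone hosted on the rogue server
    "www.itau.com.br": {"203.0.113.10"},   # redirected elsewhere
    "www.example.com": {"198.51.100.7"},   # untouched domain
}
SAMPLE_TRUSTED = {
    "www.bb.com.br": {"198.51.100.1"},
    "www.itau.com.br": {"198.51.100.2"},
    "www.example.com": {"198.51.100.7"},
}

if __name__ == "__main__":
    configured = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("configured resolvers:", configured)
    print("known rogue resolvers:", flag_rogue_resolvers(configured))
    for host, verdict in sorted(compare_answers(SAMPLE_LOCAL, SAMPLE_TRUSTED).items()):
        print(f"{host:20} {verdict}")
```

Obtain the trusted answers over a channel the gateway cannot rewrite, such as DNS over HTTPS or TLS to a resolver you chose; plain UDP/53 to a public resolver defeats this campaign, which only swapped the configured server, but not a gateway that intercepts port 53 outright. Treat a 'diverges' verdict as a prompt to inspect the router rather than proof of compromise, since banks legitimately answer from several data centres or CDNs.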