Attackers are targeting DLink DSL modem routers in Brazil and exploiting them to change the DNS settings to a DNS server under the attacker's control. This then allows them to redirect users attempting to connect to their online banks to fake banking websites that steal the user's account information.

According to research by Radware, the exploit being used by the attackers allows them to perform remote unauthenticated changes to DNS settings on certain DLink DSL modems/routers. This allows them to easily scan for and script the changing of large amounts of vulnerable routers so that their DNS settings point to a DNS server under the attacker's control.

When a user tries to connect to a site on the Internet, they first query a DNS server to resolve a hostname like www.google.com to an IP address like 172.217.11.36. Your computer then connects to this IP address and initiates the desired connection. By changing the name servers used on the router, users will be redirected to fake and malicious sites without their knowledge and think they are legitimate and trustworthy.

The malicious DNS servers used in this attack were 69.162.89.185 and 198.50.222.136. These servers allowed the online banks for Banco de Brasil (www.bb.com.br) and Itau Unibanco (hostname www.itau.com.br) to be redirected to fake clones.

"Unique about this approach is that the hijacking is performed without any interaction from the user," stated Radware's research. "Phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user’s browser have been reported as early as 2014 and throughout 2015 and 2016. In 2016, an exploit tool known as RouterHunterBr 2.0 was published on the internet and used the same malicious URLs, but there are no reports that Radware is aware of currently of abuse originating from this tool."

When users visit the fake web sites, they will look almost identical to the original banking site. At the fake site, though, they will be asked for the bank agency number, account number, eight-digit pin, mobile phone number, card pin, and a CABB number. This information is then collected by the attackers.

Example of Fake Cloned Bank Site (Source: Radware)

The only indication that something may be wrong will be that the browser will indicate that it is "Not Secure" as shown in the image above or there will be certificate warnings as shown below.

Certificate Warning on Fake Site

As you can see, this type of attack is quite dangerous as there are no phishing emails and no changes on the user's computer. Instead everything is done on the router itself, so to the user everything looks fine.

"The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser," Radware further stated in the report. "A user can use any browser and his/her regular shortcuts, the user can type in the URL manually or even use it from mobile devices, such as a smart phone or tablet. The user will still be sent to the malicious website instead of to their requested website and the hijacking effectively works at the gateway level."

After learning about this new campaign, Radware had notified the banks and all of the malicious sites have since been taken offline.

For users who may be concerned that they are a victim of this type attack, Radware recommends you use the http://www.whatsmydnsserver.com/ site to check your router's configured DNS servers. You can then determine if there are servers that look suspicious as they will not be owned or assigned by your Internet service provider.