<h1>Phishing without borders, or why you need to update your router</h1>
<p>Kaspersky blog, published 2019-04-29, last modified 2019-11-15. Source: https://me-en.kaspersky.com/blog/hacked-routers-dns-hijacking/13221/</p>
<p>Cybercriminals are hijacking routers to steal people’s credentials for online banking and services.</p>
<p>What is the most common threat across cyberspace these days? It’s <a target="_blank" href="https://securelist.com/spam-and-phishing-in-2018/89701/" rel="noopener noreferrer">still phishing</a> — there’s nothing new under the sun. But today’s router-based phishing doesn’t require you to fall for a hoax e-mail message. In fact, you can follow a whole bunch of <a target="_blank" href="https://www.kaspersky.com/blog/phishing-ten-tips/10550/" rel="noopener noreferrer nofollow">standard rules</a> — avoid using public Wi-Fi, hover over links before clicking, and so forth — but in the situation we discuss here, those rules won’t help. Let’s take a closer look at phishing schemes that involve hijacked routers.</p>
<h2>How routers end up being hijacked</h2>
<p>In general, there are two basic ways to hijack a router. The first approach is to take advantage of default credentials. You see, every router has an administrator password — not the one you use to connect to your Wi-Fi, but the one you use to log in to the router’s administrator panel and change its settings.</p>
<p>Although users can change the password, most leave it unchanged. And when we keep the default password set by a router’s manufacturer, outsiders can guess — or sometimes even Google — it.</p>
<p>The second approach is to exploit a vulnerability in a router’s firmware (of which there is no shortage) that allows a hacker to take control of the router without any password at all.</p>
<p>Either way, criminals can do their thing remotely, automatically, and on a massive scale. Hijacked routers can provide diverse benefits, but the one we’re going to focus on here is phishing that is extremely hard to spot.</p>
<h3>How hijacked routers can be exploited for phishing</h3>
<p>After taking over your router, attackers modify its settings. It’s a tiny, unnoticeable change: They change the addresses of the DNS servers the router uses to resolve domain names. What does that mean, and why is it so dangerous?</p>
<p>The thing is, the DNS (Domain Name System) is the pillar of the Internet. When you enter a website address in your browser’s address bar, your browser doesn’t actually know how to find it, because browsers and Web servers use numerical IP addresses, not the domain names that humans are used to. So, the act of getting to a website looks like this:</p>
<ol>
<li>The browser sends a request to a DNS server.</li>
<li>The DNS server translates the website’s address from human-readable form into its numerical IP address and returns it to the browser.</li>
<li>The browser now knows where to find the website and loads the page for you.</li>
</ol>
<p>It all happens very quickly and behind the scenes. But when your router is hijacked and your DNS server addresses are changed, all of your requests go to a malicious DNS server that is controlled by attackers. Instead of returning the IP address of the site you want to visit, the malicious server returns a forged IP address. In other words, malefactors trick your browser — not you — into loading a phishing webpage instead of the site you were looking for. The scariest part is that both you and your browser think the page is legit!</p>
<h3>The Brazilian job: A phishing campaign with hijacked routers</h3>
<p>In the <a target="_blank" href="https://www.ixiacom.com/company/blog/paypal-netflix-gmail-and-uber-users-among-targets-new-wave-dns-hijacking-attacks" rel="noopener noreferrer nofollow">most recent wave</a> of this type of attack, hackers were taking advantage of security flaws in D-Link DSL, DSLink 260E, ARG-W4 ADSL, Secutech and TOTOLINK routers. The attackers compromised the devices and modified their DNS settings. Whenever the owners of the hijacked routers tried to access their online banking accounts or service providers’ websites, the malicious DNS server under the hijackers’ control silently redirected them to phishing pages designed to steal their credentials.</p>
<p>During this campaign, the malefactors were going primarily after Brazilian users. They created fake sites mimicking those of Brazilian financial institutions and banks, as well as web hosting and cloud computing providers based in Brazil.</p>
<p>The hijackers also targeted users of some of the largest Internet services, including PayPal, Netflix, Uber, and Gmail.</p>
<h3>How to protect yourself from router-based phishing</h3>
<p>As we mentioned above, this kind of phishing is extremely hard to spot. However, the situation is not completely hopeless. We have a few tips:</p>
<ol>
<li>Log in to the router’s Web interface, change the default passwords, and disable remote administration and <a target="_blank" href="https://www.kaspersky.com/blog/secure-home-wifi/13371/?utm_medium=ipm&amp;utm_source=secnews&amp;utm_campaign=universal" rel="noopener noreferrer nofollow">other dangerous settings</a>.</li>
<li>Keep your router firmware up to date: updates usually fix vulnerabilities. For some models, the updates are delivered automatically, but for others they must be installed manually. Check your router manufacturer’s model info online to see how your router is updated.</li>
<li>Even when you’re accessing a familiar website, keep an eye out for unusual details and unexpected pop-ups. Try to click around several sections of the site; even when the design of a phishing page is highly professional, it’s almost impossible for malefactors to recreate an entire site with perfect fidelity.</li>
<li>Before typing in your credentials (or any sensitive data), make sure that the connection is secure (check the beginning of the URL for “https://” to verify) and always check whether the name in the certificate matches the name of the entity. To do so, click the lock sign in the browser’s address bar:</li>
</ol>
<ul>
<li>In Internet Explorer or Edge you will see the certificate details you need right away.</li>
<li>In Mozilla Firefox, you will then have to click <em>Connection</em>.</li>
<li>In Chrome, click the lock sign, then <em>Certificate</em>, then <em>General</em>, and check the <em>Issued to</em> line.</li>
</ul>