While researching incidents that are reported to us, we encountered a new campaign of attacks against Internet banking, this time utilizing hacked home routers.
This is a variant of a method we first observed more than a year ago. The criminals take control of a home router and change its DNS settings, so that devices obtaining their network configuration from the router via DHCP use the criminals' DNS server instead of the ISP-provided ones.
The criminals' DNS server behaves like a legitimate one, with one exception: when a customer connects to an Internet banking service, the bank's hostname resolves to a proxy server run by the criminals, which intercepts the traffic between the user and the bank. Because the proxy cannot present a valid certificate for the bank's domain, the connection between the user and the proxy is downgraded from HTTPS to plain HTTP, letting the criminals read banking credentials in the clear and steal funds from the account.
What is new is that connections between the proxy and the banking service are not made directly but are routed through the hacked routers, so from the bank's point of view they originate from typical consumer address ranges and raise no suspicion.
The routers are hacked by brute-forcing passwords of administrative interfaces (Telnet, SSH, WWW) reachable from the Internet.
To protect yourself from this kind of attack, disable access to the router's administration interfaces (web panel, Telnet, SSH) from the WAN side, and replace any default or weak administrative password, since the routers are taken over by password guessing.
Indicators of compromise: hacked routers distribute DNS server addresses other than the ISP-provided ones to devices that obtain their network configuration via DHCP. Recent examples of malicious DNS servers: 126.96.36.199 and 188.8.131.52. Please report such occurrences using our incident report form.
A new report prepared by CERT Polska was published by ENISA (European Network and Information Security Agency) today: "Actionable Information for Security Incident Response". The publication is aimed at members of incident response teams and at everyone who collects, analyses and shares security-related information.