Sorry, but this post is not available in English

20 March 2015 Łukasz Siewierski


Another year, another wave of home router hacks

11 March 2015 alex

While researching incidents that are reported to us, we encountered a new campaign of attacks against Internet banking, this time utilizing hacked home routers.

This is a variant of a method we first observed more than a year ago. The criminals take control of a home router and change its DNS settings so that, instead of the ISP-provided DNS server addresses, devices obtaining DNS settings from the router use the criminals’ DNS server.

The criminal DNS server works the same way as the legit one, with one exception: when a customer connects to an Internet banking service, the browser is directed to a proxy server provided by the criminals, which intercepts the traffic between the user and the bank. The connection between the user and the proxy is downgraded from HTTPS to HTTP so the criminals can intercept banking credentials and steal funds from the bank.

What is new is that connections between the proxy and the banking service are not direct, but are routed through the hacked routers, so from the point of view of the bank they are coming from typical consumer connectivity address ranges and thus raise no suspicions.

The routers are hacked by brute-forcing passwords of administrative interfaces (Telnet, SSH, WWW) reachable from the Internet.

To protect yourself from this kind of attack, disable WAN access to the router’s administration web panel.

Indicators of compromise: hacked routers distribute DNS server addresses other than the ISP-provided ones to devices that use DHCP network configuration. Recent examples of malicious DNS servers: and Please report such occurrences using our incident report form.
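The indicator above can be checked on a client by comparing the DNS servers received over DHCP with the ranges the ISP is known to use. The following is an added example, not part of the original post: it parses a dhclient-style lease file and reports resolvers outside an expected list. The lease contents, the `EXPECTED_NETS` value and all addresses are constructed placeholders from documentation ranges.

```python
import ipaddress
import re

# Constructed dhclient-style lease file (oldest lease first). All addresses
# come from documentation ranges; none is a real resolver.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 192.0.2.53,192.0.2.54;
}
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.66,192.0.2.53;
}
"""

# Assumption: the resolver range your ISP documents (placeholder value).
EXPECTED_NETS = ["192.0.2.0/24"]

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
DNS_RE = re.compile(r"option\s+domain-name-servers\s+([^;]+);")


def resolvers_per_lease(text):
    """Return the DNS servers handed out in each lease block, in file order."""
    leases = []
    for body in LEASE_RE.findall(text):
        match = DNS_RE.search(body)
        raw = match.group(1).split(",") if match else []
        leases.append([ipaddress.ip_address(a.strip()) for a in raw])
    return leases


def audit(text, expected_nets):
    """List (lease_index, [unexpected resolvers]) for leases that have any."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    findings = []
    for index, servers in enumerate(resolvers_per_lease(text)):
        odd = [str(s) for s in servers if not any(s in n for n in nets)]
        if odd:
            findings.append((index, odd))
    return findings


if __name__ == "__main__":
    for index, odd in audit(SAMPLE_LEASES, EXPECTED_NETS):
        print(f"lease #{index}: resolver(s) outside expected ranges: {odd}")
```

If the router normally hands out its own LAN address as the resolver, add that address to the expected list; the check only covers what DHCP distributes to clients.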


ENISA publishes report on actionable information

19 January 2015 pp


A new report prepared by CERT Polska was published by ENISA (European Network and Information Security Agency) today: “Actionable Information for Security Incident Response”. This publication is aimed at members of incident response teams and everyone who collects, analyzes and shares security-related information.


iBanking is back in Poland

16 January 2015 Łukasz Siewierski

CyberROAD – Invitation to participate in the project survey

31 December 2014 przemek

Server-side n6 code released as open-source

29 December 2014 pp

Banatrix – an in-depth look

15 December 2014 Łukasz Siewierski