Windows 10 News and info | Forum
Author Topic: Hackers Exploiting DLink Routers to Redirect Users to Fake Brazilian Banks  (Read 143 times)
« on: August 12, 2018, 07:10:49 PM »

Attackers are targeting DLink DSL modem routers in Brazil and exploiting them to change the DNS settings to a DNS server under the attacker's control.

This then allows them to redirect users attempting to connect to their online banks to fake banking websites that steal the user's account information.

According to research by Radware, the exploit being used by the attackers allows them to perform remote unauthenticated changes to DNS settings on certain DLink DSL modems/routers. This allows them to easily scan for and script the changing of large amounts of vulnerable routers so that their DNS settings point to a DNS server under the attacker's control.

When a user tries to connect to a site on the Internet, they first query a DNS server to resolve a hostname like to an IP address like Your computer then connects to this IP address and initiates the desired connection. By changing the name servers used on the router, users will be redirected to fake and malicious sites without their knowledge and think they are legitimate and trustworthy.

The malicious DNS servers used in this attack were and These servers allowed the online banks for Banco de Brasil ( and Itau Unibanco (hostname to be redirected to fake clones.

"Unique about this approach is that the hijacking is performed without any interaction from the user," stated Radware's research. "Phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user's browser have been reported as early as 2014 and throughout 2015 and 2016. In 2016, an exploit tool known as RouterHunterBr 2.0 was published on the internet and used the same malicious URLs, but there are no reports that Radware is aware of currently of abuse originating from this tool."

When users visit the fake websites, they will look almost identical to the original banking site. At the fake site, though, they will be asked for the bank agency number, account number, eight-digit pin, mobile phone number, card pin, and a CABB number. This information is then collected by the attackers.

Example of Fake Cloned Bank Site (Source: Radware)

The only indication that something may be wrong will be that the browser will indicate that it is "Not Secure" as shown in the image above or there will be certificate warnings as shown below.

Certificate Warning on Fake Site

As you can see, this type of attack is quite dangerous as there are no phishing emails and no changes on the user's computer. Instead, everything is done on the router itself, so to the user, everything looks fine.

"The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user's browser," Radware further stated in the report. "A user can use any browser and his/her regular shortcuts, the user can type in the URL manually or even use it from mobile devices, such as a smartphone or tablet. The user will still be sent to the malicious website instead of to their requested website and the hijacking effectively works at the gateway level."

After learning about this new campaign, Radware had notified the banks and all of the malicious sites have since been taken offline.

For users who may be concerned that they are a victim of this type of attack, Radware recommends you use the site to check your router's configured DNS servers. You can then determine if there are servers that look suspicious as they will not be owned or assigned by your Internet service provider.

« Last Edit: August 12, 2018, 07:12:10 PM by javajolt »
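An added example, not part of the post or of Radware's report, showing the two defender-side checks the post describes in Python: flag router DNS servers that fall outside the ISP's address space, and compare bank hostname answers from the router's resolver against an out-of-band resolver. The ISP prefixes, hostnames and addresses are constructed placeholders (documentation ranges), so the script runs offline.

```python
"""Detect router DNS hijacking: resolvers outside the ISP's space and
answers that differ from an out-of-band resolver. Constructed data only."""
import ipaddress

# Constructed placeholder: prefixes the ISP is assumed to announce.
ISP_PREFIXES = [ipaddress.ip_network(p) for p in ("200.100.0.0/16", "2804:1234::/32")]


def suspicious_dns_servers(configured, isp_prefixes=ISP_PREFIXES):
    """Return configured resolvers that belong to none of the ISP prefixes.
    IPv4 addresses never match IPv6 networks (and vice versa), so mixed
    lists are handled without special-casing."""
    flagged = []
    for server in configured:
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in isp_prefixes):
            flagged.append(server)
    return flagged


def resolution_mismatches(router_answers, reference_answers):
    """Compare A records seen through the router's resolver with those from
    an out-of-band resolver; report hostnames whose answer sets differ,
    listing the addresses only the router's resolver returned."""
    mismatched = {}
    for host, ref in reference_answers.items():
        seen = set(router_answers.get(host, []))
        if seen != set(ref):
            mismatched[host] = sorted(seen - set(ref))
    return mismatched


# Constructed sample: WAN DNS entries as read from the router's admin page.
ROUTER_DNS = ["200.100.4.2", "203.0.113.77"]
# Constructed sample answers using RFC 5737 documentation addresses.
ROUTER_ANSWERS = {"bank.example": ["203.0.113.10"], "news.example": ["198.51.100.5"]}
REFERENCE_ANSWERS = {"bank.example": ["192.0.2.10"], "news.example": ["198.51.100.5"]}

if __name__ == "__main__":
    print("resolvers outside ISP space:", suspicious_dns_servers(ROUTER_DNS))
    print("hosts resolving differently:", resolution_mismatches(ROUTER_ANSWERS, REFERENCE_ANSWERS))
```

In practice the reference answers would come from a resolver reached without the router (for example over a mobile connection), and any flagged server or mismatched bank hostname is a reason to reset the router's DNS settings and update its firmware.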
