Is Your Router Safe from a DNS-Based Attack?

We all know what phishing is: a target is contacted by email, telephone, or text message by someone posing as a legitimate institution or website in order to lure them into providing sensitive data such as banking or credit card credentials. The problem for attackers is that people have now become wiser and think twice before clicking.

A group of hackers has now found a new way to lure victims to spoofed websites without them having to click on anything suspicious. This new form of attack corrupts the Domain Name System (DNS) of home network routers, causing victims to be redirected to the attackers' phishing website.

The function of the DNS service is to translate a recognizable domain name, such as example.com, into an IP address. Communication between your computer and example.com is then passed through the Internet based on this IP address. What if every time a victim clicked on the bookmark for their bank (the real URL of the bank), the DNS system provided the address of the phishing website instead? These phishing websites are normally close-to-accurate replicas of the target bank’s website. In addition, they even open a session identical to the real bank on behalf of the victim, based on the user name and password that they just entered. These sessions show the target’s actual account balance, so the victim has no reason to suspect that something has gone wrong.

The latest DNS hack, which targeted the customers of two of the largest banks in Brazil, Banco do Brasil and Itau Unibanco, aimed at vulnerabilities in bank users’ home router devices. As recent events have shown, home routers are notoriously susceptible to hacking, due to their typically low level of internal security.

By using an attack called DNS Hijacking on a home router, the hackers were able to replace the legitimate IP addresses of these bank websites with the IP address of the phishing website to which the unsuspecting victim was then diverted.

The DNS-based attacks on Banco do Brasil and Itau Unibanco were carefully crafted to redirect bank customers towards the malicious websites. Once the credentials of the customer were obtained, a new session to the actual bank was opened so that live data such as the bank account balance could be retrieved and presented to the victim. The bank users were totally unaware of this activity as the web page URL remained unchanged.

Several Internet browsers do contain built-in security warnings that could be ignored by the end user. For example, Google’s Chrome browser will display a warning that something is suspicious with the DNS activity. Another alert is produced when a secure site contains an initial “http” string at the beginning of a URL in place of the secure “https”.

The faked Banco do Brasil web pages phished bank customers for their:

  • Bank Agency number
  • Account number
  • 8-digit PIN
  • Mobile phone number
  • Payment card PIN

Once in the hands of the cybercriminals, any of those data items could be used to access the bank customer’s account and steal their funds. Fortunately, the fake sites were removed, and to clean the cache all that was required was a manual reset of the router by the users themselves, or by their ISP.

Network routers such as the ones hacked in the Brazilian bank attacks are only one item in a group of IoT devices that are difficult to patch, and in many cases, are no longer supported by the original manufacturers. IoT devices, including communication hardware, consumer devices, and household appliances in particular, are creating a growing vulnerability surface targeted by hackers. The unfortunate fact is that most Internet users are not tech-savvy, and only very few of them will consistently maintain any formal or robust password policy. This suggests that the most effective way to protect against DNS or any other form of IoT attack is by placing the responsibility for Internet security in the hands of the ISP that possesses the tools and experience to mitigate these forms of attack.

With a track record built on proven success with the world’s largest deployed network-based security service, Allot’s Home Secure provides security for home IoT, smart appliances, and home offices.



*** This is a Security Bloggers Network syndicated blog from Allot Blog authored by Moshe Elias. Read the original post at: https://allot.com/blog/dns_attack/