100K Routers Hijacked for Phishing in GhostDNS Campaign

Security researchers warn about a massive attack campaign in which more than 100,000 routers had their DNS settings hijacked to redirect users to phishing websites.

The campaign has been dubbed GhostDNS and has been documented before, including by researchers from Radware in August. However, according to a new report from Qihoo 360’s Netlab, the attackers have significantly ramped up their efforts after Sept. 20, compromising more than 100,000 devices and hijacking traffic to more than 50 websites.

The GhostDNS hackers use what researchers call a DNSChanger module that’s made up of 100+ scripts capable of targeting more than 70 router models. Some of the scripts are written in Linux shell language, others in JavaScript and others in Python. Their goal is to gain access to devices by using brute-force attacks with default or weak credentials or through a known exploit for a component called dnscfg.cgi that’s found in some routers.

If successful in accessing a router, the scripts change its DNS settings so that it starts using a DNS resolver controlled by the attackers. Since most devices on a local area network rely on the network’s router for DNS resolution, the compromise allows attackers to redirect users to phishing pages when they try to access legitimate websites.

More than 87 percent of the routers compromised by GhostDNS are located in Brazil and the majority of the targeted websites belong to banks, suggesting the attack is primarily financially motivated. However, requests to cloud hosting services and even Netflix are also being hijacked through the rogue DNS server.

“The GhostDNS system poses a real threat to the internet,” the Qihoo Netlab researchers said in their report. “It is highly scaled, utilizes diverse attack vector[s], [and] adopts automated attack process. We recommend the broadband users in Brazil to update their router systems, check if the router’s default DNS server is changed and set more complicated password for router web portal.”

One defense against phishing through DNS hijacking is to always use HTTPS. Attackers shouldn’t be able to obtain legitimate certificates for domains that do not belong to them, so even if they serve a different website to the user’s browser, that session will not be protected through HTTPS.

It’s important for users to verify they are on the correct domain name and to check that the connection is secure by looking for the HTTPS visual indicators in browsers. There are also browser extensions, such as HTTPS Everywhere, that ensure connections to popular websites are always secure.

Meanwhile, website operators can add their sites to the HTTP Strict Transport Security (HSTS) preload list. This will force browsers to only accept HTTPS connections to their domain names, preventing so-called SSL/TLS stripping or downgrade attacks.

Roaming Mantis Mobile Attack Campaign Goes Global

Security researchers warn that a mobile attack campaign dubbed Roaming Mantis that primarily targeted users in Japan and South Korea has now expanded globally and gained support for 27 languages.

Roaming Mantis first appeared on security researchers’ radar in April when it used DNS hijacking through compromised routers to redirect Android users to malicious applications that posed as updates for legitimate apps.

Since then, the attacks have evolved and the hackers are now using multiple distribution methods, including spreading URLs to malicious apps through SMS messages and through documents hosted on the Prezi.com service.

According to a new report by researchers from Kaspersky Lab, the malware now supports 27 languages and this is reflected in the language setting found on victims’ devices. The predominant locale is “en-us” (39 percent), followed by “ko-kr” (18 percent) and “ru” (17 percent). The large number of devices with “en-us” locale might be because people in many countries prefer to use English menus on their phones even though it’s not their native language.

The Roaming Mantis malware is used to direct users to phishing sites and web-based cryptominers. For example, the researchers have recently observed the attackers experimenting with web-based cryptomining for iOS.

“Judging from the list of stolen credentials, the attackers seems to have stolen a large amount of data from victims worldwide,” the Kaspersky researchers said. “This gives us a glimpse of the real scale of the attack, but we believe that this is just a tip of the iceberg.”

“We strongly recommend that Android users turn off the option that allows installation of applications from third-party repositories, to keep their device safe,” the researchers said. “They should also be suspicious if their phones become unusually hot, which may be a side-effect of the hidden cryptomining application in action.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42