Email-Based Pharming Attack Exploits Router Flaws

Exterminator
Community Manager, thread author
DNS servers are used to translate the domain names into the IP addresses of websites. Routers from ISPs (Internet Service Providers) are configured to point to valid machines administered by them in order to retrieve the correct content.

By changing the IP address of a DNS server on a router, an attacker causes the DNS requests to be directed to their own servers and thus be able to deliver whatever page they want, while the address bar in the web browser shows the address entered by the victim (pharming attack).
Brute-force log-in attempted on the router
The messages delivered through the campaign contain a link to a malicious page that runs a cross-site request forgery (CSRF) attack on the router’s page by calling IP addresses commonly used for accessing the device’s web-based administration console.

The URL includes an iframe with code designed to attempt to log in by using a set of predefined credentials. If access is obtained, the primary DNS address is altered to one provided by the attacker, and the second one to a legitimate, public one.

This tactic reduces the chance of discovery because the DNS queries are resolved correctly when the rogue server is down.
Small number of phishing emails detected
Security researchers at Proofpoint discovered the campaign and say that it presents some oddities, one of them being the use “of phishing as the attack vector to carry out a compromise traditionally considered purely network-based.”

They say that fewer than 100 emails have been observed from December 2014 until mid-January 2015, all of them directed at organizations and Brazilian users connecting to the web through UTStarcom TP-Link routers.

One of the emails analyzed claimed to be from Telemar Norte Leste, the largest telecommunications company in Brazil, and it was intended to compromise a router it distributed to customers.

In a blog post on Thursday, Proofpoint said that this type of attack offers cybercriminals an easier way to misdirect victims to fraudulent pages as they do not have to compromise a public DNS, which is significantly more difficult to achieve.

The risks involved range from landing on malicious pages and having sensitive information (such as credentials for online accounts) intercepted to hijacking search results and delivery of malicious software.
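A defensive check for the tactic described in the post, added here as an example and not part of the original news item or of Proofpoint's research: a router audit that flags the "rogue primary, legitimate public secondary" resolver pattern, plus a comparison of answers from the configured resolver against a trusted one. All resolver addresses, domain names and answer sets are constructed for the example (documentation ranges stand in for real ISP servers), and the allowlist of expected ISP resolvers is an assumption an administrator would fill in for their own environment.

```python
"""
Detect the router DNS hijack pattern where the primary resolver is replaced
by an attacker-controlled address while the secondary remains a well-known
public resolver, so resolution keeps working whenever the rogue server is
down.  Every address, domain and answer set below is constructed.
"""
from __future__ import annotations

import ipaddress

# Hypothetical allowlist: the resolvers the ISP ships on this router model.
# TEST-NET-3 (203.0.113.0/24) addresses are placeholders, not real servers.
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("203.0.113.53"),
    ipaddress.ip_address("203.0.113.54"),
}

# Public resolvers commonly left in place as the "legitimate" secondary.
WELL_KNOWN_PUBLIC = {
    ipaddress.ip_address(a) for a in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9")
}


def audit_dns_settings(primary: str, secondary: str) -> list[str]:
    """Return findings for the router's configured resolver pair.

    An empty list means both entries match the expected ISP resolvers.
    """
    findings: list[str] = []
    p = ipaddress.ip_address(primary)
    s = ipaddress.ip_address(secondary)
    if p not in EXPECTED_RESOLVERS:
        findings.append(f"primary resolver {p} is not an expected ISP resolver")
    if s not in EXPECTED_RESOLVERS:
        findings.append(f"secondary resolver {s} is not an expected ISP resolver")
    # The specific tactic from the campaign: an unknown primary paired with a
    # well-known public secondary, which hides the change when the rogue
    # server is unreachable.
    if p not in EXPECTED_RESOLVERS and s in WELL_KNOWN_PUBLIC:
        findings.append(
            "unknown primary paired with a public secondary: matches the "
            "rogue-primary / legitimate-fallback hijack pattern"
        )
    return findings


def divergent_domains(
    trusted: dict[str, set[str]], configured: dict[str, set[str]]
) -> list[str]:
    """Return the domains whose A-record answers differ between a trusted
    resolver and the router's configured resolver.

    A pharming resolver usually lies about a handful of high-value names and
    answers everything else correctly, so even one divergent domain matters.
    """
    return sorted(
        name
        for name in trusted
        if name in configured and trusted[name] != configured[name]
    )


if __name__ == "__main__":
    # Constructed router state: attacker-controlled primary, public secondary.
    for finding in audit_dns_settings("198.51.100.7", "8.8.8.8"):
        print("FINDING:", finding)

    # Constructed answer sets from the two resolvers for the same queries.
    trusted = {
        "login.bank.example": {"192.0.2.10"},
        "www.example.com": {"192.0.2.20"},
    }
    configured = {
        "login.bank.example": {"198.51.100.200"},  # rogue answer
        "www.example.com": {"192.0.2.20"},          # correct answer
    }
    print("divergent:", divergent_domains(trusted, configured))
```

When running the answer comparison against live resolvers, restrict it to domains whose addresses are known to be stable; names served by CDNs or geo-DNS legitimately return different addresses from different resolvers and would otherwise produce false positives. Checking the router's resolver pair on a schedule, or after any unexpected reboot, is the simpler and more reliable signal for this particular campaign.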