Hijack attack aims to grab bank details via routers

LASER_oneXM

Researchers at DDoS protection specialist Radware have uncovered an attack aimed at Brazilian bank customers that seeks to steal credentials via a compromised router.

It employs malware that targets D-Link DSL modem routers using exploits dating back to 2015. A malicious agent attempts to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious server.

The malicious DNS server is then hijacking requests for the host name of Banco de Brasil and redirecting to a fake, cloned website hosted on the same malicious DNS server, which has no connection whatsoever to the legitimate Banco de Brasil website.

Another Brazilian financial institution, Itau Unibanco, is also being redirected, although it does not -- as yet -- have a cloned website. For all other DNS requests, the malicious server simply works as a forwarder and resolves just as an ISP DNS server would.

"This new attack is directly impacting the owners of IoT devices: the consumers," says Radware cybersecurity evangelist Pascal Geenens. "We have seen many different attacks on IoT devices and botnets enslaving these vulnerable, unmanaged devices in the past, but most were not affecting the consumer directly. As long as their routers were still connecting them to the world wide web, consumers didn't really care that their devices were involved in devastating DDoS attacks on online businesses or that their devices were helping to conceal targeted attacks of nation state-sponsored hackers. After BrickerBot, this is the second warning to consumers to start caring, be aware of the risks."
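A defender-side check for the behaviour described above (only selected bank host names are redirected, and the clone sits on the DNS server itself), added here as an example and not taken from the Radware report or the original post. The host names, addresses and the `audit` helper are constructed; real use would fill `OBSERVED` and `BASELINE` from live lookups against the router-supplied resolver and a resolver you trust.

```python
import ipaddress

# Constructed sample data: documentation-range addresses, placeholder host names.
ROUTER_DNS = "203.0.113.53"      # resolver address the router hands to clients
BASELINE = {                     # answers from a resolver you trust
    "bank.example": {"198.51.100.10", "198.51.100.11"},
    "news.example": {"192.0.2.80"},
}
OBSERVED = {                     # answers from the router-supplied resolver
    "bank.example": {"203.0.113.53"},   # selectively rewritten
    "news.example": {"192.0.2.80"},     # forwarded unchanged
}

def same_prefix(a, b, bits=24):
    """True if IPv4 addresses a and b share a /bits network (load-balancer tolerance)."""
    net = ipaddress.ip_network(f"{a}/{bits}", strict=False)
    return ipaddress.ip_address(b) in net

def audit(resolver_ip, observed, baseline):
    """Return {host: [reasons]} for host names whose answers look hijacked."""
    findings = {}
    for host, trusted in baseline.items():
        seen = observed.get(host, set())
        reasons = []
        # The report says the clone is hosted on the malicious DNS server itself,
        # so an A record equal to the resolver's address is a strong signal.
        if resolver_ip in seen:
            reasons.append("answer is the resolver's own address")
        # Weaker signal: nothing in common with the trusted answers, not even
        # the same /24. Treat as triage input, since CDNs vary answers by location.
        if seen and seen.isdisjoint(trusted):
            if not any(same_prefix(t, s) for t in trusted for s in seen):
                reasons.append("no overlap with trusted answers")
        if reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in audit(ROUTER_DNS, OBSERVED, BASELINE).items():
        print(host, "->", "; ".join(reasons))
```

Because the malicious server forwards every other query normally, spot-checking a few arbitrary host names will not reveal it; the watch list has to contain the sensitive names themselves.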
 
