
New hack exploiting router vulnerabilities discovered in Brazil

A new attack technique has been spotted in Brazil: it exploits vulnerabilities in the user's home router to divert the victim to a fake site and steal their personal data.

The technique, first documented by the security firm Proofpoint, exploits security flaws in home routers to reach the administrative console. The attackers then change the router's DNS (Domain Name System) settings, so that the unsuspecting victim is diverted to a fake site even when the correct address is typed into the browser.

This type of attack is known as pharming.

Pharming is not an easy task, though, as it normally requires access to an ISP's or an organisation's DNS servers. Those DNS systems are typically well protected; home routers are not.

"Attackers use poisoned DNS servers to redirect address requests, usually for online banking sites, to a realistic but completely fraudulent site in order to harvest the online banking credentials of the unsuspecting end-user," Proofpoint writes.

"Pharming is generally a passive attack technique, in that it requires waiting for a DNS lookup from a potential victim to be routed to the poisoned server."

This type of attack means not only that the attacker can divert the victim to a site of their choosing even when the address is typed correctly, but also that the attacker can perform man-in-the-middle attacks.

Such attacks mean the attacker can intercept emails, logins and passwords for websites, and hijack search results.
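The redirection described above is visible from any machine on the home network, because the tampered router hands out the rogue resolver and the rogue resolver returns the wrong addresses. The script below is an added example, not code from Proofpoint or from the article, showing two defender-side checks: whether the resolvers a client received are ones the household or ISP actually chose, and whether a sensitive domain resolves to the same addresses through the local resolver as through a trusted one. The allowlist, the LAN range and every IP address and domain in it are constructed sample values, so it runs offline.

```python
"""Defender-side checks for router-level pharming (added example, not Proofpoint code).

Two signals catch a router whose DNS settings have been changed:
  1. the resolvers the router hands out (via DHCP / in resolv.conf) are not the
     ones the household or ISP chose;
  2. a sensitive domain resolves differently through the local resolver than
     through a resolver you trust.
All inputs below are constructed samples so the script runs offline.
"""
import ipaddress
import re

# Constructed allowlist (assumption): the ISP's resolvers plus two public ones.
# In practice this is whatever the household or ISP actually configured.
TRUSTED_RESOLVERS = {"203.0.113.53", "203.0.113.54", "1.1.1.1", "8.8.8.8"}


def parse_resolv_conf(text):
    """Return the nameserver IPs listed in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            servers.append(m.group(1))
    return servers


def audit_resolvers(servers, trusted=TRUSTED_RESOLVERS, lan="192.168.0.0/16"):
    """Classify each configured resolver.

    A resolver inside the LAN is normally the router acting as a DNS forwarder;
    that is fine only if the router's upstream is also trusted, so it is marked
    'lan-forwarder' to prompt a look at the router config. Anything else not on
    the allowlist is 'unexpected', which is the pharming signal.
    """
    net = ipaddress.ip_network(lan)
    report = {}
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            report[s] = "invalid"
            continue
        if s in trusted:
            report[s] = "trusted"
        elif ip in net:
            report[s] = "lan-forwarder"
        else:
            report[s] = "unexpected"
    return report


def find_divergent(local, reference):
    """Return domains whose local answers share no address with the reference.

    local/reference map domain -> set of IP strings obtained from the router's
    resolver and from a trusted resolver respectively. CDN-hosted sites return
    varying addresses, so only a completely disjoint answer set raises an alarm.
    """
    divergent = {}
    for domain, local_ips in local.items():
        ref_ips = reference.get(domain, set())
        if ref_ips and not (local_ips & ref_ips):
            divergent[domain] = sorted(local_ips)
    return divergent


# Constructed sample: resolv.conf on a client behind a router whose DNS was changed.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP from the home router
nameserver 198.51.100.7   # rogue resolver (constructed value)
nameserver 192.168.1.1
"""

# Constructed resolutions: the bank domain points somewhere else locally,
# while the search domain overlaps with the trusted answer and is left alone.
SAMPLE_LOCAL = {
    "bank.example": {"198.51.100.20"},
    "search.example": {"203.0.113.10", "203.0.113.11"},
}
SAMPLE_REFERENCE = {
    "bank.example": {"203.0.113.80", "203.0.113.81"},
    "search.example": {"203.0.113.11"},
}

if __name__ == "__main__":
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("resolver audit:", audit_resolvers(servers))
    print("divergent domains:", find_divergent(SAMPLE_LOCAL, SAMPLE_REFERENCE))
```

On a real client the resolver list comes from the DHCP lease or the system resolver configuration, and the reference answers from a resolver contacted directly rather than through the router; the comparison logic stays the same. A "lan-forwarder" entry is not an alarm by itself, but it means the router's own upstream DNS setting is what needs checking against the allowlist.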

Over the course of four weeks, from December 2014 to mid-January 2015, Proofpoint researchers detected four distinct URLs distributed in a relatively narrow campaign of less than 100 email messages sent to a small number of organisations, and targeting primarily Brazilian users.

The attacks were aimed at customers who owned UTStarcom or TP-Link home routers.