Last week, Radware’s Threat Research Centre identified a hijacking campaign aimed at Brazilian bank customers through their IoT devices, attempting to steal their banking credentials.
The research centre had been tracking malicious activity targeting D-Link DSL modem routers in Brazil since June 8th. Through known old exploits dating from 2015, a malicious agent has been attempting to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious DNS server.
The malicious DNS server is hijacking requests for the hostname of Banco do Brasil (www.bb.com.br) and redirecting them to a fake, cloned website hosted on the same malicious DNS server, which has no connection whatsoever to the legitimate Banco do Brasil website.
The hostname of Itau Unibanco, another Brazilian financial institution (www.itau.com.br), is also being redirected, although it is not backed by a cloned website for now. For all other DNS requests, the malicious server works as a forwarder and resolves just as an ISP DNS server would.
The malicious DNS server set up by the hackers becomes an effective man-in-the-middle that gives the malicious actor the flexibility to bring up fake portals and web fronts to collect sensitive information from users whose routers were infected. What is unique about this approach is that the hijacking is performed without any interaction from the user.
Phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user’s browser have been reported as early as 2014 and throughout 2015-2016. In early 2016 an exploit tool known as RouterHunterBr 2.0 was published on the internet and used the same malicious URLs, but there are no reports that we are aware of to date of abuse originating from this tool.
The attack is insidious in the sense that the user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. Users can use any browser and their regular shortcuts, type in the URL manually, or even browse from mobile devices such as iPhones, iPads, Android phones or tablets. They will still be sent to the malicious website instead of the one they requested, so the hijacking effectively works at the gateway level.
All of Radware’s São Paulo-based honeypots captured these attempts, without exception. The rest of the global deception network did not capture any of these attempts, meaning the malicious agent was focusing his attack on Brazilian targets only, trying to increase efficiency while staying under the radar from honeypots outside of Brazil.
When trying to access the account through the fake cloned website, the user is presented with a form asking for the bank agency number, account number and an eight-digit pin. Next, the fake site requires confirmation of identity by asking users to provide mobile phone, card pin, and a CABB number.
Impact on end-users
The banks referenced above were not directly attacked nor breached, however their users can suffer financial and private data losses through this malicious hijacking attack. The ‘only’ indicator for the user is the invalid certificate which all modern browsers clearly indicate when using secure connections. It is not even possible to access the website without explicitly confirming the “Not Secure” exception.
However, the malicious website, unlike the original website, does allow unsecure connections. If the user, for some reason, bookmarked or typed an unsecured URL (http:// instead of https://), the malicious website will happily stay in unsecure connection and there will be no visible warning for the user.
Another impact on the victims will occur when the malicious DNS server goes offline or is taken down. The attacker is attempting to modify both primary and secondary name servers with the same malicious server IP, meaning that when the malicious server is offline, all infected homes will fail to further resolve any hostnames and their internet will be virtually inaccessible until the users manually update their router settings, or the ISP overrides the settings.
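The two hijack fingerprints described above, a bank hostname answered by the router's DNS server with an address that differs from a trusted resolver (and that points at the DNS server itself), and primary and secondary resolvers both set to the same non-ISP address, can be checked from a single snapshot of a router. The following is an added example, not Radware's code; the ISP resolver allowlist, the server addresses and the resolved IPs are all constructed placeholders.

```python
# Added example: heuristics for spotting a router-level DNS hijack of the kind
# described in the article. All addresses below are constructed placeholders.

# Resolvers the home is expected to use (ISP or deliberately chosen public ones).
EXPECTED_RESOLVERS = {"200.0.2.10", "200.0.2.11"}
# Hostnames the article says were hijacked; a list keeps finding order stable.
WATCHED_HOSTS = ["www.bb.com.br", "www.itau.com.br"]


def assess_router_dns(primary, secondary, router_answers, reference_answers):
    """Return a list of hijack indicators for one router snapshot.

    primary/secondary: DNS servers currently configured on the router.
    router_answers: {hostname: ip} as resolved through the router's DNS.
    reference_answers: {hostname: ip} as resolved through a trusted resolver.
    """
    findings = []
    configured = {s for s in (primary, secondary) if s}
    for server in sorted(configured):
        if server not in EXPECTED_RESOLVERS:
            findings.append(f"resolver {server} is not an expected resolver")
    # The campaign wrote the same malicious IP into both resolver slots, which
    # also leaves the home without DNS once that server goes offline.
    if primary and primary == secondary and primary not in EXPECTED_RESOLVERS:
        findings.append("primary and secondary resolver are the same unexpected address")
    for host in WATCHED_HOSTS:
        got, expected = router_answers.get(host), reference_answers.get(host)
        if got is None or expected is None:
            continue
        if got != expected:
            findings.append(f"{host} resolves to {got} via router but {expected} via reference")
        # The cloned bank site was hosted on the server that answered the query.
        if got in configured:
            findings.append(f"{host} resolves to the configured DNS server itself ({got})")
    return findings


if __name__ == "__main__":
    # Constructed snapshot of an infected router: both slots point at the attacker.
    router = {"www.bb.com.br": "203.0.113.7", "www.itau.com.br": "203.0.113.7"}
    trusted = {"www.bb.com.br": "198.51.100.5", "www.itau.com.br": "198.51.100.9"}
    for line in assess_router_dns("203.0.113.7", "203.0.113.7", router, trusted):
        print(line)
```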
The targeted banks were notified as soon as we discovered the hijacking. Radware worked closely with the cloud provider hosting the malicious DNS and web sites and is happy to report that the servers were taken offline.
Only modems and routers that were not updated in the last two years can be exploited. An update will not only protect the owner of the device but also prevent devices from being enslaved for devastating DDoS attacks or used to conceal targeted attacks.
All modern browsers clearly indicate an issue with the certificate of the fake website when using secure connections. These warnings should never be ignored, and exception pop-ups should not be approved without further consideration or investigation. When facing such situations, users should be urged to contact the helpdesk of the organisation they were trying to access.
We’ve witnessed consumer IoT devices being enslaved in botnets devised to perform devastating DDoS attacks, mine cryptocurrency, provide anonymising proxy services to conceal attacks and collect confidential information.
Most of the activities related to IoT malware victimising consumers’ IoT devices are not directed at the device owners. Owners are mostly unaware, or they don’t care as long as the primary function of the device is not compromised.
BrickerBot was the first exception, forcing users to care by bricking their devices if they did not and the devices became infected with IoT malware.
This new attack, which targets the IoT device owner in an attempt to obtain their sensitive data, is another reason for consumers to care about the state of their devices, follow best practices, and buy from vendors that meet and demonstrate secure standards in the development of their devices.
Pascal Geenens, EMEA Security Evangelist, Radware
Image source: Shutterstock/Ai825