The website for one of Brazil’s biggest newspapers has been compromised with malware that tries to change the victim’s router DNS settings.
Web security company Securi published a report yesterday that Politica Estadao’s website was loading iFrames that carried out a brute-force attack against the victim’s home router’s admin credentials. A similar style attack was reported Sept. 2 by Kaspersky Lab researcher Fabio Assolini who said he spotted similar redirects leading victims to phishing sites posing as banks in Brazil.
“This ‘web-based’ approach was something new to Brazilian bad guys until now and we believe it will spread quickly amongst them as the number of victims increases,” Assolini wrote on the Securelist blog.
Assolini said the attacks he spotted start with a phishing email that tricks the victim into clicking on a malicious link, with most of the victims coming from Brazil and the U.S. The link takes the victim to a site hosting adult content while a malicious script runs in the background that could ask for the victim’s wireless access point credentials if it cannot guess their home router password.
Five domains and nine DNS servers were found in this attack hosting bank phishing sites, Assolini said. The methodology in the Estadao attack is not much different, Securi said.
“The payload was trying the user admin, root, gvt and a few other usersnames, all using the router default passwords,” said researcher Fioravante Souza of Securi.
The website was still compromised as of last night.
IFrame attacks are a popular hacker tool. Compromised websites generally load iFrames that redirect the victim’s browser to a website that either silently downloads more malware onto the hacked machine, or to a phishing website.
“We often spend time talking to web server infections, and drive by downloads, but we rarely talk to the other nefarious acts malicious actors can do. This is but one example of a wide range of actions available to the crackers,” Souza said.
Souza’s analysis points out that the hidden iFrame injection loads content from laspeores[.]com[.ar]. A second iFrame is then loaded and pulls content from a URL shortening service vv2[.]com. A third iFrame then loads, this one with malicious JavaScript that redirects to a third website, Souza said.
“The script is being used to identify the local IP address of your computer said,” Souza said. “It then starts guessing the router IP by passing it as a variable to another script.”
Hackers are well aware of the shortcomings of home and small business routers, most of which are woefully shy of appropriate patching levels, and are likely protected only by a default or weak password.
Therefore, an attacker able to redirect router traffic could carry out any number of additional attacks putting credentials, email, banking and other types of transactions at risk.
At the end of 2013, extensive man-in-the-middle attacks were at the core of a rash of home and small office router hacks where DNS settings were overwritten and DNS requests were redirected to malicious sites.
Team Cymru published a report on the attacks, citing evidence that more than 300,000 routers from leading manufacturers, including D-Link, TP-Link and others were involved. The researchers said the campaigns were similar to attacks against a number of banks in Poland in the spring, but are likely being conducted by separate hacker groups. Poland’s mBank was targeted by similar DNS redirection attacks, which attackers used to steal credentials for online accounts.
At the DEF CON conference last month, the SOHOpelessly Broken contest enumerated the security issues around SOHO routers. Fifteen zero-day vulnerabilities were disclosed and demonstrated during the contest, leading to seven full router compromises and another attack that could have led to corruption of the internal network. Tripwire researcher Craig Young was the big winner at the contest and told Threatpost that the routers lacked server authentication, and instead authenticated users on the browser. Compromising those passwords wasn’t difficult, he said.
This article was updated at noon ET with additional information from Kaspersky Lab.