This type of attack works even against iPhone users

Feb 7, 2014 10:47 GMT

Security researchers from Poland’s Computer Emergency Response Team (CERT Polska) have observed an interesting attack aimed at online banking customers. It appears that cybercriminals are exploiting vulnerabilities in home routers in order to hijack their DNS settings and lure users to fake bank websites.

What’s interesting about this type of attack is that it doesn’t matter what type of device victims are using: they still get redirected to the phishing sites.

In fact, the attacks were first reported in late 2013 after iPhone users were presented with pages on which they had to enter their mTANs. This resembled an attack in which a threat such as ZeuS might be involved.

However, it turns out that ZeuS hasn’t been ported to iOS yet. Instead, cybercriminals hijacked the DNS settings of home routers and changed them so that when users visit a bank’s website they’re redirected to a phishing page.

The malicious websites mimic the banks’ genuine sites. However, they’re hosted on different domain names and they don’t use HTTPS connections. These are the only signs that could help users tell the fake sites apart from the real ones.

“The attack is possible due to several vulnerabilities in home routers that make DNS configuration susceptible to unauthorized remote modifications. The effects propagate to all users in local networks, regardless of hardware and system platform (provided they acquire DNS configuration from the router),” CERT Polska experts noted.

“In the resulting man-in-the-middle attack content of several e-banking websites is altered to include javascript injects that tricked users into giving up their usernames, passwords and TANs. Effectively, money is stolen from users’ bank accounts.”

Users in Poland who experience such attacks are advised to file a report with the CERT. In order to check if they’re impacted, users can inspect their routers’ settings to see if the configured DNS servers are correct.
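One way to run that check from a client that takes its DNS configuration from the router, as an added example (not from CERT Polska or the original article): it parses resolv.conf-style text and compares each resolver against an allow-list. The sample configuration, the allow-list and all addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample: resolver settings a client received from its router via DHCP.
SAMPLE_RESOLV_CONF = """\
search lan
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver 198.51.100.7  # constructed address, not on the allow-list
"""

# Assumption: the resolvers you expect, e.g. your ISP's (documentation-range value).
EXPECTED_RESOLVERS = {"203.0.113.53"}

# Address ranges that mean "a device on the local network", usually the router.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]


def parse_nameservers(text):
    """Return the valid nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                # Drop an IPv6 zone id such as fe80::1%eth0 before parsing.
                servers.append(str(ipaddress.ip_address(fields[1].split("%")[0])))
            except ValueError:
                continue  # malformed entry: ignore it
    return servers


def classify(server, expected=EXPECTED_RESOLVERS):
    """Label one resolver address."""
    ip = ipaddress.ip_address(server)
    if server in expected:
        return "expected"
    if ip.is_loopback:
        return "local-stub"        # local caching stub; inspect its upstream
    if any(ip in net for net in LAN_NETS):
        return "router-forwarder"  # router relays queries; check its WAN DNS
    return "unexpected"            # not on the allow-list: investigate


def audit(text, expected=EXPECTED_RESOLVERS):
    return {s: classify(s, expected) for s in parse_nameservers(text)}


if __name__ == "__main__":
    for server, verdict in audit(SAMPLE_RESOLV_CONF).items():
        print(f"{server:15} {verdict}")
```

A "router-forwarder" verdict does not clear the network: the client only sees the router's own address, so the DNS servers to verify are the ones in the router's WAN settings.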

It’s not difficult to protect yourself against such attacks. Make sure your router’s interface is not accessible via the Internet, change default access credentials, and update the device’s firmware if an update is available.