Only the primary DNS address points to rogue server

Feb 27, 2015 17:30 GMT

A small phishing email campaign has been deployed in Brazil with the purpose of compromising specific home router models and altering the DNS (domain name system) settings.

DNS servers translate domain names into the IP addresses of websites. Routers supplied by ISPs (Internet Service Providers) are configured to point to resolvers administered by the ISP so that the correct content is retrieved.

By changing the IP address of the DNS server configured on a router, an attacker causes the DNS requests to be directed to their own servers and is thus able to deliver whatever page they want, while the address bar in the web browser still shows the address entered by the victim (a pharming attack).

Brute-force log-in attempted on the router

The messages delivered through the campaign contain a link to a malicious page that runs a cross-site request forgery (CSRF) attack against the router’s administration page by calling IP addresses commonly used for accessing the device’s web-based administration console.

The URL includes an iframe with code designed to attempt to log in using a set of predefined credentials. If access is obtained, the primary DNS address is altered to one provided by the attacker, and the secondary one is set to a legitimate, public one.

This tactic reduces the chance of discovery because DNS queries are still resolved correctly whenever the rogue server is down.
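The "unknown primary, well-known public secondary" pairing described above is itself a detectable signature. The following added example (not code from the article or from Proofpoint) audits a router's configured DNS pair against an allow-list; the ISP resolver range and the sample router settings are constructed placeholders from RFC 5737 documentation space, to be replaced with the addresses your ISP actually hands out.

```python
"""Flag router DNS settings that match the pharming pattern from the campaign."""
import ipaddress
from typing import Optional

# Resolvers the ISP or organisation legitimately configures. The first entry is a
# constructed placeholder (documentation range); the rest are real public resolvers.
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("198.51.100.0/24"),  # constructed: ISP resolver range
    ipaddress.ip_network("8.8.8.8/32"),       # Google Public DNS
    ipaddress.ip_network("8.8.4.4/32"),       # Google Public DNS
    ipaddress.ip_network("1.1.1.1/32"),       # Cloudflare
    ipaddress.ip_network("9.9.9.9/32"),       # Quad9
]


def is_trusted(addr: str) -> bool:
    """True if the address falls inside any allow-listed resolver network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_RESOLVERS)


def audit_dns(primary: str, secondary: Optional[str]) -> dict:
    """Classify a router's primary/secondary DNS pair.

    'pharming_pattern' is the exact arrangement the article describes: an
    unknown primary paired with a legitimate public secondary, so resolution
    keeps working (and the victim notices nothing) when the rogue host is down.
    """
    p_ok = is_trusted(primary)
    s_ok = secondary is not None and is_trusted(secondary)
    if p_ok and (secondary is None or s_ok):
        return {"verdict": "ok", "reason": "all resolvers are on the allow-list"}
    if not p_ok and s_ok:
        return {"verdict": "pharming_pattern",
                "reason": f"primary {primary} unknown, secondary {secondary} is public"}
    return {"verdict": "suspicious",
            "reason": "at least one resolver is not on the allow-list"}


# Constructed sample of what a compromised router in the campaign might report.
SAMPLE_ROUTER_DNS = {"primary": "203.0.113.7", "secondary": "8.8.8.8"}

if __name__ == "__main__":
    print(audit_dns(**SAMPLE_ROUTER_DNS))
```

Run it against the values shown on the router's WAN or DHCP status page, or against DNS settings collected from a fleet of devices.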

Small number of phishing emails detected

Security researchers at Proofpoint discovered the campaign and say that it presents some oddities, one of them being the use “of phishing as the attack vector to carry out a compromise traditionally considered purely network-based.”

They say that fewer than 100 emails were observed from December 2014 until mid-January 2015, all of them directed at organizations and Brazilian users connecting to the web through UTStarcom and TP-Link routers.

One of the emails analyzed claimed to be from Telemar Norte Leste, the largest telecommunications company in Brazil, and it was intended to compromise a router it distributed to customers.

In a blog post on Thursday, Proofpoint said that this type of attack offers cybercriminals an easier way to misdirect victims to fraudulent pages as they do not have to compromise a public DNS, which is significantly more difficult to achieve.

The risks involved range from landing on malicious pages and having sensitive information (such as credentials for online accounts) intercepted to hijacked search results and the delivery of malicious software.

Images (2): Phishing email with link to CSRF attack page; brute-force code included in the malicious iframe.