Delaware, USA – August 14, 2018 – Hackers compromise D-Link DSL routers in Brazil and change the DNS settings so that devices connect to attackers’ DNS servers. This scheme allows attackers to redirect targeted users to phishing websites, practically indistinguishable from real ones. The only visible difference is the browser marks pages as insecure so users can guess about their malicious purposes. Attackers exploit a vulnerability in certain models of D-Link DSL that allows changing DNS settings without any authentication remotely. Experts from Radware reported that attackers use malicious DNS servers 220.127.116.11 and 18.104.22.168 and they targeted users of banks Banco de Brasil and Unibanco. Using this scheme, attackers can steal the account number, eight-digit PIN-code, card PIN, phone number, etc.
There are hundreds of thousands of vulnerable devices in the world. For example, the recent massive cryptojacking campaign targeted MikroTik routers started in Brazil and quickly spread to routers around the world. Detecting the result of malicious interference is difficult; however, using SIEM and DNS Security Check use case, you can find changes to the DNS settings before any sensitive data is stolen.