Exploiting DLink Routers

Hackers have adopted a clever approach to swindle users of their hard earned money without letting them have a slightest clue.

The loopholes in the DLink DSL modem routers have been ingeniously leveraged by cyber miscreants to deceive users.

Let us check the process of handling user based queries & requests for web pages and routines over internet after we get acquainted with the following terms:

DSL (Digital Subscriber Line): High Speed digital data transfer between servers and systems using telephone lines.

DNS Server (Domain Name System ): It is a service on multiple servers  to resolve the browsing URL that the user inputs to IP (Internet Protocol) Addresses where the website is found.

Let us now proceed and understand how a web page is displayed when a user inputs a URL

Every single URL on the internet has an IP address assigned to it. The IP address points to the computer that hosts the server of the website we are requesting to access.

When a user enters a URL (website address), the request is made to a DNS server. The DNS server resolves a host-name like www.gmail.com to the corresponding IP address like 172.217.167.37. Your computer then connects to the IP address to establish the desired connection.

Exploiting DLink Routers – How are DLink Routers exploited to Redirect Users to Fake Brazilian Banks?

The age old vulnerabilities in the configuration of DLink modem routers are exploited by cyber maniacs to redirect users to fake banking websites and steal their login credentials.

The flaw in the Dlink routers allows attackers to remotely configure the DNS server. Hence when a user inputs URL, these modified settings of the server redirect them to a fake page instead of an actual one.

Researchers at Radware, a security firm have recently unveiled that attackers are exploiting vulnerabilities in Link DSL modem routers to direct  user queries trying to visit two Brazilian bank sites – Banco de Brasil (www.bb.com.br) and Itau Unibanco (hostname www.itau.com.br) to malicious fake clones of the sites.

The web pages looked legitimate and identical to the original websites. The fake web page demands for bank account number, mobile number, card pin and eight digits pin. When the user enters the data, this information is captured and sent to hackers.

The malicious DNS servers used in this attack were 69.162.89.185 and 198.50.222.136.

What makes the attack hard to catch?

The attack (Exploiting DLink Routers) is insidious as users don’t get to know about the modified/suspicious web page as the hijacking is performed without any user interaction. It doesn’t involve an email or something that user can suspect and report or avoid clicking on.

As a result, the users were getting redirected to the malicious web pages irrespective of the devices, browsers, modes and links used to access the original sites.

How to identify the malicious act?

Banking websites are always secured by high end technology using HTTPS protocol. However, these forged websites were deemed ‘NOT SECURE’.

Users received certificate warnings when they attempted to access these illegitimate web pages.

It is advised that users should check their router’s configured DNS server settings to identify any suspicious acts or setting changes.

Hits: 158