An ongoing DNS hijacking campaign significantly increased its activity this past September, leveraging over 100,000 compromised home routers in order to redirect Brazilian e-banking customers to phishing web pages.

Previously reported on last August by Radware, the campaign uses a remote configuration URL to modify the DNS server settings of exploited networking devices so that unsuspecting users are sent to phishing sites where they are asked to enter their banking credentials.

This past weekend, Qihoo 360’s Netlab team chimed in on the threat, which it calls GhostDNS, noting in a blog post that the campaign involves 52 hijacked domain names, at least 19 confirmed phishing pages, and more than 70 exploited router and firmware models. Some of the targeted domains belong to financial institutions like Citibank and Banco do Brasil, while others are owned by Avira antivirus software and Netflix.

Netlab says that GhostDNS’ activity picked up heavily beginning on Sept. 20, with a host of new scanners seeking out vulnerable routers whose passwords could be brute-force guessed or whose authentication process could be bypassed.

The attack involves four components: a “DNSChanger” malware program that conducts information collection and exploitation, a web phishing module, a rogue DNS server and what appears to be a web admin module.

According to Qihoo, the DNSChanger module can be broken down into three separate versions based on the Shell Code, Javascript, and the Python and PHP programming languages.

The PyPhp (Python/php) version is the most commonly used, as it has been deployed on over 100 servers, most of which reside on Google Cloud, Qihoo reports. It is comprised of a Web API that controls the program, a scanner and an attack module that includes 69 attack scripts for 47 different devices and firmwares.

The scanner seeks out targeted router IPs in Brazil, passing those along to the attack module, which uses both brute-force attacks and an authentication exploit to achieve device compromise.

Qihoo notes that one of the PyPhp DNSChanger nodes included the aforementioned apparent web admin module; however, researchers don’t know much about this component yet.

Meanwhile, the Shell version contains 25 attack scripts and can infect 21 devices and firewares, using the Fast HTTP Auth Scanner to scan for routers and then leveraging these devices’ information to crack their web authentication passwords. 

By comparison, the Js version has 10 attack scripts and affects six devices and firmware programs. It is typically injected into phishing websites and works in conjunction with the aforementioned phishing web system. In its post, Qihoo explains how the module’s scanners look for open intranet IP addresses typically used by routers, then pass those IPs along to a payload generator that creates a payload based on the router IP and Rogue DNS IP. Next, the module hijacks the DNS through a series of password guesses via https requests.

“The GhostDNS system poses a real threat to [the] Internet. It is highly scaled, utilizes diverse attack vector[s], [and] adopts [an] automated attack process,” reads the Qihoo report. “We recommend the broadband users in Brazil to update their router systems, check if the router’s default DNS server is changed and set more complicated password[s] for [the] router web portal. We also recommend the router vendors to increase the complexity of router default password[s] and enhance the system security update mechanism for their products.”