A DNS hijacking campaign has been discovered targeting Banco de Brasil and Itau Unibanco customer credentials through the end-user IoT devices.
Radware researchers said this is the first time modems and routers have been remotely exploited for performing DNS hijacking and as a result of the compromise any device with internet access in the home of an affected user is prone to be redirected to the fake websites, according to an Aug. 10 advisory from the firm.
All the while, the user is completely unaware of the change since the hijacking works without crafting or changing URLs in the user's browser.
The attack redirects users seeking popular financial site, such as those used to pay a bill or check a bank statement, to a phishing site instead. Researchers said the malicious DNS server controlling the attacks effectively becomes the middleman that provides the malicious actor with the flexibility to bring up fake portals and web fronts to collect sensitive information from users whose routers were infected.
“Using a global network of honeypots, researchers discovered malicious servers attempting to reconfigure vulnerable IoT devices in Brazil using an unauthenticated remote configuration url which changes the DNS server settings of the modems/routers and resulting in all name resolution within the home of the affected consumers to be routed through malicious DNS servers,” the firm said in the advisory.
“The malicious DNS servers were set up as such to respond like any ISP DNS server for most of the queries with the exception of two hostnames owned by two of the largest financial institutions in Brazil.”
These attacks are unique because while most IoT botnets are used to perform DDoS attacks, mine cryptocurrency, provide anonymizing proxy services to conceal attacks, and collect confidential information, these attacks target the IoT device owner rather than other entities.
Radware has notified the targeted banks that were being spoofed in the malicious campaign and is working with the cloud provider hosting the malicious DNS and websites to take down the servers responsible for the attacks.
In order to protect themselves, users are instructed to remain vigilant in their cyber endeavors and pay attention to browser warnings notifications explicitly warn when users are not on secure connections and when the certificate of the site does not match the bank's hostname.
Users should also ensure their devices always remain up to date.