New Router Exploit Auto-redirects to Rogue Sites
A security firm says hackers have hijacked 180,000 routers in Brazil alone so far this year. They target people who haven't changed the default login for the router's control system.
According to Avast, there have been more than 4.6 million attempts to modify router settings remotely. Although the attacks were targeted at people using particular Internet service providers in Brazil, there's no reason the same tactics couldn't work elsewhere.
The goal of the attacks is to change the DNS settings on a router. In simple terms, DNS is like the address book that a router uses to turn a website address (such as google.com) into an IP address (such as 172.217.11.14) that identifies the specific server that physically houses a website.
Real Sites Redirected to Malicious Sites
Once a router has been switched to a bogus DNS server, the attackers can reroute attempts to visit popular websites (such as Netflix) to a fake copy of the same website. The fake site can then be used to trick the victim into typing in their user name and password for the real site, to deliver malware, or to hijack the computer's resources.
The address shown in the browser will look normal. However, if the website uses HTTPS, the fake version won't show the usual padlock symbol. (Source: arstechnica.com)
The attack itself starts with a compromised website that opens up another page in the background. This page is designed to remotely hunt around the user's local network looking for a router. It then tries logging in using common default logins for the router, such as "admin" for user name and "admin" for password. Note that these are user names and passwords for the router itself, not for a WiFi network.
Default Passwords A Risk
Other passwords were also targeted. For example, the password "gvt12345" was aimed at routers issued to customers by a specific Brazilian Internet service provider which used this password as a default.
According to Avast, some of the key ways to protect against such attacks include:
- Ensuring that router firmware is up to date. This will make it harder for attackers to scan a local network.
- Changing the default router admin username and password. Most routers will have details of how to access these settings printed on the bottom of the router itself.
- Double-checking for the padlock logo when using a sensitive website such as online banking or email. (Source: avast.io)
What's Your Opinion?
Have you ever used your router's admin settings? Have you changed the login details? Do ISPs and router manufacturers give clear enough information on this topic?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!
Comments
at&t routers
The AT&T router that came with the internet setup I got has no login admin or password. I recently noticed the firewall was turned off and complained of other problems with my internet and got AT&T to send me a router with admin and password settings. I wonder how many of these defective routers are sitting out there ready for such attacks as in the article? The model number of the router is NVG510.