New Router Exploit Auto-redirects to Rogue Sites

John Lister's picture

A security firm says hackers have hijacked 180,000 routers in Brazil alone so far this year. They target people who haven't changed the default login for the router's control system.

According to Avast, there have been more than 4.6 million attempts to modify router settings remotely. Although the attacks were targeted at people using particular Internet service providers in Brazil, there's no reason the same tactics couldn't work elsewhere.

The goal of the attacks is to change the DNS settings on a router. In simple terms, DNS is like the address book that a router uses to turn a website address (such as google.com) into an IP address (such as 172.217.11.14) that identifies the specific server that physically houses a website.

Real Sites Redirected to Malicious Sites

Once a router has been switched to a bogus DNS server, the attackers can reroute attempts to visit popular websites (such as Netflix) to a fake copy of the same website. The fake site can then be used to trick the victim into typing in their user name and password for the real site, to deliver malware, or to hijack the computer's resources.

The address shown in the browser will look normal. However, if the website uses HTTPS security, the fake version won't show the usual padlock symbol. (Source: arstechnica.com)

The attack itself starts with a compromised website that opens up another page in the background. This page is designed to remotely hunt around the user's local network looking for a router. It then tries logging in using common default logins for the router, such as "admin" for user name and "admin" for password. Note that these are user names and passwords for the router itself, not for a WiFi network.

Default Passwords A Risk

Other passwords were also targeted. For example, the password "gvt12345" was aimed at routers issued to customers by a specific Brazilian Internet service provider which used this password as a default.

According to Avast, some of the key ways to protect against such attacks include:

  • Ensuring that router firmware is up to date. This will make it harder for attackers to scan a local network.
     
  • Changing the default router admin username and password. Most routers will have details of how to access these settings printed on the bottom of the router itself.
     
  • Double-checking for the padlock logo when using a sensitive website such as online banking or email. (Source: avast.io)

What's Your Opinion?

Have you ever used your router's admin settings? Have you changed the login details? Do ISPs and router manufacturers give clear enough information on this topic?


Comments

bruceevans6056_12521's picture

The AT&T router that came with the internet setup I got has no login admin or password. I recently noticed the firewall was turned off and complained of other problems with my internet and got AT&T to send me a router with admin and password settings. I wonder how many of these defective routers are sitting out there ready for such attacks as in the article? The model number of the router is NVG510.