Researchers at cybersecurity vendor Radware Ltd. discovered hackers using a D-Link router vulnerability to send users to a fake banking site in order to steal their credentials. What is this vulnerability and how did it enable attackers to direct victims to malicious sites?
Researchers at the Radware Threat Research Center recently found a D-Link router vulnerability that attackers are exploiting to send users to a fake banking site in order to steal their credentials.
The vulnerability is a lack of authentication that enables an attacker to change the domain name system (DNS) server settings in the victim's router. The underlying flaws are two years old, and they let the attacker make the change remotely without alerting the victim.
During this attack, the victim manually types a URL into any browser on a phone or tablet and is redirected to the fake bank site, with no change to the URL shown in the browser's address bar. The D-Link router vulnerability lets the attacker exploit routers that have not been updated in the two years since the issue was originally found. Vulnerable routers that allow unauthenticated remote DNS changes include:
- Shuttle Tech ADSL Modem-Router 915 WM;
- D-Link DSL-2740R;
- D-Link DSL-2640B;
- D-Link DSL-2780B Dlink_1.01.14; and
- D-Link DSL-526B ADSL2+ AU_2.01.
Another D-Link router vulnerability enables an attacker to bypass authentication, but only the D-Link DSL-2730B AU_2.01 router model is vulnerable to this attack.
This past summer, the attackers changed the malicious DNS server IP to 220.127.116.11 so that the hostname for Banco do Brasil resolved to a fake website. The fake site used a self-signed certificate with a start date of Aug. 1, 2018, which the Radware researchers showed in their report:
$ curl -vk https://18.104.22.168/pbb/web/
* Server certificate:
* subject: CN=WIN-EKNRP3TTHAF
* start date: Aug 1 19:36:40 2018 GMT
Last-Modified: Fri, 04 May 2018 00:36:26 GMT
After trying to access their accounts through the fake website, victims are prompted for their bank agency number, their account number and an eight-digit PIN. The fake website then asks victims for a mobile phone number, a card PIN and a CABB number.
If the victim enters an unsecured URL (any URL starting with http:// instead of https://), the browser does not warn that the connection is insecure, because the fake website accepts unsecured connections. If the victim enters https://, requesting a connection over the secured HTTPS protocol, the fake website overtakes or ignores the secured connection.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)