Researchers at cybersecurity vendor Radware Ltd. discovered hackers using a D-Link router vulnerability to send users to a fake banking site in order to steal their credentials. What is this vulnerability and how did it enable attackers to direct victims to malicious sites?
Researchers at the Radware Threat Research Center recently found attackers exploiting a D-Link router vulnerability to send users of those routers to a fake banking site that steals their credentials.
The vulnerability is a missing authentication check on the router's remote configuration interface, which lets an attacker change the domain name system (DNS) server settings that the router hands out to every device on its network. The underlying flaws were disclosed about two years ago, so the attackers are exploiting known issues on unpatched routers, and because the change is made remotely on the router itself, nothing on the victim's devices is modified and the victim is not alerted.
Once the DNS settings point at the attacker's server, the victim simply types the bank's URL into a browser on a phone, tablet or any other device that relies on the router for name resolution. The bank's hostname resolves to the attacker's server, the fake bank site loads, and the address bar still shows the legitimate URL because nothing in the browser was touched. The D-Link router vulnerability affects routers that have not been updated in the two years since the issue was originally found. Vulnerable routers that allow unauthenticated remote DNS changes include:
- Shuttle Tech ADSL Modem-Router 915 WM;
- D-Link DSL-2740R;
- D-Link DSL-2640B;
- D-Link DSL-2780B Dlink_1.01.14; and
- D-Link DSL-526B ADSL2+ AU_2.01.
A second D-Link router vulnerability lets an attacker bypass authentication outright, but only the D-Link DSL-2730B AU_2.01 router model is affected by that one.
This past summer, the attackers pointed the hijacked routers at a malicious DNS server, 126.96.36.199, which resolved the hostname of Banco do Brasil to a server hosting a fake copy of the bank's website. That server presented a self-signed certificate with a start date of Aug. 1, 2018, which the Radware researchers demonstrated in their report with a curl request to the fake site:
$ curl -vk https://188.8.131.52/pbb/web/
* Server certificate:
* subject: CN=WIN-EKNRP3TTHAF
* start date: Aug 1 19:36:40 2018 GMT
Last-Modified: Fri, 04 May 2018 00:36:26 GMT
When victims try to log in to their accounts on the fake website, they are prompted for their bank agency (branch) number, their account number and an eight-digit PIN. The fake website then asks for a mobile phone number, a card PIN and a CABB number.
The certificate is the one place the attack shows itself to the victim. If the victim types an unsecured URL -- any URL starting with http:// instead of https:// -- the fake website simply answers over plain HTTP, there is no certificate for the browser to check, and the victim sees no warning at all. If the victim types https://, the fake site still answers, but it can only present the self-signed certificate shown above, which is neither issued by a trusted certificate authority nor issued for the bank's hostname (its subject is CN=WIN-EKNRP3TTHAF), so the browser would display a certificate warning that the victim has to click through before reaching the phishing page.
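The two client-side signals the attack leaves, as described above (a router-supplied DNS server that answers for the bank hostname with addresses no reference resolver returns, and a server at that address whose certificate a browser would reject), can be checked from any device behind the router. The script below is example code added to this article; it is not Radware's or D-Link's code. It assumes a placeholder hostname (bank.example), a router at 192.168.1.1 handing out DNS, and the public resolvers 1.1.1.1 and 9.9.9.9 as references; the DNS response and certificate dict embedded at the bottom are constructed sample data, the certificate subject copied from the curl output above.

```python
"""DNS-hijack checks for the attack described above. Example code added to this article,
not Radware's or D-Link's. Usage: python hijack_check.py bank.example 192.168.1.1"""
import secrets
import socket
import ssl
import struct
import sys

def build_a_query(hostname, txid):
    """Minimal DNS A/IN query with RD=1: header, one question, no EDNS."""
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Offset just past a DNS name; a 2-byte compression pointer ends the name."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg, txid):
    """Set of IPv4 addresses in the answer section of a DNS response."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("DNS transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

def query_a(hostname, server, timeout=3.0):
    """Ask one specific DNS server (e.g. the router's LAN address) for A records."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(hostname, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)

def dns_hijack_suspected(router_answers, reference_answers):
    """True when the router's resolver returns only addresses no reference resolver gave."""
    return bool(router_answers) and not (router_answers & reference_answers)

def cert_names(cert):
    """Subject CN and DNS SANs, lower-cased, from a dict in ssl getpeercert() form."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [n.lower() for n in names]

def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single wildcard as the whole leftmost label."""
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False

def cert_matches_hostname(cert, hostname):
    hostname = hostname.lower().rstrip(".")
    return any(name_matches(n, hostname) for n in cert_names(cert))

def tls_verdict(ip, hostname, timeout=5.0):
    """Classify the certificate at ip (SNI=hostname) as a browser would: untrusted chain, wrong name, ok."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # chain validation stays on; the name check is done below
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return f"untrusted chain: {e.verify_message}"
    return "ok" if cert_matches_hostname(cert, hostname) else f"name mismatch: {cert_names(cert)}"

# Constructed sample data (placeholder hostname; not captured from a real incident).
BANK_HOST = "bank.example"
HIJACKED_RESPONSE = (                       # TXID 0x1234, one A record: bank.example -> 192.0.2.10
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x04bank\x07example\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.10")
)
FAKE_CERT = {"subject": ((("commonName", "WIN-EKNRP3TTHAF"),),)}   # subject from the curl output

if __name__ == "__main__":
    host, router_dns = sys.argv[1:3]
    router = query_a(host, router_dns)
    reference = query_a(host, "1.1.1.1") | query_a(host, "9.9.9.9")
    print("hijack suspected:", dns_hijack_suspected(router, reference), router, reference)
    print({ip: tls_verdict(ip, host) for ip in router})
```

The DNS query is sent directly to the router's address rather than through the operating system's resolver so that the answer under test is the one the hijacked router gives. The TLS check keeps chain validation on but does the hostname match itself, which separates the two ways the fake site fails in a browser: a self-signed certificate like the one above fails the chain check before any name is compared, while a certificate that is trusted but issued for some other domain is caught by cert_matches_hostname. The plain-HTTP case needs no code at all: a victim who types http:// gets the page with nothing for the browser to verify.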
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)