A Brazilian cyber-criminal group has attempted to hijack consumers’ traffic and redirect victims to fake banking sites by changing their router settings, according to an analysis by security firm Kaspersky Lab.
The attack, which appears to have affected 3,300 victims in three days, uses an email to lure potential victims to an attacker-controlled Website. When the victim goes to the site, the attackers use Javascript to mount a dictionary attack against the victim’s home router.
The attack is not exploiting a particular vulnerability, but using the capabilities built into most browsers by default, Dmitry Bestuzhev, head of global research and analysis for Kaspersky’s Latin America team, said in an email interview.
“There is no vulnerability exploitation in this particular attack, (just the) ‘normal’ behavior that allows, via JavaScript, certain commands to execute in the browser which result in actions,” he said. “If JavaScript is not allowed in the browser, (even though) the victim clicks on the malicious URLs … the attack won’t be successful.”
While 60 percent of the victims are in Brazil, 22 percent are in the United States with smaller numbers spread throughout the world, according to the Kaspersky analysis.
Cyber-criminals do not often focus on compromising routers, but recent research has shown home routers are often vulnerable. Outdated system software and the relative difficulty of updating the software as well as the use of weak passwords undermine the security of the devices.
In 2008, two researchers showed that Flash content embedded in a Web page could be used to mount an attack on a victim’s router. In 2013, researchers at security firm Rapid7 found that an estimated 50 million devices, including many in Brazil, were vulnerable to a flaw in the Plug-and-Play (PnP) protocol.
In the latest attack, the cyber-criminal group uses a script running on a compromised or malicious Website to guess default and popular user name-password combinations. If the victim has not changed their default password, then the attacker compromises the router. The victim does not need to have their router’s Web page open in the browser for the attack to succeed. The guessing attempts will just happen in the background, invisible to the user.
Only if the attack is unsuccessful will the malicious Web server use the script to outright ask for credentials, the analysis stated.
“If you’re using default credentials in your home router, there won’t be an interaction and you’ll never realize that the attack has occurred,” the Kaspersky analysis stated. “If you’re not using default credentials, then the Website will pop up a prompt asking you to enter it manually.”
Users should change the passwords on their routers and never give their user name and password to an untrusted Website, Kaspersky advises.