Phishing without borders, or why you need to update your router

April 29, 2019

What is the most common threat across cyberspace these days? It’s still phishing — there’s nothing new under the sun. But today’s router-based phishing doesn’t require you to fall for a hoax e-mail message. In fact, you can follow a whole bunch of standard rules — avoid using public Wi-Fi, hover over links before clicking, and so forth — but in the situation we discuss here, those rules won’t help. Let’s take a closer look at phishing schemes that involve hijacked routers.

How routers end up being hijacked

In general, there are two basic ways to hijack a router. The first approach is to take advantage of default credentials. You see, every router has an administrator password — not the one you use to connect to your Wi-Fi, the one you use to log in to the router’s administrator panel and to change its settings.

Although users can change the password, most leave it unchanged. And when we keep the default password set by a router’s manufacturer, outsiders can guess — or sometimes even Google — it.

The second approach is to exploit a vulnerability in a router’s firmware (of which there is no shortage) that allows a hacker to take control of the router without any password at all.

Either way, criminals can do their thing remotely, automatically, and on a massive scale. A hijacked router can be put to many uses, but the one we’re going to focus on here is phishing that is extremely hard to spot.

How hijacked routers can be exploited for phishing

After taking over your router, attackers modify its settings. It’s a tiny, unnoticeable change: They change the addresses of the DNS servers the router uses to resolve domain names. What does that mean, and why is it so dangerous?

Thing is, the DNS (Domain Name System) is the pillar of the Internet. When you enter a website address in your browser’s address bar, your browser doesn’t actually know how to find it, because browsers and Web servers use numerical IP addresses, not the domain names that humans are used to. So, the act of getting to a website looks like this:

  1. The browser sends a request to a DNS server.
  2. The DNS server translates the website’s address from human-readable form into its numerical IP address and returns it to the browser.
  3. The browser now knows where to find the website and loads the page for you.

It all happens very quickly and behind the scenes. But when your router is hijacked and your DNS server addresses are changed, all of your requests go to a malicious DNS server that is controlled by attackers. Instead of returning the IP address of the site you want to visit, the malicious server returns a forged IP address. In other words, malefactors trick your browser — not you — into loading a phishing webpage instead of the site you were looking for. The scariest part is both you and your browser think the page is legit!
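Two symptoms of the redirection just described can be checked for without any special tooling: the client has been handed a resolver address it was never supposed to use, or the router’s resolver answers a name differently from an independent resolver. The script below, an added example that is not part of the original article, implements both checks on constructed data: the resolv.conf text, the expected resolver list, the answer sets and every address (all from reserved documentation ranges) are assumptions for the sake of the demonstration.

```python
# Added example (not from the original article): two offline checks for the
# symptoms of router DNS hijacking described above. All addresses, the
# resolv.conf text and the DNS answers below are constructed sample data
# drawn from reserved documentation ranges, not real infrastructure.
import ipaddress

# Resolver addresses a client on this hypothetical home network is expected to
# receive: the router's own LAN address plus two well-known public resolvers.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}

# Constructed resolv.conf as a client might see it after the router was changed
# to hand out an attacker-controlled upstream resolver (203.0.113.66 is a
# documentation address standing in for the rogue server).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.66
"""

# Constructed answers: what the router-provided resolver returned, versus what
# an independent, trusted resolver (for example one reached over DNS-over-HTTPS)
# returned for the same names.
LOCAL_ANSWERS = {
    "bank.example": ["203.0.113.10"],   # forged: points at a phishing host
    "mail.example": ["198.51.100.5"],   # untouched
}
TRUSTED_ANSWERS = {
    "bank.example": ["198.51.100.20", "198.51.100.21"],
    "mail.example": ["198.51.100.5"],
}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # skip malformed entries
    return servers


def unexpected_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Resolver addresses the client was given that are not on the expected list."""
    return sorted(set(configured) - set(expected))


def answer_mismatches(local, trusted):
    """Names for which the local resolver's answer shares no address with the
    trusted resolver's answer. Returns {name: (local_ips, trusted_ips)}."""
    mismatches = {}
    for name, local_ips in local.items():
        trusted_ips = trusted.get(name)
        if trusted_ips is not None and not set(local_ips) & set(trusted_ips):
            mismatches[name] = (sorted(local_ips), sorted(trusted_ips))
    return mismatches


def hijack_findings(resolv_conf, local, trusted, expected=EXPECTED_RESOLVERS):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for server in unexpected_resolvers(parse_resolv_conf(resolv_conf), expected):
        findings.append(f"unexpected resolver handed to client: {server}")
    for name, (local_ips, trusted_ips) in answer_mismatches(local, trusted).items():
        findings.append(
            f"answer for {name} disagrees: local {local_ips} vs trusted {trusted_ips}"
        )
    return findings


if __name__ == "__main__":
    for finding in hijack_findings(SAMPLE_RESOLV_CONF, LOCAL_ANSWERS, TRUSTED_ANSWERS):
        print("WARNING:", finding)
```

Two caveats apply when running something like this for real. Many routers hand clients only their own LAN address and forward queries upstream, so the client’s resolver list can look perfectly normal while the router’s WAN-side DNS setting (visible in its admin page) has been changed; in that case the answer comparison is the check that still works. And sites served from content delivery networks legitimately return different addresses to different resolvers, so a disjoint answer set is a signal to investigate, not proof of tampering.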

The Brazilian job: A phishing campaign with hijacked routers

In the most recent wave of this type of attack, hackers were taking advantage of security flaws in D-Link DSL, DSLink 260E, ARG-W4 ADSL, Secutech and TOTOLINK routers. The attackers compromised the devices and modified their DNS settings. Whenever the owners of the hijacked routers tried to access their online banking accounts or service providers’ websites, the malicious DNS server under hijackers’ control silently redirected them to phishing pages designed to steal their credentials.

During this campaign malefactors were going primarily after Brazilian users. They created fake sites mimicking the real websites of Brazilian banks and other financial institutions, as well as web hosting and cloud computing providers based in Brazil.

The hijackers also targeted users of some of the largest Internet services, including PayPal, Netflix, Uber, and Gmail.

How to protect yourself from router-based phishing

As we mentioned above, this kind of phishing is extremely hard to spot. However, the situation is not completely hopeless. We have a few tips:

  1. Log in to the router’s Web interface, change the default passwords, and disable remote administration and other dangerous settings.
  2. Keep your router firmware up to date: updates usually fix vulnerabilities. For some models, the updates are delivered automatically, but for others they must be installed manually. Check your router manufacturer’s model info online to see how your router is updated.
  3. Even when you’re accessing a familiar website, keep an eye out for unusual details and unexpected pop-ups. Try to click around several sections of the site; even when the design of a phishing page is highly professional, it’s almost impossible for malefactors to recreate an entire site with perfect fidelity.
  4. Before typing in your credentials (or any sensitive data), make sure that the connections are secure (check the beginning of the URL for “https://” to verify) and always check whether the name in the certificate matches the name of the entity. To do so, click the lock sign in the browser’s address bar:
  • In Internet Explorer or Edge you will see the certificate details you need right away.
  • In Mozilla Firefox, you will then have to click Connection.
  • In Chrome, click the lock sign, then Certificate, then General, and check the Issued to line.
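The browser performs the same name comparison automatically before it shows the lock at all: the name you typed has to be covered by one of the names listed in the certificate. The following added example, not part of the original article, spells out that rule so it is clear what “matches” means, including how a wildcard entry is and is not allowed to match. The certificate names and addresses are constructed for the example; the `(type, value)` pair layout mirrors what Python’s `ssl.getpeercert()` returns for `subjectAltName`.

```python
# Added example (not from the original article): the certificate name check a
# browser performs when it validates a site certificate, written out so the
# rule is visible. The certificate names below are constructed for the example.
import ipaddress

# subjectAltName entries in the shape Python's ssl.getpeercert() returns them:
# a sequence of (type, value) pairs. Constructed for a hypothetical bank site.
SAMPLE_SAN = (
    ("DNS", "www.example-bank.test"),
    ("DNS", "*.example-bank.test"),
    ("IP Address", "198.51.100.20"),
)


def dns_name_matches(pattern, hostname):
    """Does a dNSName entry cover hostname? Matching is case-insensitive, and a
    wildcard is accepted only as the entire leftmost label, covering exactly one
    label and leaving at least two fixed labels to its right (so '*.test' and
    'a.*.example' are rejected, as browsers reject them)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return (
        len(h_labels) == len(p_labels)
        and h_labels[0] != ""
        and h_labels[1:] == p_labels[1:]
    )


def certificate_covers(san_entries, hostname):
    """True if some subjectAltName entry covers the name the user typed.
    An IP literal must match an IP Address entry; a name must match a DNS entry."""
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_name_matches(value, hostname):
            return True
    return False


if __name__ == "__main__":
    for name in ("www.example-bank.test", "login.example-bank.test",
                 "example-bank.test", "www.example-bank.test.evil.test"):
        verdict = "covered" if certificate_covers(SAMPLE_SAN, name) else "MISMATCH"
        print(f"{name}: {verdict}")
```

When DNS has been redirected but the page is still served over HTTPS, the phishing host has to present a certificate that covers the bank’s name; this check is what fails in that case and what produces the browser’s warning. A name mismatch in the certificate, or a plain-HTTP page where HTTPS is expected, is the point at which to stop and not enter anything.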