Hackers exploiting Router vulnerabilities to hack Bank accounts through DNS Hijacking

In past months, we have reported about critical vulnerabilities in many wireless Routers including Netgear, Linksys, TP-LINK, Cisco, ASUS, TENDA and more vendors, installed by millions of home users worldwide.

Polish Computer Emergency Response Team (CERT Polska) recently noticed a large scale cyber attack ongoing campaign aimed at Polish e-banking users.

Cyber criminals are using known router vulnerability which allow attackers to change the router's DNS configuration remotely so they can lure users to fake bank websites or can perform Man-in-the-Middle attack.

'After DNS servers settings are changed on a router, all queries from inside the network are forwarded to rogue servers. Obviously the platform of a client device is not an issue, as there is no need for the attackers to install any malicious software at all.' CERT Polska researchers said.

That DNS Hijacking trick is not new, neither most of the router vulnerabilities are, but still millions of routers are not patched or upgraded to the latest firmware version.

The Domain Name System, or DNS, the Internet's method of converting Web page names into IP address numbers can be hijacked just by changing the server address to a malicious DNS server from router's settings; and that which malicious DNS server should be in control of the hacker to facilitate interception, inspection and modification of the traffic between users and the online banking websites they wanted to target.

"It looks like criminals are primarily targeting e-banking users as they modify DNS responses for several banking domains, while resolving other domain names normally." they said.

Most of the Banking and E-commerce sites are using HTTPS with SSL encryption, making it impossible to impersonate them without a valid digital certificate issued by a Certificate Authority (CA), but to bypass such limitation cyber criminals are also using the SSL strip technique to spoof digital certificates.

"While criminals intercept the unencrypted request, they simply modify links to clear HTTP, adding "ssl-" String to a hostname, apparently in an attempt to fool casual users (Note that the nonexistent ssl-. hostnames would only be resolved by malicious DNS servers) While the connection is proxied through malicious servers, SSL is terminated before it reaches the user. Decrypted content is then modified and sent unencrypted to the customer."

"In cases we have seen, they produced a self-signed certificate for thawte.com domain, which causes a browser to complain about both domain name mismatch and lack of a trusted CA in the certificate chain. This should be a clear indicator of the fraud for most users."

Demonstration of Exploitation:
Penetration tester and Computer Science Student, ABDELLI Nassereddine from Algerian, who reported previously about critical unauthorized access and password disclosure vulnerability in the TP-LINK Routers provided by Algerie Telecom, has also published the practical demonstration on 'How to Hack Victim's computer and accounts by hijacking Router's DNS server'.

To perform this, he used DNS Proxy tool 'Dnschef' and exploitation tools including Metasploit, webmitm and Burp Suite. Steps to follow:

Our readers can get detailed explanations of exploitation technique on the Nassereddine's blog.

How to Protect?
Now that you know how hackers can target routers to mess up the internet connection or even steal banking, Facebook, Google passwords, the next best thing to do is to secure your own routers:

• Change the default username and password.
• Update the Router's firmware to latest patched version.
• Users can spot fake sites by pay attention to the browser's address bar and HTTPS indicators.
• Disable Remote Administration feature, especially from WAN. The router should be configurable only from the local network or LAN.