The login page of course works, in the sense that the victim can login to their account by filling in their credentials at the top of the page. Most of the links on the site don’t work, they just redirect to non-existing web-pages.
If you look closely at the address bar, the site is shown as not being secure, something not all users might recognize. We visited the phishing version of the Banco Bradesco site, the site affected users were redirected to when trying to visit the bank’s website. On December 3, 2019, all the domains still resolved to this IP address when using the malicious DNS servers.
The diagram below describes the attack vector: DNS hijackingĪs in the past, the domains affected by the DNS hijack are mainly the banks in Brazil, as well as e-commerce site PagSeguro, national news sites Terra and UOL, and famous streaming site Netflix:Īll the affected domains resolve to the IP address 138197.149162 which are hosted by DigitalOcean, LLC. The GhostDNS exploit kit automatically finds the router IP, then executes an attack with a parameter including the router’s IP via PHP script (for example “ /inc.php?d=192.168.1.1”) and finally, a CSRF attack is carried out on the user’s router. When users visited the http//br domain, they were automatically redirected to a router exploit kit landing page. The campaign focused on hijacking DNS requests using the following two servers (both servers hosted on ColoCrossing servers): In total, Avast Web Shield blocked the two malicious URLs 7,500 times.īased on the website fingerprint of the landing page, the exploit kit is the GhostDNS variant, Novidade, which means “news” in Portuguese. As can be seen on the graph below, the campaign was first active on November 19, 2019, when the number of blocked URLs reached more than 1,000. The number of blocked URLs on this day hit nearly 5,500, followed by more than 1,000 blocked URLs on the following day. On November 25, 2019, Avast’s Web Shield blocked a significant number of URLs in Brazil.
Online banking sites and sites like Netflix are often targeted by cybercriminals in DNS hijack attacks, as it allows them to easily steal valuable login credentials. In this case, the following Brazilian banking, and news sites were targeted, as well as Netflix: Once the hacker successfully logs into the router, the exploit kit attempts to alter the router’s DNS settings using various CSRF requests, sending the victim to phishing pages designed to look like the actual website the victim wants to visit.
Then the exploit kit attempts to find the router IP on the network, and brute force its way into the router. When visiting a compromised site, the victim is unknowingly redirected to a router exploit kit landing page, which is usually opened in a new window or tab, initiating the attack on the router automatically, without user interaction. Taking a closer look, two landing pages, targeting Brazilians, hosting the GhostDNS router exploit kit used to carry out cross-site request forgery (CSRF) attacks, caught our attention.Īs we described in a past blog post, RouterCSRF campaigns are often distributed via malvertising campaigns through ad rotators, and appear in waves. Router exploit kits are very popular in Brazil, and late November we noticed a spike in the number of URLs blocked by Avast’s Web Shield.
0 kommentar(er)
