A cyberattack, likened to a DNS-changer infiltration, that was first spotted in August on several D-Link routers in Brazil has expanded to affect more than 80 different network device models and more than 100,000 individual devices. Radware first identified the latest campaign, which started as an attack on Banco do Brasil customers via a DNS redirection that sent people to a duplicate site that stole their banking credentials.
Qihoo’s Netlab 360 folk have warned that the attack, which they’ve named GhostDNS, is “starting to ramp up its effort significantly with a whole bunch of new scanners.” The attackers were trying to get control of the target machines either by guessing the web admin password, or through a vulnerable DNS configuration CGI script (dnscfg.cgi). If they get control of a device, they change the router’s default DNS server to their own “rogue” machine.
But wait, there’s more, the post said: “The GhostDNS system consists of four parts: DNS Changer module, Phishing Web module, Web Admin module, Rogue DNS module.”
Rogue DNS module –
The Rogue DNS server contains a number of hijacked domains, primarily banking domains, cloud hosting services, and a domain belonging to the security company Avira.
Phishing Web module –
The rogue DNS server hijacks targeted domains and resolves them to a phishing server, and the phishing server serves the corresponding phishing site.
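A defender-side check for the DNS changer described above, added here as an example and not code from the Netlab 360 post: it flags a DHCP-advertised resolver outside an allowlist, a domain whose answer from the router's resolver shares no address with a trusted resolver's answer, and answers that fall outside the domain owner's published ranges. All addresses, domains and the resolver allowlist are constructed assumptions (RFC 5737 documentation ranges), not real indicators.

```python
"""Checks for a DNS-changer compromise of a home or SOHO router.

The router hands out DNS servers via DHCP; a DNS changer swaps them for a rogue
resolver that answers bank domains with a phishing host. Three checks catch that:
  1. the advertised resolvers are not the ones the network should be using;
  2. the local resolver's answer for a domain shares nothing with a trusted
     resolver's answer (gathered out of band, e.g. `dig @trusted-resolver`);
  3. the answer falls outside the owner's published address ranges.
All data below is constructed (RFC 5737 documentation addresses), not real IoCs.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

AnswerMap = Dict[str, Set[str]]


def unexpected_resolvers(advertised: Iterable[str], trusted: Set[str]) -> List[str]:
    """DHCP-advertised DNS servers that are not on the allowlist."""
    return [ip for ip in advertised if ip not in trusted]


def disjoint_answers(local: AnswerMap, trusted: AnswerMap) -> AnswerMap:
    """Domains whose local answer set shares no address with the trusted answer.
    Total disjointness is the rogue-resolver signature; CDN round-robin between
    two resolvers normally still overlaps, so confirm with the range check."""
    return {d: a for d, a in local.items()
            if trusted.get(d) and not (a & trusted[d])}


def outside_known_ranges(local: AnswerMap, ranges: Dict[str, List[str]]) -> AnswerMap:
    """Answers for a domain that fall outside the owner's published CIDRs."""
    bad: AnswerMap = {}
    for domain, cidrs in ranges.items():
        nets = [ipaddress.ip_network(c) for c in cidrs]
        stray = {ip for ip in local.get(domain, set())
                 if not any(ipaddress.ip_address(ip) in n for n in nets)}
        if stray:
            bad[domain] = stray
    return bad


# ---- constructed sample input (hypothetical values) ------------------------
TRUSTED_DNS = {"192.0.2.53"}                        # the resolver this LAN should use
ROUTER_DHCP_DNS = ["192.0.2.53", "198.51.100.7"]    # second entry: planted rogue
LOCAL_ANSWERS = {"bank.example": {"198.51.100.66"},                   # phishing host
                 "cdn.example": {"203.0.113.20", "203.0.113.21"}}
TRUSTED_ANSWERS = {"bank.example": {"203.0.113.10", "203.0.113.11"},
                   "cdn.example": {"203.0.113.21", "203.0.113.22"}}
KNOWN_RANGES = {"bank.example": ["203.0.113.0/24"]}

if __name__ == "__main__":
    print("rogue resolvers:", unexpected_resolvers(ROUTER_DHCP_DNS, TRUSTED_DNS))
    print("disjoint answers:", disjoint_answers(LOCAL_ANSWERS, TRUSTED_ANSWERS))
    print("outside ranges:", outside_known_ranges(LOCAL_ANSWERS, KNOWN_RANGES))
```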
At this stage, the post said, the redirection campaign is heavily weighted towards Brazilian websites: nearly 88 per cent of the compromised devices are also in Brazil, and the rogue DNS servers operated on Hostkey, Oracle, Multacom, Amazon, Google, Telefonica, Aruba, and OVH.
Compromised kit has also been spotted in Bolivia, Argentina, Saint Maarten, Mexico, Venezuela, the US, Russia and a few others.
OVH, Oracle and Google have kicked the attackers off their infrastructure, and the post said others are “working on it”.
The Netlab 360 researchers also listed kit from the following vendors as vulnerable: 3Com, A-Link, Alcatel / Technicolor, Antena, C3-Tech, Cisco, D-Link, Elsys, Fiberhome, Fiberlink, Geneko, Greatek, Huawei, Intelbras, Kaiomy, LinkOne, MikroTik, MPI Networks, Multilaser, OIWTECH, Perfect, Qtech, Ralink, Roteador, Sapido, Secutech, Siemens, Technic, Tenda, Thomson, TP-Link, Ubiquiti, Viking, ZTE, and Zyxel.