Saturday, December 2, 2023

New DNS Hijacking Attack Exploiting DLink Routers to Target Netflix, PayPal, Uber, Gmail Users

Cybercriminals continuously perform DNS hijacking attack to the consumer’s routers over the past 3 months, and the sites targeted for phishing includes Netflix, PayPal, Uber, Gmail.

DNS hijacking is a type of malicious attack that used to redirect the users to the malicious website when they visit the website via compromised routers or attackers modifying a server’s settings.

Attackers abusing the hosts on the network of Google Cloud Platform to conduct this exploit attempts against consumers routers.

In this case, Researchers identified the rogue DNS servers being used to redirect web traffic for malicious purposes such as phishing attacks.

This ongoing campaign identified as 3 waves, In the First wave of an attempt on December 29, 2018, Attackers mainly targeting to exploit the multiple models of D-Link DSL modems, including:

In this case, “The IP address of rogue DNS server used in this attack was and hosted by OVH Canada.”

In the second wave that attempted on February 6, 2019, attackers using new hosts from AS15169 that was assigned to Google Cloud customers.

According to Bad Packets, “As Twitter user “parseword” noted, the majority of the DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082).”

The third wave of attempt comes from three distinct Google Cloud Platform hosts, in this time, attackers targeting some of the models of the additional routers including ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.

 DNS Hijacking

In This case, there are more than 10,000 consumers routers are vulnerable from different models including,

D-Link DSL-2640B – 14,327
D-Link DSL-2740R – 379
D-Link DSL-2780B – 0
D-Link DSL-526B – 7
ARG-W4 ADSL routers – 0
DSLink 260E routers – 7
Secutech routers – 17
TOTOLINK routers – 2,265

Attackers also performed a recon scan was done using Masscan to check for active hosts on port 81/tcp prior to attempting the DNS hijacking exploits.

Spoke person from Google said to “We have suspended the fraudulent accounts in question and are working through established protocols to identify any new ones that emerge. We have processes in place to detect and remove accounts that violate our terms of service and acceptable use policy, and we take action on accounts when we detect abuse, including suspending the accounts in question. These incidents highlight the importance of practicing good security hygiene, including patching router firmware once a fix becomes available.”

You can Also Download Free E-book about complete Enterprise Security Mitigation & Implementation Steps – Download Free-Ebook Here.

Follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

New “Roaming Mantis” Malware uses DNS Hijacking Attack to Hack Android Smartphones

DNS Hijacking Campaign Targeting Various Organizations Around the Globe

DNS Hijacking Method Used by Powerful Malware to Hack Android, Desktop & iOS Devices

DHS Issued Emergency Directive Ordering Federal Agencies To Audit DNS Activity for their Domains


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles