New DNS Hijacking Attack Exploiting DLink Routers to Target Netflix, PayPal, Uber, Gmail Users

Cybercriminals continuously perform DNS hijacking attack to the consumer’s routers over the past 3 months, and the sites targeted for phishing includes Netflix, PayPal, Uber, Gmail.

DNS hijacking is a type of malicious attack that used to redirect the users to the malicious website when they visit the website via compromised routers or attackers modifying a server’s settings.

Attackers abusing the hosts on the network of Google Cloud Platform to conduct this exploit attempts against consumers routers.

In this case, Researchers identified the rogue DNS servers being used to redirect web traffic for malicious purposes such as phishing attacks.

This ongoing campaign identified as 3 waves, In the First wave of an attempt on December 29, 2018, Attackers mainly targeting to exploit the multiple models of D-Link DSL modems, including:

https://twitter.com/bad_packets/status/1079251375987425280

In this case, “The IP address of rogue DNS server used in this attack was 66.70.173.48 and hosted by OVH Canada.”

In the second wave that attempted on February 6, 2019, attackers using new hosts from AS15169 that was assigned to Google Cloud customers.

According to Bad Packets, “As Twitter user “parseword” noted, the majority of the DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082).”

The third wave of attempt comes from three distinct Google Cloud Platform hosts, in this time, attackers targeting some of the models of the additional routers including ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.

In This case, there are more than 10,000 consumers routers are vulnerable from different models including,

D-Link DSL-2640B – 14,327
D-Link DSL-2740R – 379
D-Link DSL-2780B – 0
D-Link DSL-526B – 7
ARG-W4 ADSL routers – 0
DSLink 260E routers – 7
Secutech routers – 17
TOTOLINK routers – 2,265

Attackers also performed a recon scan was done using Masscan to check for active hosts on port 81/tcp prior to attempting the DNS hijacking exploits.

Spoke person from Google said to “We have suspended the fraudulent accounts in question and are working through established protocols to identify any new ones that emerge. We have processes in place to detect and remove accounts that violate our terms of service and acceptable use policy, and we take action on accounts when we detect abuse, including suspending the accounts in question. These incidents highlight the importance of practicing good security hygiene, including patching router firmware once a fix becomes available.”

You can Also Download Free E-book about complete Enterprise Security Mitigation & Implementation Steps – .

Follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

New “Roaming Mantis” Malware uses DNS Hijacking Attack to Hack Android Smartphones

DNS Hijacking Campaign Targeting Various Organizations Around the Globe

DNS Hijacking Method Used by Powerful Malware to Hack Android, Desktop & iOS Devices

DHS Issued Emergency Directive Ordering Federal Agencies To Audit DNS Activity for their Domains

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

5 hours ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

6 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

6 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

6 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

6 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

6 hours ago