New DNS Hijacking Attack Exploiting DLink Routers to Target Netflix, PayPal, Uber, Gmail Users

Cybercriminals continuously perform DNS hijacking attack to the consumer’s routers over the past 3 months, and the sites targeted for phishing includes Netflix, PayPal, Uber, Gmail.

DNS hijacking is a type of malicious attack that used to redirect the users to the malicious website when they visit the website via compromised routers or attackers modifying a server’s settings.

Attackers abusing the hosts on the network of Google Cloud Platform to conduct this exploit attempts against consumers routers.

In this case, Researchers identified the rogue DNS servers being used to redirect web traffic for malicious purposes such as phishing attacks.

This ongoing campaign identified as 3 waves, In the First wave of an attempt on December 29, 2018, Attackers mainly targeting to exploit the multiple models of D-Link DSL modems, including:

https://twitter.com/bad_packets/status/1079251375987425280

In this case, “The IP address of rogue DNS server used in this attack was 66.70.173.48 and hosted by OVH Canada.”

In the second wave that attempted on February 6, 2019, attackers using new hosts from AS15169 that was assigned to Google Cloud customers.

According to Bad Packets, “As Twitter user “parseword” noted, the majority of the DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082).”

The third wave of attempt comes from three distinct Google Cloud Platform hosts, in this time, attackers targeting some of the models of the additional routers including ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.

In This case, there are more than 10,000 consumers routers are vulnerable from different models including,

D-Link DSL-2640B – 14,327
D-Link DSL-2740R – 379
D-Link DSL-2780B – 0
D-Link DSL-526B – 7
ARG-W4 ADSL routers – 0
DSLink 260E routers – 7
Secutech routers – 17
TOTOLINK routers – 2,265

Attackers also performed a recon scan was done using Masscan to check for active hosts on port 81/tcp prior to attempting the DNS hijacking exploits.

Spoke person from Google said to “We have suspended the fraudulent accounts in question and are working through established protocols to identify any new ones that emerge. We have processes in place to detect and remove accounts that violate our terms of service and acceptable use policy, and we take action on accounts when we detect abuse, including suspending the accounts in question. These incidents highlight the importance of practicing good security hygiene, including patching router firmware once a fix becomes available.”

You can Also Download Free E-book about complete Enterprise Security Mitigation & Implementation Steps – .

Follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

New “Roaming Mantis” Malware uses DNS Hijacking Attack to Hack Android Smartphones

DNS Hijacking Campaign Targeting Various Organizations Around the Globe

DNS Hijacking Method Used by Powerful Malware to Hack Android, Desktop & iOS Devices

DHS Issued Emergency Directive Ordering Federal Agencies To Audit DNS Activity for their Domains

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

6 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

6 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

9 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

12 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

13 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

13 hours ago