DNS hijacking campaign is stealing Netflix, Gmail and other services accounts

A DNS hijacking campaign, active for at least three months, has been targeting users of the most popular online services, such as Gmail, Netflix and PayPal, report specialists from the International Institute of Cyber Security (IICS), the best ethical hacking institute.

As part of the campaign, the threat actors compromised routers belonging to customers of Internet service providers, modified the routers' DNS configuration, and redirected victims to malicious websites built to harvest their login credentials.

Specialists from the best ethical hacking institute identified four malicious DNS servers that the attackers have been using to redirect victims' traffic, noting that all exploitation attempts originated from hosts on the Google Cloud platform.

The first DNS hijacking wave exploited specific D-Link DSL modems, such as the D-Link DSL-2640B, DSL-2740R, DSL-2780B and DSL-526B. The rogue DNS server used in this attack was hosted by OVH Canada (at the IP address 66.70.173.48).

A second wave of attacks targeted the same type of D-Link modems, although the address of the malicious DNS server differed from the first one (144.217.191.145).

According to the best ethical hacking institute, most DNS requests were being redirected to two IP addresses assigned to a hosting provider with permissive policies toward abusive use.

A third wave of attacks targeted a large number of home router models, including ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers and TOTOLINK routers.

The attacks have been traced to three different Google Cloud hosts, which used two malicious DNS servers hosted in Russia.

The main goal of the campaign was to redirect unsuspecting users of online services such as Netflix, Uber, PayPal or Gmail to fraudulent sites and trick them into handing over their login credentials, reports the best ethical hacking institute. Specialists estimate that about 17,000 routers may be exposed to this DNS hijacking campaign.
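The two checks a defender would run against a router suspected of the tampering described above, as an added Python example that is not code from the article or from IICS: it flags any configured resolver that matches the rogue addresses the article names, and flags impersonated services whose answers from the router-supplied resolver share no address with a trusted resolver's answers. The resolv.conf text and both answer maps are constructed sample data, so the script runs offline.

```python
# Added example (not from the article): two offline checks for the router-level
# DNS hijacking it describes. All sample data below is constructed.

ROGUE_RESOLVERS = {"66.70.173.48", "144.217.191.145"}   # named in the article
WATCHED_DOMAINS = ("netflix.com", "paypal.com", "gmail.com", "uber.com")  # impersonated services

def parse_resolv_conf(text):
    """Return resolver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, tokenize
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def flag_rogue_resolvers(servers):
    """Check 1: configured resolvers that appear on the known-rogue list."""
    return sorted(s for s in servers if s in ROGUE_RESOLVERS)

def compare_answers(local, trusted, domains=WATCHED_DOMAINS):
    """Check 2: domains whose A records from the router-supplied resolver share
    no address with a trusted resolver's answer. CDN-backed names can differ
    legitimately by location, so query both resolvers from the same network."""
    hits = []
    for name in domains:
        mine, ref = set(local.get(name, ())), set(trusted.get(name, ()))
        if mine and ref and mine.isdisjoint(ref):
            hits.append(name)
    return hits

def audit(resolv_text, local_answers, trusted_answers):
    """Run both checks and return the findings."""
    servers = parse_resolv_conf(resolv_text)
    return {"rogue_resolvers": flag_rogue_resolvers(servers),
            "hijacked_domains": compare_answers(local_answers, trusted_answers)}

# Constructed sample: a router handing out one rogue resolver via DHCP, and
# answers (RFC 5737 test addresses) that differ only for two watched services.
SAMPLE_RESOLV_CONF = "# generated by DHCP\nnameserver 144.217.191.145\nnameserver 192.168.1.1\n"
SAMPLE_LOCAL = {"netflix.com": ["198.51.100.7"], "paypal.com": ["198.51.100.7"],
                "gmail.com": ["192.0.2.10"], "uber.com": ["192.0.2.11"]}
SAMPLE_TRUSTED = {"netflix.com": ["192.0.2.20"], "paypal.com": ["192.0.2.21"],
                  "gmail.com": ["192.0.2.10"], "uber.com": ["192.0.2.11"]}

if __name__ == "__main__":
    print(audit(SAMPLE_RESOLV_CONF, SAMPLE_LOCAL, SAMPLE_TRUSTED))
```

A clean router should produce an empty list for both keys; a hit on either is a reason to inspect the router's DNS and DHCP settings and its firmware version.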
