
Hackers in Your Home – DNS Hijacking

Eli Dominitz
May 20, 2020

Hackers can infiltrate people’s home networks through their routers using an attack called DNS Hijacking. This type of attack changes the router’s DNS settings to display malicious webpages chosen by the attacker. While this type of attack is not new, it has been more widely used over the past few months during the COVID-19 pandemic.

DNS Hijacking attacks are designed to trick the victim into thinking that he/she is receiving an emergency update, or to display fake webpages that imitate sites the victim frequently visits (e.g., online banking). Once the user lands on these mock pages, he/she is instructed either to enter login information or personally identifiable information (PII), which is then sent back to the attacker, or to download a malicious payload.

With many more millions of people currently working from home on their own network hardware, DNS Hijacking poses an immediate threat both to individuals and their employers. In a typical corporate setting, an attacker must bypass various safeguards in order to penetrate the network. Home routers, on the other hand, are typically set up right out of the box with default settings and not properly configured or updated over time.

W.H.O. Themed Attacks

In recent DNS Hijacking attacks, attackers have been targeting Linksys and D-Link routers to serve a mock World Health Organization webpage that hosts the Oski infostealer, which is designed to extract browser credentials and other victim data. In some cases, the attackers simply scan the internet for vulnerable routers and attempt to brute-force weak administrative passwords.

Once the router is compromised and the DNS setting has been changed, a malicious page is displayed instructing the victim to download an application from the W.H.O. to receive important information related to the COVID-19 pandemic. Once the user clicks on the link, he/she is redirected to a Bitbucket page to install the malicious application.

Since the router itself is compromised, the user may never see any form of antivirus notification. The attack targets the router directly by compromising it, changing its default DNS settings to display webpages of the attacker’s choosing, and hosting the malware outside of the network on cloud-based infrastructure. This makes these types of attacks much more difficult to detect.

These attacks on consumer routers often abuse vulnerabilities in outdated firmware or in the router’s default settings. With more people teleworking than ever before, the risk has grown for corporations and organizations that cannot monitor or control their employees’ home networks and router configurations. They can, however, take steps to ensure that employee devices are properly secured and that connections to corporate networks are secured and monitored.


Recommendations

Individuals can take steps to prevent DNS hijacking attacks. Here are some recommendations geared towards both employers and home users:

For employers:

  • Educate employees about the risk of DNS hijacking attacks and communicate best practices that include the recommendations below.

For home users / small businesses:

  • Apply router firmware updates.
  • Change the router’s control panel access credentials.
  • Change any default administrative credentials to complex passwords.
  • Periodically check what server is making your DNS requests by visiting whoismydns.com. If the company does not look familiar (typically your ISP) and the DNS server was not configured manually, this may indicate a DNS hijack on your home router.
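As an added example (not part of the original post), the following script automates two offline spot-checks behind the last recommendation: whether the host is using resolvers its owner never configured, and whether the default resolution path sends several unrelated sites to one address that a known-good resolver never returns. All addresses, domains and file contents are constructed sample data.

```python
"""Offline spot-checks for router DNS hijacking. All data below is constructed
sample input so the script runs without network access."""
import ipaddress
from typing import Dict, List, Set

# Constructed: resolvers this household knowingly uses (router LAN address plus two public ones).
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# Constructed resolv.conf: the router is now handing out an unfamiliar resolver.
SAMPLE_RESOLV_CONF = """# Generated by DHCP
nameserver 192.168.1.1
nameserver 198.51.100.7  # unfamiliar upstream
"""

# Constructed answers for frequently visited sites, via the default path and
# via a known-good resolver. Three unrelated sites land on one host by default.
SAMPLE_DEFAULT_PATH = {
    "bank.example": {"198.51.100.20"}, "who.int": {"198.51.100.20"},
    "mail.example": {"198.51.100.20"}, "cdn.example": {"203.0.113.5"},
}
SAMPLE_TRUSTED_PATH = {
    "bank.example": {"203.0.113.10"}, "who.int": {"203.0.113.11"},
    "mail.example": {"203.0.113.12"}, "cdn.example": {"203.0.113.6"},
}  # cdn.example differs by vantage point, which alone is not a hijack sign

def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return nameserver addresses from resolv.conf text, skipping comments and junk."""
    servers: List[str] = []
    for raw in resolv_conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                pass  # malformed address; ignore it
    return servers

def unexpected_resolvers(servers: List[str], expected: Set[str]) -> List[str]:
    """Resolvers in use that the user never configured."""
    return [s for s in servers if s not in expected]

def shared_answer_hosts(default_path: Dict[str, Set[str]], trusted_path: Dict[str, Set[str]],
                        min_domains: int = 2) -> Dict[str, List[str]]:
    """Addresses the default path returns for >= min_domains unrelated domains that the trusted resolver never returns."""
    trusted_ips = set().union(*trusted_path.values())
    hits: Dict[str, List[str]] = {}
    for domain, ips in default_path.items():
        for ip in ips - trusted_ips:
            hits.setdefault(ip, []).append(domain)
    return {ip: sorted(doms) for ip, doms in hits.items() if len(doms) >= min_domains}
```

A non-empty result from either function is a prompt to inspect the router’s DNS settings, not proof of compromise on its own; CDN-backed sites legitimately return different addresses from different resolvers.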


About the Author

Eli Dominitz

Founder & CEO | Q6 Cyber
Eli Dominitz is the Founder & CEO of Q6 Cyber, an e-crime intelligence company based in the USA and Israel. Through a combination of proprietary technology and human analysts, Q6 monitors the “Digital Underground” (DarkWeb, DeepWeb, malware networks and infrastructure) to collect targeted and actionable e-crime intelligence used to proactively

