What just happened? Security researchers at Netlab have outed a malware which has taken over a sizable number of internet routers in Brazil and is harvesting user login data to major financial institutions.
A widespread infection of internet routers has taken place in South America, and has carried out massive phishing attacks on unsuspecting internet users, reveals research by security firm Netlab. A staggering 100,000 routers have been hijacked by the malicious code and are currently redirecting traffic to phishing sites that mimic landing pages for major banks, telcos, ISPs, media outlets and even Netflix.
The malware (we're hesitant to call it a 'botnet',) has been named GhostDNS by the security firm, and consists of a combination of complex attack scripts which hijack router settings, replacing them with an alternative DNS service, which then proceed to direct traffic to 'cloned' login pages for major online services. The DNS redirection service is known as Rouge and is even running on a number of notable cloud hosting services like Amazon, OVH, Google, Telefonica and Oracle. Netlab is tracking the progress of the infection, and its inner workings, and has been in contact with service providers to shut down the network, which has been running the phishing scheme unopposed since mid-June this year.
The firm provided a detailed diagram of how the attack works.
The attack is carried out on four levels. A Web Admin System which scans the internet for vulnerable devices, followed by the DNSChanger which does as the name implies, backed up by RougeDNS, a network of DNS servers which then redirect to Phishing servers which host clones of well-known, secure, websites.
The firm states that the payload is delivered via remote access exploits, and is capable of running over 100 attack scripts affecting more than 70 different types of routers, whose DNS are subject to the hijacking. Once your router is hacked, a typically innocuous trip to your bank turns into a phishing nightmare which harvests your user data, as the HTTP requests are maliciously redirected to cloned login pages.
While the vast majority of infected routers are located in Brazil (numbering 87.8% of all infections), and the phishing clearly targets Brazilian companies, it is also present throughout South America, and tops over 100,000 infected routers. Netlab is working with major service providers in order to shore up their vulnerabilities and shut down the malicious DNS redirection servers which are driving users to phishing sites.
Spamhaus.com rates Brazil an unenviable third place in the worldwide ranking of botnet infections, with a total 756,420 infected devices, behind India (1,485,933 infections) and China (with 1,666,901 infections).