Spam Uses Default Passwords to Hack Routers

  • 26 February 2015
  • 0 replies
  • 176 views

 
According to Proofpoint, the link in the spam campaign led to a page that mimicked the telecom provider. The landing page included code that silently attempted to execute what’s known as a cross-site request forgery attack on known vulnerabilities in two types of routers, UT Starcom and TP-Link. The malicious page would then invoke hidden inline frames (also known as “iframes”) that try to log in to the administration page of the victim’s router using a list of known default credentials built into these devices.
 
If successful, the attacker’s script would modify the domain name system (DNS) settings on the victim’s router, adding the attacker’s own DNS server as the primary server while assigning the secondary DNS server to Google’s public DNS (8.8.8.8). Such a change would allow the attackers to hijack the victim’s traffic to any Web site, redirecting them away from the legitimate site to a look-alike page designed to siphon the victim’s credentials. In the event that the attacker’s DNS server was unresponsive for any reason, the victim’s router would still function normally.
 
http://krebsonsecurity.com/wp-content/uploads/2015/02/dnshijack-600x162.png
The malicious script used by the spammers in this campaign tries multiple default credentials in a bid to hijack routers with factory-default settings. Image: Proofpoint.
 
Full Article
