Phishing without borders, or why you need to update your router
Quote:

What is the most common threat across cyberspace these days? It’s still phishing — there’s nothing new under the sun. But today’s router-based phishing doesn’t require you to fall for a hoax e-mail message. In fact, you can follow a whole bunch of standard rules — avoid using public Wi-Fi, hover over links before clicking, and so forth — but in the situation we discuss here, those rules won’t help. Let’s take a closer look at phishing schemes that involve hijacked routers.

How routers end up being hijacked

In general, there are two basic ways to hijack a router. The first approach is to take advantage of default credentials. You see, every router has an administrator password — not the one you use to connect to your Wi-Fi, the one you use to log in to the router’s administrator panel and to change its settings.

Although users can change the password, most leave it unchanged. And when we keep the default password set by a router’s manufacturer, outsiders can guess — or sometimes even Google — it.

The second approach is to exploit a vulnerability in a router’s firmware (of which there is no shortage) that allows a hacker to take control of the router without any password at all.

Either way, criminals can do their thing remotely, automatically, and on a massive scale. Hijacked routers can provide diverse benefits, but the one we’re going to focus on here is phishing that is extremely hard to spot.

How hijacked routers can be exploited for phishing

After taking over your router, attackers modify its settings. It’s a tiny, unnoticeable change: They change the addresses of the DNS servers the router uses to resolve domain names. What does that mean, and why is it so dangerous?

Thing is, the DNS (Domain Name System) is the pillar of the Internet. When you enter a website address in your browser’s address bar, your browser doesn’t actually know how to find it, because browsers and Web servers use numerical IP addresses, not the domain names that humans are used to. So, the act of getting to a website looks like this:

1.- The browser sends a request to a DNS server.
2.- The DNS server translates the website’s address from human-readable form into its numerical IP address and tells it to the browser.
3.- The browser now knows where to find the website and loads the page for you.

It all happens very quickly and behind the scenes. But when your router is hijacked and your DNS server addresses are changed, all of your requests go to a malicious DNS server that is controlled by attackers. Instead of returning the IP address of the site you want to visit, the malicious server returns a forged IP address. In other words, malefactors trick your browser — not you — into loading a phishing webpage instead of the site you were looking for. The scariest part is both you and your browser think the page is legit!
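An added example, not part of the quoted article or the original post: a defender-side check for the DNS change described above. It classifies the resolvers a machine received from its router and compares answers against a trusted reference resolver. The expected-resolver list, all addresses and domains, and the lookup tables are constructed assumptions; in real use the two lookup callables would send queries to the configured and the reference resolver.

```python
import ipaddress

# Assumption: the resolvers you or your ISP really configured; replace with your own.
# All addresses below are constructed documentation-range samples.
EXPECTED_RESOLVERS = {"198.51.100.53"}
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def nameservers(resolv_conf_text):
    """Extract nameserver addresses from resolv.conf-style text."""
    found = []
    for line in resolv_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found

def classify_resolver(addr, expected=EXPECTED_RESOLVERS):
    """Return 'expected', 'lan-forwarder' or 'unexpected' for one resolver."""
    if addr in expected:
        return "expected"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in LAN_NETS):
        # The router answers DNS itself: its upstream DNS setting lives in
        # the admin panel and has to be checked there.
        return "lan-forwarder"
    return "unexpected"

def mismatched_answers(domains, via_configured, via_reference):
    """Domains whose answers from the configured resolver share no address
    with a trusted reference resolver. CDNs can legitimately differ, so a
    hit is a lead to confirm, not proof of tampering."""
    hits = {}
    for name in domains:
        got, ref = set(via_configured(name)), set(via_reference(name))
        if got and ref and not (got & ref):
            hits[name] = sorted(got)
    return hits

# Constructed sample data: a DHCP-written resolv.conf and two lookup tables
# standing in for real queries sent to each resolver.
SAMPLE_CONF = "# written by DHCP client\nnameserver 203.0.113.66\nnameserver 192.168.1.1\n"
CONFIGURED = {"bank.example": ["203.0.113.80"], "news.example": ["198.51.100.10"]}
REFERENCE = {"bank.example": ["198.51.100.20"], "news.example": ["198.51.100.10"]}

if __name__ == "__main__":
    for ns in nameservers(SAMPLE_CONF):
        print(ns, classify_resolver(ns))
    print(mismatched_answers(CONFIGURED, CONFIGURED.get, REFERENCE.get))
```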


Messages In This Thread
Phishing without borders, or why you need to update your router - by harlan4096 - 02 May 19, 16:04