On Friday (5 April), it emerged that home routers such as those manufactured by D-Link were being targeted by DNS hijacking. Security researchers at Bad Packets identified three waves which took place between December last year and the end of March this year, detailed in a blog. But also on 5 April, researchers at Ixia identified a new wave of DNS hijacking and detected two additional rogue DNS servers: 126.96.36.199 and 188.8.131.52.
What is happening?
Hackers are orchestrating these attacks in the hope that users will be fooled by an unauthorized version of a well-known website. Once a person enters their details, those details can be stolen by the attackers. “The purpose of these attacks is to modify DNS settings in the routers to point to unauthorized webpages that skim user input data,” says Mihai Vasilescu, senior security research engineer, in a blog. “When end users try to access a targeted website, they will land on a webpage designed to look like the original but is controlled by the attacker.”
As Vasilescu points out, a malicious adversary able to intercept your requests could send faked DNS responses pointing you to a malicious server hosting a fake bank login page. “That server would then grab your credentials, giving the attacker access to your bank accounts.”
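Because the change is made on the router, a host-side check has to distinguish a resolver that is actually rogue from one that merely points back at the router. The following is an added example, not code from Bad Packets or Ixia: it audits resolv.conf-style text against the two rogue resolvers named above. The `EXPECTED` allowlist and the sample file contents are constructed assumptions.

```python
import ipaddress

# Rogue resolvers exactly as reported in the article above.
ROGUE = {"126.96.36.199", "188.8.131.52"}
# Assumption: resolvers this network is supposed to use (constructed value).
EXPECTED = {"9.9.9.9"}

def parse_nameservers(text):
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        # Drop comments, which resolv.conf marks with '#' or ';'.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1].split("%", 1)[0])  # strip IPv6 zone id
    return servers

def classify(addr, expected=EXPECTED):
    """Label one resolver address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if str(ip) in ROGUE:
        return "rogue"
    if str(ip) in expected:
        return "expected"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        # The host forwards to the router or a local stub, so this check is
        # inconclusive: the router's own upstream DNS setting must be inspected.
        return "local-forwarder"
    return "unexpected"

def audit(text, expected=EXPECTED):
    """Map each configured resolver to its classification."""
    return {a: classify(a, expected) for a in parse_nameservers(text)}

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# generated by DHCP client
nameserver 192.168.0.1
nameserver 188.8.131.52   # pushed by router
nameserver 9.9.9.9
options edns0
"""

if __name__ == "__main__":
    for addr, verdict in audit(SAMPLE).items():
        print(f"{addr:<16} {verdict}")
```

A `local-forwarder` result means the host is clean as far as it can tell, but the DNS servers configured in the router's admin interface still need to be compared against the same lists.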
Which sites are being targeted?
According to Ixia researchers, the attackers seem to have three types of targets: global internet-based enterprises, local hosting providers and financial institutions based in Brazil.