IoT Hijackers Lead Victims to Bogus Banco de Brasil Website

Update as of October 3, 2018:

The IoT hijacking aimed at Brazilian banks continues. Security researchers report that the attack on D-Link DSL modem routers, which was intended to steal bank users' financial information, has expanded its campaign. It now affects 100,000 router IP addresses and 70 different types of IoT devices.

The campaign, which Qihoo 360's Netlab researchers have dubbed "GhostDNS," consists of a four-part system: a Phishing Web module, a Web Admin module, a Rogue DNS module, and a DNSChanger module. The DNSChanger module, the campaign's main module, is composed of three sub-modules corresponding to JavaScript, Python, and shell programs.

The scheme began as an attack directed at Banco de Brasil customers. Recent developments in the intensified IoT campaign show that most attacks are still directed at Brazil: the majority of the malware-infected IoT devices and websites are located in the South American country.

Security researchers have been tracking the activity of cybercriminals who have waged a hijacking campaign against IoT devices, specifically D-Link DSL modem routers. This IoT threat aimed to steal the sensitive banking information of a Brazilian financial institution's customers.

The IoT scheme started with an attempted change to the domain name system (DNS) server settings of routers located in Brazil. The scammers pointed the routers at a malicious DNS server, so that every DNS request from the affected network was rerouted to it. The malicious server then answered all DNS requests for the Banco de Brasil domain with the address of a bogus clone of the bank's website, where the threat actors could harvest the bank clients' information.


The fake website, which is not associated with Banco de Brasil, asked for the following personal information: the user's bank agency number, account number and PIN, mobile number, bank card PIN, and an associated CABB number.

While the bank's legitimate website was not hacked, the deception was effective: apart from an invalid certificate warning, bank users could not tell right away that they had been redirected to a malicious website. Regardless of the browser or device used, a DNS request for the Banco de Brasil website led them to the fake site because of their infected IoT devices.


The security researchers discovered that the exploit attempts came from servers in the US and Brazil and targeted victims located solely in Brazil.

Another bank based in Brazil, Itau Unibanco, was also a target of the IoT hijacking, but its users were not redirected to a fake website. The banks have been alerted, and the rogue DNS server and phony website associated with the scam have been taken down.


The researchers recommend the following steps for checking whether users' IoT devices have been compromised, and what to do about it:

  • Check all your devices’ DNS server settings in the IP configuration or through http://www.whatsmydnsserver.com/.
  • Update your modem's firmware.
  • Do not disregard invalid security certificate notifications on your browser.
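As an added defender-side illustration of the first recommendation (this is not code from the original article or from the researchers), the following Python script flags configured DNS servers that are neither on the LAN nor on a resolver allowlist, and compares the answers a device's resolver gives for the bank's domain with those of a trusted resolver, which is exactly where a rogue DNS server that rewrites only one domain gives itself away. The allowlist, domain names and IP addresses are constructed assumptions.

```python
import ipaddress

# LAN ranges where a home router normally hands out its own address as the resolver.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Public resolvers a user recognises. This allowlist is an assumption made for the
# example; replace it with your ISP's or organisation's resolvers.
EXPECTED_PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def classify_resolver(ip: str) -> str:
    """Label a configured DNS server as 'lan', 'expected' or 'unexpected'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LAN_NETWORKS):
        return "lan"
    return "expected" if ip in EXPECTED_PUBLIC_RESOLVERS else "unexpected"


def audit_dns_settings(resolvers: list[str]) -> list[str]:
    """Return the configured resolvers the user has no reason to recognise."""
    return [ip for ip in resolvers if classify_resolver(ip) == "unexpected"]


def hijacked_domains(configured: dict[str, set[str]],
                     trusted: dict[str, set[str]]) -> list[str]:
    """Compare the A records the device's resolver returns with those from a
    trusted resolver. A rogue DNS server that rewrites only the bank's domain
    shows up as a mismatch on that name while every other name still agrees.
    A name the trusted resolver cannot corroborate at all is flagged too."""
    return sorted(name for name, answers in configured.items()
                  if answers.isdisjoint(trusted.get(name, set())))


# Constructed sample data, not addresses from the campaign: a router whose DNS
# setting now points at an unknown public address, and each resolver's answers.
SAMPLE_RESOLVERS = ["192.168.0.1", "203.0.113.77"]
SAMPLE_CONFIGURED_ANSWERS = {
    "bank.example": {"198.51.100.10"},     # rogue answer: the phishing clone
    "www.example.com": {"93.184.216.34"},  # every other name resolves normally
}
SAMPLE_TRUSTED_ANSWERS = {
    "bank.example": {"192.0.2.20"},
    "www.example.com": {"93.184.216.34"},
}

if __name__ == "__main__":
    print("unexpected resolvers:", audit_dns_settings(SAMPLE_RESOLVERS))
    print("domains answered differently:",
          hijacked_domains(SAMPLE_CONFIGURED_ANSWERS, SAMPLE_TRUSTED_ANSWERS))
```

In practice the two answer sets would come from querying the router-assigned resolver and a resolver reached over a trusted path; the comparison logic stays the same.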


Trend Micro Solutions

The Trend Micro™ Smart Home Network, which has web protection and deep packet inspection capabilities, is a solution that secures devices against IoT-related threats.

Users of the Smart Home Network solution are protected from this threat via these rules:

1130410 WEB Multiple Devices Unauthenticated Remote DNS Change Vulnerability -18

1131093 WEB Multiple Devices Unauthenticated Remote DNS Change Vulnerability -9

A comprehensive guide on how homes and businesses can better defend themselves against attacks on routers can be found via Securing Your Home Routers: Understanding Attacks and Defense Strategies.

Indicators of Compromise

DNSChanger Module (SHA256)

8fb69b8d2404c5bec57ef1cc9abcd24f5a43d0b9770705899b73169b31c1ceb1 (HTML_DNSCHA.YJV)

The following are detected as HTML_DNSCHA.SM:

