Netlab security researchers have exposed a piece of malware that spreads through home and small-office Internet routers and runs large-scale phishing against the users behind them. So far the malicious code has infected more than 100,000 routers, most of them in Brazil. It redirects traffic meant for major banks, telecom companies, Internet service providers and even Netflix to counterfeit copies of their sites, and harvests the login credentials entered there, above all credentials for financial institutions.
Netlab named the malware GhostDNS. It is a collection of attack scripts that hijack the router's DNS settings, replacing the legitimate resolvers with rogue DNS servers under the attackers' control, so that lookups for the targeted online services are answered with the addresses of cloned phishing pages instead of the real sites.
The rogue DNS servers behind this redirection are hosted on public cloud and hosting providers, including Amazon, OVH, Google, Telefónica and Oracle. The phishing operation has been running since June this year. Netlab is tracking the infection process and the campaign's internal workings, and is contacting the providers to get the infrastructure shut down.
Netlab's diagram breaks the operation into four modules. A web admin panel controls the campaign; the DNSChanger module scans the Internet for vulnerable routers and rewrites their DNS settings; the rogue DNS module answers queries for the targeted domains with attacker-controlled addresses; and the phishing web module serves the cloned pages, such as fake online banking, that victims end up on.
Netlab points out that the weak spot is remote access to the router's administration interface: the DNSChanger module reaches it over the Internet, typically with weak or default credentials, and rewrites the DNS configuration. GhostDNS can run more than 100 attack scripts covering more than 70 router models, all of them susceptible to this kind of DNS hijacking. Once a router is compromised, an ordinary online banking session becomes a phishing trap: the lookup for the bank's domain returns the address of the cloned landing page, so the browser's HTTP requests go to the attacker, who collects whatever the user types. Because the swap happens at the DNS layer, the address bar still shows the legitimate domain name; only a TLS certificate mismatch, or a site that suddenly loads over plain HTTP, gives the redirect away.
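A practical way to spot this kind of hijack from inside the affected network is to cross-check what the router's resolver answers against what a domain should legitimately resolve to. The following script is an added example, not code from Netlab or from the GhostDNS campaign: it parses dnsmasq-style reply lines, flags answers for monitored domains that fall outside their expected address prefixes, and checks whether the resolvers the router hands out are on a trusted list. The domain names, prefixes and log lines are constructed for illustration (RFC 5737/3849 documentation ranges), and `EXPECTED_PREFIXES` is a hypothetical allow-list you would fill from your own bank's or ISP's published ranges.

```python
"""Detect router-level DNS hijacking by cross-checking resolver answers.

Added example; not code from Netlab or the GhostDNS campaign.
All domains, prefixes and log lines below are constructed.
"""
import ipaddress
import re
import socket
from typing import Dict, Iterable, List

# Hypothetical allow-list: prefixes each monitored domain legitimately
# resolves into (constructed values, documentation ranges only).
EXPECTED_PREFIXES: Dict[str, List[str]] = {
    "bank.example": ["203.0.113.0/24", "2001:db8:1::/48"],
    "isp-portal.example": ["198.51.100.0/24"],
}

# Constructed dnsmasq-style reply lines. The fourth line shows a hijacked
# answer: the banking domain resolves to an address outside its prefixes.
SAMPLE_LOG = """\
Sep 30 10:02:11 dnsmasq[812]: reply isp-portal.example is 198.51.100.7
Sep 30 10:02:12 dnsmasq[812]: reply bank.example is 203.0.113.20
Sep 30 10:02:12 dnsmasq[812]: reply bank.example is 2001:db8:1::20
Sep 30 10:05:40 dnsmasq[812]: reply bank.example is 192.0.2.66
Sep 30 10:05:41 dnsmasq[812]: reply bank.example is <CNAME>
"""

REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<answer>\S+)")


def parse_replies(log_text: str) -> Dict[str, List[str]]:
    """Collect A/AAAA answers per name; non-address answers such as
    '<CNAME>' markers are skipped rather than treated as hijacks."""
    answers: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("answer"))
        except ValueError:
            continue
        answers.setdefault(m.group("name").lower(), []).append(str(ip))
    return answers


def find_hijacked(answers: Dict[str, List[str]],
                  expected: Dict[str, List[str]] = EXPECTED_PREFIXES,
                  ) -> Dict[str, List[str]]:
    """Return {domain: [suspicious IPs]} for monitored domains whose
    observed answers lie outside every expected prefix."""
    flagged: Dict[str, List[str]] = {}
    for name, prefixes in expected.items():
        nets = [ipaddress.ip_network(p) for p in prefixes]
        for ip_str in answers.get(name, []):
            ip = ipaddress.ip_address(ip_str)
            # 'in' is False across IPv4/IPv6, so mixed families are safe.
            if not any(ip in net for net in nets):
                flagged.setdefault(name, []).append(ip_str)
    return flagged


def unexpected_resolvers(configured: Iterable[str],
                         trusted: Iterable[str]) -> List[str]:
    """Resolver addresses the router handed out (e.g. via DHCP) that are
    not on the trusted list; a rogue DNS server shows up here."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    return [c for c in configured if ipaddress.ip_address(c) not in trusted_ips]


def live_answers(names: Iterable[str]) -> Dict[str, List[str]]:
    """Ask the system resolver (whatever the router configured) for each
    name. Needs network access; the sample run below does not use it."""
    out: Dict[str, List[str]] = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, None)
        except socket.gaierror:
            infos = []
        out[name] = sorted({info[4][0] for info in infos})
    return out


if __name__ == "__main__":
    observed = parse_replies(SAMPLE_LOG)
    for name, ips in find_hijacked(observed).items():
        print(f"possible hijack: {name} -> {', '.join(ips)}")
    # Constructed DHCP-provided resolvers versus a hypothetical trusted list.
    rogue = unexpected_resolvers(["192.0.2.53", "203.0.113.53"],
                                 ["203.0.113.53", "203.0.113.54"])
    print(f"untrusted resolvers: {rogue}")
```

On a real network you would feed `find_hijacked` the output of `live_answers` for the domains you care about, and compare the resolvers from the router's DHCP lease against your ISP's documented ones. A mismatch is not proof of compromise (CDNs move addresses), but a banking domain resolving into an address range that belongs to an unrelated cloud provider is exactly the signal this campaign produces.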
Note that although most of the infected routers are in Brazil (87.8%) and the phishing pages impersonate Brazilian companies, the infection extends across South America, with more than 100,000 routers affected in total. Netlab is working with the major providers to tighten vulnerability management and to shut down the malicious DNS servers that send users to the phishing sites.
Finally, Spamhaus ranks Brazil third in the world for botnet infections, with 756,420 infected devices, behind only China (1.66 million) and India (about 1.48 million).