A new attack on routers is stealing users' banking information. The threat was identified by the security intelligence firm Trend Micro and was named Novidade. Models from D-Link, Motorola and TP-Link are among those affected. The criminals target home and small office routers and change their Domain Name System (DNS) settings through cross-site request forgery (CSRF). Once the router's DNS has been altered, the smartphones and computers behind it can be compromised.
The attack is delivered in several ways, including malicious advertising (malvertising), injection into compromised websites and instant messaging. The first Novidade sample was discovered by the researchers in August 2017, and since then two variants have been found in use in several countries. Brazil is one of the favorite targets; there, users had bank details leaked through malvertising. The largest campaign has been launched 24 million times since March.
When the victim clicks on the link, the page prepared by the hackers detects the router's IP address and blindly fires every exploit it carries at that address. The attacker then tries to log in to the router with default usernames and passwords, and the CSRF technique is used to replace the original DNS server. Once the router is compromised, every device connected to it is exposed. The crook can then carry out a pharming attack, which redirects access to a legitimate URL to a malicious website.
One of the campaigns used message notifications about the 2018 Brazilian presidential election as bait. The user opened a page and was shown a supposed survey about the candidates. While the victim filled out the questionnaire, however, malicious code attacked the router. Finally, the site asked victims to share the survey with 30 people in order to receive the results, helping to spread the scam.
Photo caption: Criminals exploited loopholes to steal user data (Photo: Luciana Maline / TechTudo)
The list of possibly affected routers was compiled by comparing the malicious code, the network traffic and the published proof-of-concept (PoC) code. According to information gathered by Trend Micro, Netlab 360 and a post on GhostDNS, the following models were affected:
- A-Link WL54AP3 / WL54AP2 (CVE-2008-6823)
- D-Link DSL-2740R
- D-Link DIR 905L
- Medialink MWN-WAPR300 (CVE-2015-5996)
- Motorola SBG6580
- GWR-120 Router
- Secutech RiS-11 / RiS-22 / RiS-33 (CVE-2018-10080)
- TP-Link TL-WR340G / TL-WR340GD
- TP-Link WR1043ND V1 (CVE-2013-2645)
To stay protected from threats like this, users should always update the router's firmware to the latest version. Another essential measure is to change the administrator username and set a strong password, avoiding the default credentials that attackers exploit as a loophole.
It is also worth changing the router's IP address and disabling remote access features. In addition, always try to use secure web connections, indicated by HTTPS in your browser's address bar, when accessing sensitive websites.
On January 3, 2019, TP-Link sent a note to TechTudo claiming to be aware of the vulnerability. The company recommends that users change the default password and keep the firmware updated. Another suggestion is to check the DNS address through the router's settings page.
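One practical way to perform the DNS check recommended above, as an added example that is not from the article, TechTudo, TP-Link or Trend Micro: send a raw A query both to the resolver the router hands out and to a trusted resolver, and report any address that only the router's resolver returned, which is the signature of the pharming described in this piece. The router address, the trusted resolver and the domain in the usage note are assumptions, and SAMPLE_RESPONSE is a constructed packet so the parser can be exercised offline.

```python
import socket
import struct

def build_a_query(domain: str, txid: int = 0x1234) -> bytes:
    # Minimal RFC 1035 query: header (RD=1, one question), QNAME, QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in domain.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(resp: bytes, pos: int) -> int:
    # Advance past a domain name, which may end in a 2-byte compression pointer
    while True:
        length = resp[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += length + 1

def parse_a_answers(resp: bytes) -> set:
    # Collect the IPv4 addresses found in the answer section of a DNS response
    _txid, _flags, qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_via(server: str, domain: str, timeout: float = 3.0) -> set:
    # Ask one specific resolver (e.g. the router's LAN address) for a domain's A records
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(domain), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_answers(data)

def pharming_suspects(domain: str, router_dns: str, trusted_dns: str) -> set:
    # Addresses the router-supplied resolver returns that a trusted resolver does not
    return resolve_via(router_dns, domain) - resolve_via(trusted_dns, domain)

# Constructed sample response: two A records for bank.example, owner names compressed (0xC00C)
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
                   + b"\x04bank\x07example\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([198, 51, 100, 7])
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 9]))
```

On a live network, `pharming_suspects("bank.example", "192.168.0.1", "1.1.1.1")` (assumed addresses) returns an empty set when the router's resolver agrees with the trusted one; any address it returns deserves a look at the router's DNS settings page.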