A web-based attack discovered in Brazil aims to replace the DNS (Domain Name System) settings in home routers with malicious DNS servers that direct victims to phishing pages of financial institutions.
The change is made by steering the victim to malicious websites carrying adult content, which run scripts in the background. The scripts contain links that point to local IP addresses generally assigned to home routers and that carry a specific DNS configuration.
Some users may be asked to log into the router configuration; this is a clear sign that something is wrong.
“This depends on the strength of the access password, because the scripts also have brute-forcing capability, and they first attempt to guess the credentials on their own.”
It appears that they try fairly basic combinations (admin:admin, root:root and admin:gvt12345), so a complex passcode should make the guessing fail and cause a login dialog to pop up.
Also present in the scripts are commands for changing the primary and secondary DNS servers.
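A content filter can look for this pattern in a fetched page: resource links that target a LAN address and embed credentials or external IP addresses as parameters. The following Python sketch is an added example, not code from the article or from Kaspersky; the URL path, the parameter names and the sample page are constructed placeholders, and the external addresses come from the TEST-NET documentation range.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Credential pairs the article says the scripts try.
LISTED_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "gvt12345")}
# RFC 1918 ranges, where home routers normally sit.
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _ip(text):
    """Parse a literal IP address; return None for anything else."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _lan(ip):
    return ip is not None and any(ip in net for net in LAN)

class _Links(HTMLParser):
    """Collect every src/href value, hidden iframes and images included."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("src", "href") and v]

def find_router_dns_links(html):
    """Report URLs that target a LAN address and embed credentials or external IPs."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for url in parser.urls:
        try:
            parts = urlsplit(url)
            host = parts.hostname or ""
        except ValueError:
            continue  # malformed URL, nothing to inspect
        if not _lan(_ip(host)):
            continue  # relative link or non-LAN target
        external = [v for _, v in parse_qsl(parts.query)
                    if _ip(v) is not None and not _lan(_ip(v))]
        if external or parts.username:
            findings.append({"target": host, "external_ips": external,
                             "listed_creds": (parts.username, parts.password) in LISTED_CREDS})
    return findings

# Constructed sample page: placeholder path and parameter names, TEST-NET addresses.
SAMPLE = """<img src="/static/logo.png">
<a href="https://example.com/help?ip=203.0.113.10">help</a>
<img src="http://192.168.0.1/status.png">
<iframe style="display:none" src="http://admin:admin@192.168.1.1/PLACEHOLDER?dns1=203.0.113.10&amp;dns2=203.0.113.11"></iframe>"""
```

On the sample, only the hidden iframe is reported; the plain image fetched from 192.168.0.1 carries neither credentials nor an external address and is left alone.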
Users are tricked into accessing the malicious links via an email claiming to provide photo evidence that the victim was cheated. Kaspersky systems recorded 3,300 clicks on the malicious links, most of them traced to Brazil, although the US, China, Canada and Mexico also appeared on the map.