Ongoing DNS Hacks Still Targeting Gmail, PayPal and Netflix Users

A DNS hijacking campaign that has been ongoing for the past three months is targeting the users of popular online services, including Gmail, PayPal, and Netflix.

As part of the campaign, the attackers compromised consumer routers to modify their DNS settings and redirect users to rogue websites to steal their login credentials.

Bad Packets security researchers, who have been following the attacks since December, have identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.

“All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169),” the researchers reveal.

The first DNS hijacking exploit targeted D-Link DSL modems such as the DSL-2640B, DSL-2740R, DSL-2780B, and DSL-526B. The rogue DNS server used in this attack was hosted by OVH Canada (IP address 66.70.173.48).

A second wave targeted the same types of D-Link modems, but the rogue DNS server had a different IP address, 144.217.191.145 (also hosted by OVH Canada).

Most of the “DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082),” the security researchers say.

A third wave of attacks targeted a larger number of consumer router models, including ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.

The attacks came from three distinct Google Cloud Platform hosts, and two rogue DNS servers were used, both hosted in Russia by Inoventica Services (195.128.126.165 and 195.128.124.131).

In all attacks, the operators performed an initial recon scan using Masscan to check for active hosts on port 81/TCP, and only then launched the DNS hijacking exploits.
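Because the hijack works by rewriting the resolver addresses a compromised router hands out, a quick defensive check is to audit which nameservers a host is actually using. The following script is an added example, not code from the article or from Bad Packets: it parses resolv.conf-style text and labels each nameserver as one of the four rogue resolvers named above, the LAN router, an expected public resolver (the allowlist is a constructed assumption), or an unexpected one.

```python
import ipaddress

# Rogue resolver addresses reported by Bad Packets, as quoted in the article.
ROGUE_RESOLVERS = {
    "66.70.173.48", "144.217.191.145",
    "195.128.126.165", "195.128.124.131",
}
# Constructed allowlist of resolvers this network is expected to use (assumption).
EXPECTED_RESOLVERS = {"9.9.9.9", "1.1.1.1"}

def parse_nameservers(resolv_conf):
    """Extract nameserver addresses from resolv.conf-style text."""
    found = []
    for raw in resolv_conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "nameserver":
            try:
                found.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                pass  # skip malformed entries rather than abort the audit
    return found

def classify_resolver(addr):
    """Label a resolver: known rogue IoC, LAN router, expected resolver, or unexpected."""
    if addr in ROGUE_RESOLVERS:
        return "rogue"
    if ipaddress.ip_address(addr).is_private:
        return "lan"  # typically the home router handing out DNS via DHCP
    if addr in EXPECTED_RESOLVERS:
        return "expected"
    return "unexpected"  # a public resolver nobody configured on purpose

def audit(resolv_conf):
    """Map each configured nameserver to its classification."""
    return {ns: classify_resolver(ns) for ns in parse_nameservers(resolv_conf)}

# Constructed sample imitating a hijacked router that pushes a rogue resolver first.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP (constructed sample)
nameserver 144.217.191.145
nameserver 192.168.1.1
nameserver 9.9.9.9
nameserver not-an-ip
"""

if __name__ == "__main__":
    for ns, verdict in audit(SAMPLE_RESOLV_CONF).items():
        print(f"{ns:18} {verdict}")
```

An "unexpected" verdict is a prompt to check the router's DNS settings and firmware, not proof of compromise; rogue infrastructure changes between waves, as the article's own IP list shows.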

The campaign was meant to take the users of Gmail, PayPal, Netflix, Uber, and several Brazilian banks to rogue domains and trick them into revealing their usernames and passwords, Stefan Tanase, Principal Security Researcher at Ixia, says.

The security researchers found over 16,500 vulnerable routers potentially exposed to this DNS hijacking campaign.

“Establishing a definitive total of vulnerable devices would require us to employ the same tactics used by the threat actors in this campaign,” Bad Packets says.

The attackers abused Google Cloud Platform for these attacks mainly because anyone with a Google account can easily access “Google Cloud Shell,” a service that provides users “with the equivalent of a Linux VPS with root privileges directly in a web browser,” the researchers explain.
