Vulnerable routers abused to reroute users’ web traffic to phishing websites, install cryptomining scripts, or serve malicious advertising

Prague, Czech Republic / Sydney, Australia, September 4th, 2019 – Earlier in the year, the Federal government agency Australian Cyber Security Centre (ACSC) made an announcement that it is aware of a global Domain Name System (DNS) infrastructure hijacking campaign and released a statement outlining best practices for how organisations can protect their systems.

Cybercriminals use cross-site request forgery (CSRF) attacks to carry out commands without the users’ knowledge, in this case to silently modify the users’ DNS settings to perform phishing and crypto-mining attacks, or attacks via malicious ads. Known router exploit kits used to attack routers include GhostDNS, Novidade, and in April 2019, Avast discovered SonarDNS.

So far in 2019, Avast has stopped more than 70,000 GhostDNS attacks.

The GhostDNS exploit kit is very popular in many parts of the global underground hacking scene and some of its variants belong to the most active exploit kits targeting routers in 2019. The GhostDNS variant Novidade attempted to infect Avast users’ routers over 2.6 million times in February alone and was spread via three campaigns. According to Netlab360, GhostDNS consists of a complex system with a phishing web system, web admin system, and rogue DNS system.

The threat actors behind GhostDNS are trying to increase their attack success rate by scanning routers’ IP addresses via public mass scans. The same rouge DNS servers 195[.]128.124[.]131 and 195.128.126[.]165 detected by @bad_packets’ honeypots were also spotted in other GhostDNS campaigns this year.

DNS hijacking leading to phishing attacks
A router CSRF attack is typically initiated when the user visits a compromised website with malicious advertising (malvertising), which is served using third party ad networks to the site. Avast frequently observes malvertising infections on local websites that host adult content, illegal movies and sports. Just by visiting a compromised site, the victim is redirected to a router exploit kit landing page, initiating the attack on their router automatically, without user interaction, in the background.

In many cases the exploit kits can successfully attack a router due to weak passwords. It first tries to find the router IP on the network, and then attempts to guess the password using various login credentials. Here is the list of top used credentials that common exploit kits try to use:

As one of the consequences, the router is reconfigured to use rogue DNS servers, which redirect victims to phishing pages that closely look like real online banking sites. Most recently, Netflix became a popular domain for DNS hijackers.

“The affected institutions are generally targeted due to their popularity, and the problem is that there is little that a company can do to avoid falling victim, apart from alerting their customers, as the phishing sites are located outside of the company’s domains,” said David Jursa, Threat Intelligence Analyst at Avast.

Malicious ads and cryptomining attacks
Aside from phishing, cybercriminals use DNS hijacking to replace legitimate ads with malicious ads. For example, cybercriminals can hijack ad platforms, such as Outbrain, which can be integrated into websites to serve ads to website visitors. If the ad platform’s server address is hijacked on the users’ router, the user will see malicious ads. These may, for example, try to trick users into downloading more malware, or to direct them to unsolicited websites with shady or illegal content.
Moreover, Avast threat researchers have also seen cybercriminals use DNS hijacking to push malicious cryptomining scripts to a users’ browser, so that the users’ machines can be abused in order to mine crypto coins. This activity can also lead to high energy bills, and a shortened life cycle for affected devices.

Staying protected
David Jursa continues: “Users should be careful when visiting their bank’s website or Netflix, and make sure the page has a valid certificate. They can do this by checking for the padlock in the browser URL bar. Additionally, users should frequently update their router’s firmware to the latest version, and set up their router’s login credentials with a strong password.”

People can find out whether their router is infected by using the Avast Wi-Fi Inspector feature, which is part of Avast Free Antivirus and all of Avast’s paid antivirus versions, which also includes Avast Web Shield, a core shield that protects users from CSRF attacks.

About Avast
Avast (LSE:AVST) is the global leader in digital security products. With over 400 million users online, Avast offers products under the Avast and AVG brands that protect people from threats on the internet and the evolving IoT threat landscape. The company’s threat detection network is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, OPSWAT, West Coast Labs and others. Visit: