Spam Uses Default Passwords to Hack Routers

[amazinghorse]

 

In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims.

 

Sunnyvale, Calif. based security firm Proofpoint said it recently detected a four-week spam campaign sent to a small number of organizations and targeting primarily Brazilian Internet users. The emails were made to look like they were sent by Brazil’s largest Internet service provider, alerting recipients about an unpaid bill. In reality, the missives contained a link designed to hack that same ISP’s router equipment.

 

According to Proofpoint, the link in the spam campaign led to a page that mimicked the telecom provider. The landing page included code that silently attempted to execute what’s known as a cross-site request forgery attack on known vulnerabilities in two types of routers, UT Starcom and TP-Link. The malicious page would then invoke hidden inline frames (also known as “iframesâ€) that try to log in to the administration page of the victim’s router using a list of known default credentials built into these devices.

 

If successful, the attacker’s script would modify the domain name system (DNS) settings on the victim’s router, adding the attacker’s own DNS server as the primary server while assigning the secondary DNS server to Google’s public DNS (8.8.8.8). Such a change would allow the attackers to hijack the victim’s traffic to any Web site, redirecting it away from the legitimate site to a look-alike page designed to siphon the victim’s credentials. In the event that the attacker’s DNS server was unresponsive for any reason, the victim’s router would still function normally.

 

 

The malicious script used by the spammers in this campaign tries multiple default credentials in a bid to hijack routers with factory-default settings. Image: Proofpoint.

 

The real danger of attacks like these is that they bypass antivirus and other security tools, and they are likely to go undetected by the victim for long periods of time.

“There is virtually no trace of this thing except for an email,†said Kevin Epstein, vice president of advanced security and governance at Proofpoint. “And even if your average user knows to look at his router’s DNS settings, he’s unlikely to notice anything wrong or even know what his normal DNS settings should be.â€

Many modern routers have built-in defenses against such attacks (including countermeasures known as CSRF tokens), but new vulnerabilities in existing routers — even recent model routers — are constantly being uncovered. I asked Proofpoint whether such protections — or security improvements built into most modern browsers — would have stopped this attack. Their experts seemed to think not.

“The routers being attacked in our example were not so diligent and so were vulnerable to this attack,†Proofpoint’s lead analyst wrote in an email response to my question. “What you’re likely thinking of is the cross-origin policy, which is designed to prevent attacks similar (but not identical) to this one (it mostly focuses on javascript). In this case, iframes are permitted by default, so modern browsers (by design) will happily participate in the attack we documented.â€

 

In any case, I hope it’s clear by now that leaving the default credentials in place on your router is merely inviting trouble. Last month, I wrote about how the botnet used to take down Sony and Microsoft‘s online gaming networks was built on the backs of hacked home routers that were all running factory-default administrative credentials.

If you haven’t changed the default credentials on your router, it’s time to do that. If you don’t know whether you’ve changed the default administrative credentials for your wired or wireless router, you probably haven’t. Pop on over to routerpasswords.com and look up the make and model of your router.

To see whether your credentials are the default, you’ll need to open up a browser and enter the numeric address of your router’s administration page. For most routers, this will be 192.168.1.1 or 192.168.0.1. This page lists the default internal address for most routers. If you have no luck there, here’s a decent tutorial that should help most users find this address. And check out my Tools for a Safer PC primer for more tips on how to beef up the security of your router and your Web browser.

 

Read more about this attack at Proofpoint’s blog post.