Ongoing DNS Hacks Still Targeting Gmail, PayPal and Netflix Users

A DNS hijacking campaign that has been ongoing for the past three months is targeting the users of popular online services, including Gmail, PayPal, and Netflix.

As part of the campaign, the attackers compromised consumer routers to modify their DNS settings and redirect users to rogue websites to steal their login credentials.

Bad Packets security researchers, who have been following the attacks since December, have identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.

“All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169),” the researchers reveal.

The first DNS hijacking exploit targeted D-Link DSL modems such as D-Link DSL-2640B, DSL-2740R, DSL-2780B, and DSL-526B. The rogue DNS server used in this attack was hosted by OVH Canada (IP address 66.70.173.48).

A second wave targeted the same types of D-Link modems, but the rogue DNS server had a different IP address, 144.217.191.145 (also hosted by OVH Canada).

Most of the “DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082),” the security researchers say.

A third wave of attacks targeted a larger number of consumer router models, including ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.

The attacks came from three distinct Google Cloud Platform hosts, and two rogue DNS servers were used, both hosted in Russia by Inoventica Services (195.128.126.165 and 195.128.124.131).

In all attacks, the operators performed an initial recon scan using Masscan to check for active hosts on port 81/TCP, and only then launched the DNS hijacking exploits.
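
The two symptoms a defender can look for after a campaign like this are a rogue resolver in the router's DNS settings and answers for impersonated sites that disagree with an independent resolver. The script below is an added example, not code from the article or from Bad Packets: it checks resolv.conf-style settings against the four rogue resolver addresses listed above and compares the configured resolver's answers with a trusted one for the impersonated services. The hostnames, the resolver callables and all sample data (RFC 5737 documentation addresses, Google's 8.8.8.8 as the benign entry) are constructed here so it runs offline.

```python
"""Added example (not from the article): defender-side checks for the two
symptoms of the router DNS hijack described above.

1. The router's configured resolvers are compared against the rogue resolver
   addresses Bad Packets reported.
2. Answers for impersonated domains from the configured resolver are compared
   with answers from an independent, trusted resolver.

Resolvers are passed in as callables so the check runs offline on constructed data.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

# Rogue resolver addresses named in the article (Bad Packets' findings).
KNOWN_ROGUE_RESOLVERS = frozenset({
    "66.70.173.48",      # first D-Link wave, OVH Canada
    "144.217.191.145",   # second D-Link wave, OVH Canada
    "195.128.126.165",   # third wave, Inoventica Services
    "195.128.124.131",   # third wave, Inoventica Services
})

# Services the campaign impersonated per the article; exact hostnames are an assumption.
WATCHED_DOMAINS = ("mail.google.com", "www.paypal.com", "www.netflix.com")

Resolver = Callable[[str], Set[str]]  # hostname -> set of A-record addresses


def parse_nameservers(text: str) -> List[str]:
    """Extract resolver IPs from resolv.conf-style text ('nameserver <ip>' lines).
    Comments and malformed entries are skipped."""
    servers: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not an IP address; ignore the line
    return servers


def flag_known_rogue(servers: Iterable[str]) -> List[str]:
    """Return configured resolvers that match the campaign's rogue servers."""
    return [s for s in servers if s in KNOWN_ROGUE_RESOLVERS]


def compare_resolutions(domains: Iterable[str], configured: Resolver,
                        trusted: Resolver) -> Dict[str, List[str]]:
    """Return domains whose answer set from the configured resolver shares no
    address with the trusted resolver's answer set.  CDN-fronted sites can
    legitimately answer differently from two vantage points, so a mismatch is
    a signal for investigation, not proof of hijacking."""
    mismatches: Dict[str, List[str]] = {}
    for name in domains:
        seen, expected = configured(name), trusted(name)
        if seen and not (seen & expected):
            mismatches[name] = sorted(seen)
    return mismatches


def assess_router(resolv_text: str, configured: Resolver,
                  trusted: Resolver) -> Dict[str, object]:
    """Run both checks and return a small report dict."""
    servers = parse_nameservers(resolv_text)
    rogue = flag_known_rogue(servers)
    mismatched = compare_resolutions(WATCHED_DOMAINS, configured, trusted)
    return {
        "nameservers": servers,
        "known_rogue": rogue,
        "mismatched_domains": mismatched,
        "hijack_suspected": bool(rogue or mismatched),
    }


# --- constructed sample data (not captured from a real device) -------------
SAMPLE_RESOLV_CONF = """\
# exported from router admin page (constructed sample)
nameserver 195.128.126.165
nameserver 8.8.8.8
nameserver not-an-ip
"""

# RFC 5737 documentation addresses, used only as placeholders.
_HIJACKED_ANSWERS = {
    "mail.google.com": {"203.0.113.7"},    # rogue resolver points the site at an attacker host
    "www.paypal.com": {"203.0.113.7"},
    "www.netflix.com": {"198.51.100.20"},  # left untouched by the rogue resolver
}
_TRUSTED_ANSWERS = {
    "mail.google.com": {"198.51.100.10", "198.51.100.11"},
    "www.paypal.com": {"198.51.100.12"},
    "www.netflix.com": {"198.51.100.20"},
}


def hijacked_resolver(name: str) -> Set[str]:
    return set(_HIJACKED_ANSWERS.get(name, set()))


def trusted_resolver(name: str) -> Set[str]:
    return set(_TRUSTED_ANSWERS.get(name, set()))


if __name__ == "__main__":
    import json
    print(json.dumps(assess_router(SAMPLE_RESOLV_CONF, hijacked_resolver,
                                   trusted_resolver), indent=2))
```

In practice the `configured` callable would query the router's advertised resolver and `trusted` an independent resolver over an authenticated transport (DoH/DoT), so that the comparison itself cannot be tampered with by the same rogue DNS; the IoC list is the cheap first check, the answer comparison catches rogue resolvers that are not yet on any list.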

The campaign was meant to take the users of Gmail, PayPal, Netflix, Uber, and several Brazilian banks to rogue domains and trick them into revealing their usernames and passwords, Stefan Tanase, Principal Security Researcher at Ixia, says.

The security researchers found over 16,500 vulnerable routers potentially exposed to this DNS hijacking campaign.

“Establishing a definitive total of vulnerable devices would require us to employ the same tactics used by the threat actors in this campaign,” Bad Packets says.

The attackers abused Google Cloud Platform for these attacks mainly because anyone with a Google account can easily access “Google Cloud Shell,” a service that provides users “with the equivalent of a Linux VPS with root privileges directly in a web browser,” the researchers explain.
