posted by janrinok on Monday August 13 2018, @04:49AM

Submitted via IRC for SoyCow1984

DLink vulnerability lets attackers remotely change DNS server settings.

Hackers have been exploiting a vulnerability in DLink modem routers to send people to a fake banking website that attempts to steal their login credentials, a security researcher said Friday.

The vulnerability works against DLink DSL-2740R, DSL-2640B, DSL-2780B, DSL-2730B, and DSL-526B models that haven’t been patched in the past two years. As described in disclosures here, here, here, here, and here, the flaw allows attackers to remotely change the DNS server that connected computers use to translate domain names into IP addresses.

According to an advisory published Friday morning by security firm Radware, hackers have been exploiting the vulnerability to send people trying to visit two Brazilian bank sites—Banco de Brasil’s www.bb.com.br and Unibanco’s www.itau.com.br—to malicious servers rather than the ones operated by the financial institutions. In the advisory, Radware researcher Pascal Geenens wrote:

The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. A user can use any browser and his/her regular shortcuts, he or she can type in the URL manually or even use it from mobile devices such as iPhone, iPad, Android phones or tablets. He or she will still be sent to the malicious website instead of to their requested website, so the hijacking effectively works at the gateway level.

Source: https://arstechnica.com/information-technology/2018/08/in-the-wild-router-exploit-sends-unwitting-users-to-fake-banking-site/


  • (Score: 0) by Anonymous Coward on Monday August 13 2018, @05:04AM (1 child)

    by Anonymous Coward on Monday August 13 2018, @05:04AM (#720844)

    I am in the habit of setting DNS manually for each device. Most devices use AdGuard DNS, which allows adblocking on otherwise locked-down systems such as gaming consoles, while for Android devices I use VPN redirectors like Blokada, DNS66 or NetGuard. On devices that I mostly control and use daily (GNU/Linux PCs, occasional Windows boxes) I use one of the anti-censorship DNS providers that claim to keep no logs.

    • (Score: 2) by Mykl on Monday August 13 2018, @06:10AM

      by Mykl (1112) on Monday August 13 2018, @06:10AM (#720853)

      That makes you one of the lucky 0.1% (0.01%)? of users who would not be affected by this exploit. It seems from the article that this was a genuine exploit too, and not just password-guessing.

      Excuse me while I manually set my DNS...

  • (Score: 2) by MichaelDavidCrawford on Monday August 13 2018, @07:01AM (1 child)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Monday August 13 2018, @07:01AM (#720857) Homepage Journal

    You say that like it's a bad thing.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 2) by Freeman on Monday August 13 2018, @03:14PM

      by Freeman (732) on Monday August 13 2018, @03:14PM (#721002) Journal

      So it has come to this.

      https://www.xkcd.com/1022/ [xkcd.com]

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 0) by Anonymous Coward on Monday August 13 2018, @07:41AM (5 children)

    by Anonymous Coward on Monday August 13 2018, @07:41AM (#720861)

    and DNSSEC is not deployed by these banking sites why? And DNSSEC is not used by clients, why?

    All these things are only possible because of lazy admins not deploying DNSSEC. True, it's still a little difficult to get an official certificate for a bank from a CA, but without DNSSEC you can redirect HTTP traffic at least, and then you can use international character sets to make a similar-looking domain name that will get authenticated and get a CA. So again, why is DNSSEC not deployed by banks??

    • (Score: 3, Funny) by FatPhil on Monday August 13 2018, @11:02AM (3 children)

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday August 13 2018, @11:02AM (#720899) Homepage
      But wouldn't this also be defanged just from using HTTPS? And why on earth are banks not using HTTPS?

      Having said that I can imagine a phishing page being sneaky and saying something like "please log in to enter our secure site" to fool people into accepting being on an insecure page.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 4, Informative) by Pino P on Monday August 13 2018, @12:44PM (2 children)

        by Pino P (4721) on Monday August 13 2018, @12:44PM (#720936) Journal

        The featured article states that the spoofed site uses a certificate from an unknown issuer, yet users just clicked past it.

        • (Score: 2) by FatPhil on Monday August 13 2018, @02:06PM

          by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday August 13 2018, @02:06PM (#720976) Homepage
          Ah, I read the "here", "here", "here", "here", "here", and "advisory" links, but not that final one - thanks!
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 2) by FatPhil on Monday August 13 2018, @02:09PM

          by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday August 13 2018, @02:09PM (#720980) Homepage
          However, "Geenens told Ars that Banco de Brasil’s website can be accessed over unencrypted and unauthenticated HTTP connections [...]"
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by Pino P on Monday August 13 2018, @12:41PM

      by Pino P (4721) on Monday August 13 2018, @12:41PM (#720934) Journal

      DNSSEC got off to a bad start when browsers didn't want to rely on a root key that was only 1024 bits. Even nowadays, some major registrars such as GoDaddy consider DNSSEC a premium feature and charge extra for adding DNSSEC to the zone hosting bundled with a domain. Between these, we ended up with Let's Encrypt instead of DANE TLSA.
