orange arrow

Hackers in Your Home - DNS Hijacking

Written by Zachary Blenden

Hackers can infiltrate people’s home networks through their routers using an attack called DNS Hijacking. This type of attack changes the router’s DNS settings to display malicious webpages chosen by the attacker. While this type of attack is not new, it has been more widely used over the past few months during the COVID-19 pandemic.

DNS Hijacking attacks are designed to trick the victim into thinking that he / she is receiving an emergency update or to display fake webpages similar to those frequently visited by the victim (e.g., online banking ). Once the user is directed to these mock pages, he / she is instructed to enter login information or personally identifiable information (PII) which is then sent back to the attacker, or to download a malicious payload.

With many more millions of people currently working from home on their own network hardware, DNS Hijacking poses an immediate threat both to individuals and their employers. In a typical corporate setting, an attacker must bypass various safeguards in order to penetrate the network. Home routers, on the other hand, are typically set up right out of the box with default settings and not properly configured or updated over time.

W.H.O. Themed Attacks

In recent DNS Hijacking attacks, attackers have been targeting Linksys and D-Link routers to serve a mock World Health Organization webpage that hosts Oski infostealer designed to extract browser credentials and other victim data. In some cases, the attackers simply scan the internet for vulnerable routers and attempt to brute-force weak administrative passwords.

Once the router is compromised and the DNS setting has been changed, a malicious page is displayed instructing the victim to download an application from the W.H.O. to receive important information related to the COVID-19 pandemic. Once the user clicks on the link, he / she is redirected to a Bitbucket page to install the malicious application.

Since the router itself is compromised, the user may never see any form of antivirus notification. The attack targets the router directly by compromising it, changing its default DNS settings to display webpages of the attacker’s choosing, and hosting the malware outside of the network on cloud-based infrastructure. This makes these types of attacks much more difficult to detect.

These attacks targeting consumer routers are often abusing vulnerabilities in outdated firmware or in default settings on the router. With more people teleworking than ever before, this has become greater for corporations and organizations that cannot monitor or control their employees’ home networks and router configurations. They can, however, take steps to ensure that employee devices are properly secured and connections to corporate networks are secured and monitored.

Example of a malicious page directing users to install the malware
Example of a malicious page directing users to install the malware

Recommendations

Individuals can take steps to prevent DNS hijacking attacks. Here are some recommendations geared towards both employers and home users below:

For employers:

  • Educate employees about the risk of DNS hijacking attacks and communicate best practices that include the recommendations below.

For home users / small businesses:

  • Apply router firmware updates.
  • Change router’s control panel access credentials.
  • Changing any default administrative credentials to complex passwords.
  • Periodically check what server is making your DNS requests by visiting whoismydns.com. If the company does not look familiar (typically your ISP) and the DNS server was not configured manually, this may indicate a DNS hijack on your home router.

About the Author

Zac Blenden is a Threat Intelligence Analyst at Q6 Cyber with a focus on cybercriminal communities and activity. Prior to Q6, Zac was a Penetration Tester and Threat Intelligence Analyst.