Author Topic: Polish home routers under attack by Hackers  (Read 3236 times)

Samker

Polish home routers under attack by Hackers
« on: 08. February 2014., 10:05:23 »


Attacks recently observed in Poland involved cybercriminals hacking into home routers and changing their DNS settings so they can intercept user connections to online banking sites.

Researchers from the Polish Computer Emergency Response Team (CERT Polska) believe attackers will likely target users from other countries as well in the future using similar techniques: http://scforum.info/index.php/topic,8620.0.html

“The attack is possible due to several vulnerabilities in home routers that make DNS configuration susceptible to unauthorized remote modifications,” the Polish CERT researchers said Thursday in a blog post. “In the resulting man-in-the-middle attack content of several e-banking websites was altered to include JavaScript injects that tricked users into giving up their usernames, passwords and TANs [transaction authentication numbers]. Effectively, money is stolen from users’ bank accounts”: https://www.cert.pl/news/8019/langswitch_lang/en

Unless intentionally configured otherwise, devices connected to a local network will typically use the DNS server provided by the network’s router to resolve domain names to IP (Internet Protocol) addresses. If attackers compromise the router and configure it to use a DNS server under their control, they can respond with rogue IP addresses to DNS queries for the domain names they wish to target.

In the recent attacks in Poland, the hackers used a DNS server that responded with rogue IP addresses for the domain names of five Polish banks. Those IP addresses corresponded to a server that acted as a proxy, providing attackers with a man-in-the-middle position to intercept, inspect and modify traffic between users and the online banking websites they wanted to target.

The problem for the hackers was that those sites used HTTPS—HTTP with SSL encryption—making it impossible to impersonate them without a valid digital certificate issued by a certificate authority. Because of this, they decided to use a less sophisticated technique known as SSL stripping.

Many banks use SSL encryption for their online banking systems, but not their entire websites. In most cases, users first connect to the bank’s main website over plain HTTP and then click on a button or link to access the log-in page for the secure part of the site where SSL is enabled.

It is at this point that attackers prevented the secure connection from being established. Their rogue proxy server established an encrypted connection with the online banking site, but kept the connection between the user and itself unencrypted.

When such an attack is in progress, the visual indicators for secure SSL connections are missing from the browser. However, it’s hard for the victims to notice since they clicked on a URL from the bank’s real website so they have no reason to suspect an attack, said Przemyslaw Jaroszewski, the head of incident response at CERT Polska.

The attackers went even further and rewrote the URLs seen by users in their browser’s address bar to have “ssl-.” in front of the domain name.

While none of the individual techniques used in the attacks were new, Jaroszewski said that as far as he knows this is the first time when attackers used them together in a mass attack targeting online banking users.

Polish IT security outfit Niebezpiecznik.pl linked the attacks to a vulnerability reported last month in ZyNOS, a router firmware created by ZyXEL Communications that’s apparently also used in some router models from other manufacturers including TP-Link, ZTE, D-Link and AirLive: http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/

The vulnerability allows attackers to download a file containing the router’s configuration without authentication. The file can then be unpacked and parsed to extract the password for the router’s administrative interface.

CERT Polska couldn’t definitively link a particular vulnerability to the DNS attacks, Jaroszewski said. While the ZyNOS vulnerability looks like a strong candidate, some of the attacks date back to late December, before the vulnerability was publicly disclosed, he said.

“There are many ways to modify DNS entries in home routers, some of them known for years,” Jaroszewski said. “It is actually surprising that it’s the first time we see it exploited for profit on a mass scale.”

Many vulnerabilities that allowed remote access to the administration interface of home routers were found over the years, including in models supplied by various ISPs to their customers.

Three vulnerabilities were found last month in a router called EE BrightBox that’s provided by British broadband provider EE to customers as standard equipment. One of those vulnerabilities could potentially allow attackers to change the router’s DNS configuration: https://scotthelme.co.uk/ee-brightbox-router-hacked/

Jaroszewski believes that it’s likely DNS attacks like those in Poland will be used against online banking users in other countries in the future. However, for now he wasn’t aware of any reports of similar attacks outside Poland.

While routers configured for remote administration over the Internet are obviously more likely to be targeted, Jaroszewski said that he knows of cases where malicious JavaScript code loaded from a website was used to instruct visitors’ browsers to send rogue commands to their home routers over the local networks using default credentials. This is known as a cross-site request forgery attack.

“In order to protect a home routers from the attack, any type of remote administration access from the Internet should be disabled,” the Polish CERT researchers said. “Default usernames and passwords should be changed to unique ones, not revealed publicly.”

(PCW)

Samker's Computer Forum - SCforum.info
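
A defender-side check for the two signs the article above describes, added here as an example (it is not part of the original post and not CERT Polska's tooling): a watched domain that the router-supplied resolver maps to addresses a trusted reference resolver never returns, and plain-HTTP URLs whose host carries the “ssl-.” prefix. All domain names, addresses and URLs are constructed placeholders; disjoint DNS answers can also be legitimate (CDNs, geo-balancing), so a hit is a prompt to inspect the router's DNS settings, not proof of compromise.

```python
# Added example: constructed data and hypothetical names throughout.
from urllib.parse import urlsplit

WATCHED = {"bank.example"}  # placeholder for the banking domains being monitored

# Constructed sample: A records from the router-supplied resolver versus a
# reference resolver reached over a trusted path.
ROUTER_ANSWERS = {"bank.example": {"203.0.113.66"},
                  "news.example": {"198.51.100.7"}}
REFERENCE_ANSWERS = {"bank.example": {"192.0.2.10", "192.0.2.11"},
                     "news.example": {"198.51.100.7"}}

# Constructed sample: URLs taken from a browser history or proxy log.
URLS = [
    "http://bank.example/",
    "http://ssl-.bank.example/login",
    "https://bank.example/login",
    "http://news.example/story",
]

def watched_base(host):
    """Return the watched domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in WATCHED:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def dns_mismatches(router, reference):
    """Watched names whose router-side answers share no address with the reference."""
    return sorted(
        name for name in router
        if watched_base(name) and name in reference
        and not (router[name] & reference[name])
    )

def stripped_urls(urls):
    """Plain-HTTP URLs for watched domains whose host contains the 'ssl-' label."""
    hits = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme == "http" and watched_base(host) and "ssl-" in host.split("."):
            hits.append(url)
    return hits

if __name__ == "__main__":
    print("DNS mismatch:", dns_mismatches(ROUTER_ANSWERS, REFERENCE_ANSWERS))
    print("Stripped login URLs:", stripped_urls(URLS))
```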

devnullius

Re: Polish home routers under attack by Hackers
« Reply #1 on: 08. February 2014., 10:47:24 »
 :down: hacked hacked hacked


Is there nothing that works and is safe? :(

And people ask why I won't join them on IRC... With my full host name naked for all to see... Bah! I'd rather go to nudist camp!

Luckily, Anonymous offers anonymous irc chat just for this reason :)

Thanx for sharing!

Karma!


Devnullius






Fintech

Re: Polish home routers under attack by Hackers
« Reply #2 on: 10. February 2014., 18:53:22 »
:down: hacked hacked hacked... :(

Is there nothing that works and is safe? ??? Not so many, I think  :(

@devvie don't bother about me! You will do fine work :bih:

With your bitcoin work we've got many new members here!

