Exploit Home Routers Then Pharm DNS servers

Yes, another slightly new style of attack:

http://www.networkworld.com/article/2889933/hackers-exploit-router-flaws-in-unusual-pharming-attack.html

There are a couple of slightly new twists in this attack.

Proofpoint found the attack (as a spam protection company they see all kinds of emails): https://www.proofpoint.com/us/threat-insight/post/Phish-Pharm

Here is a definition of pharming: “Attackers use poisoned DNS servers to redirect address requests, usually for online banking sites, to a realistic but completely fraudulent site in order to harvest the online banking credentials of the unsuspecting end-user.”

The only way this works is to get the unsuspecting user to click on a link in a fraudulent email, which then compromises their router. The attack targeted 2 router models, specifically:

(Image: The TP-Link AC1900.)

More than likely the hackers found a way to get past the default admin password, and once inside the router they changed the DNS servers that the router hands out to client systems.

So when your machine (mobile phone or computer) reconnects and asks the router for a DNS server address, it is now handed the hacker’s DNS server.

And now that the hacker has your mobile device on his DNS servers?

Well, they will point you to their fake bank sites.

When you click on your “Commerce bank” link, for example, you are not going to your bank but to the fake bank site, which steals your credentials.
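The two symptoms described above (the router handing clients a resolver nobody configured, and that resolver answering bank hostnames with addresses the real DNS never returns) can both be checked from a client. The script below is an added example written for this post, not code from the original article or from Proofpoint. It works on constructed sample data: a resolv.conf as a DHCP client might write it, an allowlist of resolvers the network owner expects (assumed values), and answer sets for a hostname as returned by the router-supplied resolver versus a trusted one.

```python
import re

# Resolvers clients on this LAN are expected to use: the router's own LAN address
# (which forwards to the ISP) plus public resolvers the owner chose. Assumed
# allowlist for this example; replace with the addresses valid on your network.
TRUSTED_RESOLVERS = {"192.168.0.1", "8.8.8.8", "1.1.1.1"}

# Constructed sample of a client's /etc/resolv.conf after the router's DHCP
# settings were tampered with: the first nameserver is not one of ours.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search home.lan
nameserver 203.0.113.45
nameserver 192.168.0.1
"""

# Constructed answers for the same hostnames from two resolvers: the one the
# router handed out via DHCP ("router_dns") and a trusted reference ("trusted_dns").
SAMPLE_LOOKUPS = {
    "online.bank.example": {
        "router_dns": {"198.51.100.7"},
        "trusted_dns": {"192.0.2.10", "192.0.2.11"},
    },
    "www.news.example": {
        "router_dns": {"203.0.113.200"},
        "trusted_dns": {"203.0.113.200"},
    },
}

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_nameservers(resolv_conf: str) -> list:
    """Return the resolver addresses listed in resolv.conf-style text, in order,
    skipping comment lines and directives such as 'search' or 'options'."""
    servers = []
    for line in resolv_conf.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = NAMESERVER_RE.match(line)
        if match:
            servers.append(match.group(1))
    return servers


def unexpected_resolvers(resolv_conf: str, trusted=TRUSTED_RESOLVERS) -> list:
    """Resolvers the client was given that are not on the allowlist. A strict
    allowlist is deliberate: a pharmed router points clients at an address the
    owner never configured, so anything unknown is worth investigating."""
    return [srv for srv in parse_nameservers(resolv_conf) if srv not in trusted]


def divergent_answers(lookups: dict) -> dict:
    """Hostnames where the router-supplied resolver returned only addresses the
    trusted resolver never returned. A completely disjoint answer set is the
    pharming signal; partial overlap is ignored because CDN-backed names may
    legitimately rotate between several addresses."""
    suspicious = {}
    for host, answers in lookups.items():
        router_only = answers["router_dns"] - answers["trusted_dns"]
        overlap = answers["router_dns"] & answers["trusted_dns"]
        if router_only and not overlap:
            suspicious[host] = router_only
    return suspicious


if __name__ == "__main__":
    print("Unexpected resolvers:", unexpected_resolvers(SAMPLE_RESOLV_CONF))
    print("Divergent answers:", divergent_answers(SAMPLE_LOOKUPS))
```

On a real client you would feed `parse_nameservers` the actual resolv.conf (or the DHCP lease file) and fill `SAMPLE_LOOKUPS` from queries sent explicitly to each resolver, for example with `dig @203.0.113.45 online.bank.example` and the same query against a trusted resolver. A hit in either check is a reason to log into the router and inspect its DNS and DHCP settings, not proof on its own.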

This is a sample email that starts it all:

(Image: phish-pharm-1, the sample phishing email.)

Moral of the story? Change your default admin passwords (this is also required for PCI compliance).

Contact us if you need help.

Subscribe with us if you want to learn more of what all this means.

Learn Ethical Hacking to test your routers and more
