Yes, another slightly new style of attack:
There are a couple of new twists in this hacker-style attack.
Proofpoint found the attack (as a spam-protection company they see all kinds of emails): https://www.proofpoint.com/us/threat-insight/post/Phish-Pharm
Here is a definition of pharming: “Attackers use poisoned DNS servers to redirect address requests, usually for online banking sites, to a realistic but completely fraudulent site in order to harvest the online banking credentials of the unsuspecting end-user.”
The only way this works is to get the unsuspecting user to click on a fraudulent email, which then infects their router. Two router brands were targeted:
- UTStarcom (a Fortune 1000 company out of China) http://www.utstar.com/products/broadband-access/wireless-access (their broadband products could be white-labeled for many cable or other ISP companies)
- TP-Link (also a Chinese company) http://www.tp-link.us/ Looks like a DSL, Wi-Fi and 3G/4G router company. They also make power banks.
More than likely the hackers found a way past the default admin password, and once in the router they changed the DNS servers that it hands out to client systems.
So when your machine (mobile phone or computer) reconnects and asks for a DNS server address, it is now given the hacker’s DNS server.
And now that the hacker has your mobile device on his DNS servers?
Well, they will point you to his fake bank sites.
When you click on your “Commerce Bank” link, for example, you are not going to your bank but to a fake bank site built to steal your credentials.
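One way to check a client for the DNS change described above, as an added example that is not part of the original post or Proofpoint’s write-up: it reads the resolvers a machine was handed (a constructed resolv.conf and dhclient lease stand in for the real files) and flags any that are neither on your own LAN nor on a list of resolvers you chose. The LAN range, the trusted list and the 203.0.113.x addresses are assumptions made for the example.

```python
import ipaddress
import re

# Constructed /etc/resolv.conf as a client sees it after a hijacked router
# hands out attacker-controlled resolvers via DHCP. The 203.0.113.x
# addresses are RFC 5737 documentation placeholders, not real attacker IPs.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search home.lan
nameserver 203.0.113.10
nameserver 203.0.113.11
"""

# Constructed dhclient lease fragment for the same scenario.
SAMPLE_LEASE = """lease {
  interface "eth0";
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.10,203.0.113.11;
}
"""

# Assumed network: the router (a DNS forwarder) lives on this LAN, and these
# are the only public resolvers you deliberately configured.
LAN = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_RESOLVERS = {"1.1.1.1", "8.8.8.8"}


def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf content."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]


def resolvers_from_lease(text):
    """Return the domain-name-servers handed out in a dhclient lease."""
    m = re.search(r"option domain-name-servers\s+([^;]+);", text)
    return [s.strip() for s in m.group(1).split(",")] if m else []


def untrusted(resolvers, trusted=TRUSTED_RESOLVERS, lan=LAN):
    """Resolvers that are neither your router on the LAN nor one you chose.
    A public address you never configured is the signature of this attack."""
    return [a for a in resolvers
            if a not in trusted and ipaddress.ip_address(a) not in lan]


if __name__ == "__main__":
    for name, found in (("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
                        ("DHCP lease", resolvers_from_lease(SAMPLE_LEASE))):
        bad = untrusted(found)
        print(f"{name}: {found} -> {'HIJACK SUSPECTED ' + str(bad) if bad else 'ok'}")
```

On a real client, replace the constructed strings with the contents of /etc/resolv.conf and the dhclient lease file for the interface in question.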
This is a sample email that starts it all:
Moral of the story? Change your default admin passwords (also required for PCI compliance).
Contact us if you need help.
Subscribe with us if you want to learn more about what all this means.
Learn Ethical Hacking to test your routers and more