More than 100k devices were compromised in South America following a hijacking campaign. The attack targeted home routers and directly redirected Brazilian e-banking users to phishing web pages. The GhostDNS malware used in this attack has been named as GhostDNS that comes with limited history. The major targets were financial institutions like Banco do Brazil and Citibank along with Netflix and Avira antivirus software.
According to the research team of security firm Netlab, activities of GhostDNS malware was first seen on September 20th of this year, when a group of fresh scanners hijacked routers with vulnerable password or whose authentication process could be easily dodged. The malicious code took customers to fake simulated landing pages of major banks of South America, media outlets, telcos and ISPs.
An Insight into GhostDNS Malware
The malware is an amalgamation of complicated attack scripts, capable of hijacking router settings and swapping them with a substitute DNS service. From here, the codes take traffic to cloned yet malicious landing pages having all major online services and collects login details along with some vital credentials of users.
The GhostDNS system is made up of four components: DNSChanger module, Phishing Web module, Web Admin module and Rogue DNS module. Among them, the DNSChanger module is accountable for data collection and manipulation. The redirection service of DNS is called Rouge and is currently running on various renowned cloud hosting services like Google, Amazon, OVH, Telefonica and Oracle.
Among three languages, the most common is PyPhp (Python/PHP) version that has been installed on more than 100 servers, including to Google Cloud. It consists of Web API that regulates program, along with a scanner and an attack module that encompasses 69 attack scripts for 47 firmware and devices.
How Does It Work?
Now, coming to GhostDNS attack procedure, which is launched on four levels. First, the Web Admin System of this malware glance over the internet for vulnerable accounts and devices. Next, this step is followed by creation of fake landing page via DNSChanger and meanwhile, RougeDNS redirects users to phishing websites.
According to the experts of Netlab, hackers use remote access exploits to deliver the payload and it has the ability to launch more than 100 attack scripts to at least 80 routers at the same time. The intensity of GhostDNS attack depends on the number of vulnerable routers that can be fetched. Here, vulnerable routers are referred to DNS of routers that can be easily hacked.
Once the hacker has all credentials about your router, it creates a trap for users. Next time, when the user visits the bank online, it lands to a fake yet copied page of the bank and they end up losing all information and cash. But how can we avoid this situation?
Prevention Is Better Than Cure
This malware has the ability to completely disable online system, thanks to its various attack vectors and automatic adoption of the attack process. Therefore, it is recommended to upgrade your broadband connectivity and secure your router system by setting complicated passwords. Do not save your password online and do not set similar passwords for every account.
For now, Netlab has taken the case in their hands and are continuously providing inputs about this malware. The research firm is analyzing the progress along with its internal procedures and is in contact with various service providers for complete network shut down. Till then, it is advisable to continuously change your password, check whether your router’s default DNS server is changed and update your system’s security mechanism.
From banking details to personalized information, now everything is stored online. Losing data can definitely cost you for a lifetime and unfortunately, no one can stop hackers from exploiting your data. In such a scenario, all you must do is to adopt some precautionary steps in your lifestyle to avoid frauds and hacks. Do let us know about your thoughts on this GhostDNS malware in the comment section below.