Website driveby attacks on routers are alive and well. Here’s what to do

D-Link's DI-514 802.11b router. It was a perfectly cromulent router for its time... but those were dark days, friend, dark days indeed.

Website driveby attacks that try to boobytrap visitors’ routers are alive and well, according to antivirus provider Avast, which blocked more than 4.6 million of them in Brazil over a two-month span.

The attacks come from compromised websites or malicious ads that attempt to use cross-site request forgery attacks to change the domain name system settings of visitors’ routers. When successful, the malicious DNS settings redirect targets to websites that spoof Netflix and a host of banks. Over the first half of the year, Avast software detected more than 180,000 routers in Brazil that had hijacked DNS settings, the company reported.

The attacks work when routers use weak administrative passwords and are vulnerable to CSRF attacks. Attackers use the malicious DNS settings to phish passwords, display malicious ads inside legitimate webpages, or use a page visitor’s computer to mine cryptocurrencies.
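The drive-by succeeds because the victim's browser will send a settings-change request to the router's admin interface, carrying the browser's logged-in session or a default password, from whatever page the attacker controls. The following is an added example, not code from Avast or from any router vendor, of the checks a router's admin handler should apply before it accepts a DNS change: state-changing requests must be POST, must carry an Origin (or Referer) matching the admin interface's own origin, and must include a per-session anti-CSRF token that a third-party page cannot read. The trusted origin, device secret, session id and the `ads.example` origin are constructed assumptions.

```python
import hmac
from urllib.parse import urlsplit

# Constructed assumption: the router's admin interface is served from this
# single origin (scheme + host). Anything else is a cross-site request.
TRUSTED_ORIGINS = {"http://192.168.0.1"}


def csrf_token_for(session_id: str, secret: bytes) -> str:
    """Derive a per-session anti-CSRF token as HMAC(secret, session id).

    Deriving rather than storing the token keeps the check stateless; the
    secret must be random per device and never leave the router.
    """
    return hmac.new(secret, session_id.encode(), "sha256").hexdigest()


def request_origin(headers: dict) -> str:
    """Reduce the Origin (or, failing that, Referer) header to scheme://host."""
    raw = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(raw)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}"


def should_accept_settings_change(method, headers, form, session_id, secret):
    """Decide whether a DNS-settings change request may be applied.

    Returns (accepted, reason). Each of the three checks on its own would
    stop the drive-by: settings changes must be POST (a GET can be triggered
    by any image tag or link), must come from the admin UI's own origin, and
    must carry a token the attacking page has no way to obtain.
    """
    if method.upper() != "POST":
        return False, "settings changes must be POST, never GET"
    # A missing Origin/Referer is treated as cross-site: the conservative choice.
    if request_origin(headers) not in TRUSTED_ORIGINS:
        return False, "cross-origin request rejected"
    expected = csrf_token_for(session_id, secret)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid CSRF token"
    return True, "accepted"


if __name__ == "__main__":
    secret = b"constructed-device-secret"   # constructed; a real device uses a random per-unit secret
    sid = "session-42"                       # constructed session id
    good = {"Origin": "http://192.168.0.1"}
    bad = {"Origin": "http://ads.example"}   # constructed origin of a malicious ad
    form = {"dns1": "1.1.1.1", "csrf_token": csrf_token_for(sid, secret)}
    print(should_accept_settings_change("POST", good, form, sid, secret))
    print(should_accept_settings_change("POST", bad, form, sid, secret))
```

The origin comparison is done on the parsed scheme and host rather than by string prefix, so an origin such as `http://192.168.0.1.evil.example` does not pass. Note that the token check also defeats the weak-password half of the article's attack: even if the browser supplies a valid admin session, the attacker's page still cannot produce the token.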

Once a router is infected, the spoofing may be hard for some people to spot. The spoofed site will have www.netflix.com or other legitimate URLs in the browser address bar, and the logos on the page may appear identical. But thanks to the increased usage of transport layer security—the protocol that authenticates websites by putting HTTPS and a padlock in the URL—spoofing is usually easy for the trained eye to recognize. Impersonated HTTPS pages will not display the padlock. They are sometimes accompanied by a request to accept a self-signed certificate that the browser does not automatically trust.

Besides watching out for spoofed sites, people can protect themselves by keeping router firmware updated or, when updates are no longer available, replacing the router. Also key is ensuring that administrative passwords are strong. Periodically checking a router’s DNS settings is a good idea as well. It should either be blank or, better yet, use the freely available 1.1.1.1 server offered by content delivery network Cloudflare. Avast has more information on DNS hijacking here.
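The periodic DNS check recommended above can be scripted. Below is an added example, not part of the article or of Avast's tooling, that takes the resolver addresses as you would read them from the router's admin page (or from a client's resolv.conf) and classifies each one against an allowlist. The allowlist of 1.1.1.1 and 1.0.0.1 and the sample configurations are constructed assumptions. One caveat the code makes explicit: a client whose only nameserver is the router's LAN address (192.168.0.1 and the like) has learned nothing about the upstream resolver the router was set to use, so that case is reported as "forwarder" and the router's own settings page still has to be inspected.

```python
import ipaddress

# Constructed allowlist: the article's recommendation (Cloudflare's 1.1.1.1)
# plus its companion address. Replace with whatever resolver you chose.
ALLOWED_RESOLVERS = {"1.1.1.1", "1.0.0.1"}

# Addresses that mean "the router (or this host) forwards DNS"; they tell you
# nothing about the upstream resolver the router itself was configured with.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]


def parse_resolv_conf(text: str) -> list:
    """Extract nameserver addresses from resolv.conf-style text.

    Comments introduced by '#' or ';' are ignored, as are search/options lines.
    """
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(server: str, allowed=ALLOWED_RESOLVERS) -> str:
    """Classify one configured DNS server.

    allowed    - on the allowlist
    forwarder  - LAN/loopback address: inspect the router's own upstream setting
    unexpected - public address not on the allowlist: possible hijack
    malformed  - not an IP address at all
    """
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "malformed"
    if str(ip) in allowed:
        return "allowed"
    # Explicit network list rather than ip.is_private so documentation ranges
    # such as 203.0.113.0/24 are treated as public, like any other WAN address.
    if any(ip in net for net in LAN_NETWORKS):
        return "forwarder"
    return "unexpected"


def audit_resolvers(servers, allowed=ALLOWED_RESOLVERS) -> dict:
    """Map every configured server to its classification."""
    return {s: classify_resolver(s, allowed) for s in servers}


def suspicious_resolvers(servers, allowed=ALLOWED_RESOLVERS) -> list:
    """Servers that warrant a look: public addresses off the allowlist, or garbage.

    An empty list (a blank DNS setting) is acceptable, as the article notes.
    """
    return [s for s, c in audit_resolvers(servers, allowed).items()
            if c in ("unexpected", "malformed")]


# Constructed samples, not captured from any real device.
CLEAN_SAMPLE = "# constructed\nnameserver 1.1.1.1\nnameserver 1.0.0.1\n"
HIJACKED_SAMPLE = "nameserver 1.1.1.1\nnameserver 203.0.113.45 ; constructed rogue resolver\n"

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_SAMPLE), ("hijacked", HIJACKED_SAMPLE)):
        servers = parse_resolv_conf(text)
        print(name, audit_resolvers(servers), "->", suspicious_resolvers(servers))
```

Run it from a cron job or scheduled task against the resolver list you exported, and treat any "unexpected" entry as a reason to log in to the router directly, reset the DNS fields, and change the admin password. The hijack in the article leaves the first resolver alone in some cases, so the check looks at every entry rather than only the first.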

https://arstechnica.com/?p=1534969