Fraudsters redirect users' bank-related queries to phishing webpages and steal their banking login data by exploiting vulnerabilities in home routers, according to security researchers at Poland's Computer Emergency Response Team (CERT Polska).
Hackers use the software bugs to remotely modify the router's DNS settings. Every time users inside the network attempt to connect to an online banking service, they land on a fake banking page.
Scammers steal users' login data the moment they type their usernames, passwords and TANs (transaction authentication numbers) into the counterfeit login forms, which then forward the data to the legitimate bank but, most likely, modify the recipient's account and the amount of money. The transaction is then validated with the MTAN entered by the user. All this time, the entire transaction is forged. The result is unauthorized withdrawal from the victims' accounts.
Apparently, the attack only works with banking transactions originating from browsers, and not dedicated e-banking applications, because the latter would check the SSL certificate and fail.
This attack works no matter the device used to connect to the online banking accounts. The redirect is done at router level.
“The attack is possible due to several vulnerabilities in home routers that make DNS configuration susceptible to unauthorized remote modifications. The effects propagate to all users in local networks, regardless of hardware and system platform (provided they acquire DNS configuration from the router),” CERT Polska writes on its website.
How to prevent such attacks?
A blend of product manager and journalist with a pinch of e-threat analysis, Loredana writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair.