Simple iframe attack compromises SOHO routers

— 5:22 PM on February 27, 2015

The number of computing devices around us keeps growing as technology marches forward. Where once a household had a sole PC, today we find ourselves with multiple laptops, desktops, smartphones, and tablets. There is one other computing device in our home that is easy to forget about: the small office/home office (SOHO) router.

These devices have been growing more capable over time. Enthusiasts tend to buy their own routers, but most end users simply lease a unit from their ISP. A successful ISP can have thousands or more of identical routers distributed across a region or even a nation. Uniformity and mass market penetration are the hallmarks an attacker looks for to increase their chances of success.

Our story takes us to Brazil, where routers from UTStarcom and TP-Link were attacked as part of a pharming campaign. The attackers began e-mailing their victims using an e-mail format and name similar to Oi, the largest telecommunications company in Brazil. Oi distributes the aforementioned UTStarcom and TP-Link routers to their customers.

The end users who clicked the link in the phishing e-mail were sent to a website with malicious code contained within a hidden iframe. The malicious code uses nothing more than HTML to attempt to log into the router and change the DNS settings. Tools like NoScript can't protect you here, nor can your browser's same-origin policy: NoScript blocks scripts, and the same-origin policy only stops the attacker's page from reading the router's response. Neither stops the browser from sending a plain HTML form or image request to the router on the attacker's behalf.

The malicious HTML used these routers' default usernames and passwords to access the router config and change the primary DNS entry to the address of a server the attackers controlled. The secondary DNS server was set to Google's open DNS. Pointing the secondary DNS at Google ensured that, when the attackers pulled down their own malicious DNS server, the end users would still be able to resolve addresses. The users would have no red flag to signal any problem.
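Because the attack is a cross-site form submission that the browser sends with no JavaScript involved, the fix belongs on the router's admin interface: refuse a configuration change whose Origin (or Referer) is not the router itself, and require a per-session CSRF token that a page on another origin cannot read. The function below is an added example, not code from the article or from any router vendor; the router origins, the in-memory session store and the `csrf_token` field name are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origins under which the router's own admin pages are served (assumed values).
ROUTER_ORIGINS = {"http://192.168.1.1", "http://router.local"}

# session id -> CSRF token issued to that logged-in session (in-memory for the demo)
SESSIONS = {}


def issue_csrf_token(session_id):
    """Issue a fresh random token and bind it to the session."""
    token = secrets.token_hex(16)
    SESSIONS[session_id] = token
    return token


def _origin_of(header_value):
    """Reduce an Origin or Referer header to scheme://host[:port], or None."""
    if not header_value:
        return None
    parts = urlsplit(header_value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def is_trusted_config_change(session_id, headers, form):
    """Accept a DNS-settings change only if it came from the router's own UI.

    Both checks must pass:
    1. Origin (or, if absent, Referer) names one of the router's own origins.
       A form auto-submitted from a hidden iframe on a phishing page carries
       the phishing page's origin, which that page cannot alter. A request
       with neither header is refused, since a state change must be traceable.
    2. The form carries the CSRF token issued to this session. The same-origin
       policy stops the phishing page from reading the token, so it cannot
       include it, even though the browser will attach cookies or cached
       default HTTP credentials to the cross-site request itself.
    """
    origin = _origin_of(headers.get("Origin")) or _origin_of(headers.get("Referer"))
    if origin not in ROUTER_ORIGINS:
        return False
    expected = SESSIONS.get(session_id)
    supplied = form.get("csrf_token", "")
    if not expected:
        return False
    # Constant-time comparison so token guessing gains nothing from timing.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```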

The malicious DNS server had false records for major banking sites, and those records pointed the victims to web servers controlled by the attackers. The victims arrived at banking websites that looked much like their own, and the attackers then pharmed their personal information via a series of questions on the malicious sites.

Attacks on SOHO routers are becoming more common. You had the Misfortune Cookie exploit that is believed to have impacted as many as 12 million devices. The DDoS that hit PSN and Xbox Live during Christmas last year was carried out by an army of compromised routers. How about 250,000 routers in Spain with SSH enabled and identical public keys? All these Internet-connected devices are readily discoverable via the search engine SHODAN. So what can you do?

1. Make sure you change your default password.
2. Ideally, your password should come from a tool like KeePass, Dashlane, or others.
3. Make sure you stay on top of your firmware updates.
4. Consider an open source routing firmware, as those projects tend to receive better support.
