D-Link router users should pay special attention to security when browsing the Internet in the near future. According to specialists from Bitdefender, unpatched devices are the target of one of the latest DNS takeover campaigns. Criminals attack routers to manipulate their settings and, as a consequence, direct unsuspecting users to fake versions of websites.
The attack modifies the router's DNS settings, i.e. the configuration of the system that translates user-friendly Internet addresses (for example, google.com) into the corresponding IP addresses. Once false entries are introduced, a different page than expected is displayed even though the correct address was entered in text form. This is a slightly more advanced version of phishing which, depending on the method of implementation, is often called “pharming”.
In practice, if the attackers modify the router’s settings, the user may unknowingly visit fake versions of pages while using the Internet, even though the browser's address bar shows the correct address.
This can lead to further scams, for example when the attackers decide to redirect the victim to a crafted bank login page. There have been many such cases.
According to Bitdefender, the first evidence of attacks on D-Link routers appeared in late December last year. The affected devices were DSL models, including the D-Link DSL-2640B, D-Link DSL-2740R, D-Link DSL-2780B and D-Link DSL-526B, as the security researcher Troy Mursch pointed out.
The next wave of attacks was recorded in February 2019, and another in the second half of March. At that point the list of exposed routers was extended to ARG-W4, SSLink 260E, Secutech and TOTOLINK models. Depending on the case, the affected devices directed DNS queries to servers operated by the attackers in Canada or Russia.