D-Link Routers Hacked to Redirect Traffic to Malicious Websites

Over the past three months, a cybercriminal group has been hacking home routers—primarily D-Link models—by exploiting known firmware vulnerabilities. Once compromised, the attackers change the DNS server settings and redirect user traffic to malicious websites.

Targeted Router Models

According to experts at Bad Packets, who are monitoring the campaign, the affected router models include:

  • D-Link DSL-2640B
  • D-Link DSL-2740R
  • D-Link DSL-2780B
  • D-Link DSL-526B
  • ARG-W4 ADSL
  • DSLink 260E
  • Secutech devices
  • TOTOLINK devices

Researchers have observed three waves of attacks: at the end of December 2018, in early February 2019, and in late March 2019. As of writing, the campaign is still ongoing.

How the Attack Works

During these attacks, the cybercriminals replace the DNS server addresses configured on the router with the addresses of DNS servers they control. Because devices on a home network normally take their DNS settings from the router, every name lookup behind it is then answered by the attackers' servers, which can return the IP address of a malicious host in place of a popular website's real address. So far, researchers have identified four malicious DNS server addresses:

  • 66.70.173.48
  • 144.217.191.145
  • 195.128.126.165
  • 195.128.124.131

While experts have not yet determined exactly which legitimate websites are being spoofed, they found that most DNS requests sent to the rogue servers are answered with one of two IP addresses. One belongs to a Bulgarian hosting provider previously linked to malicious campaigns, and the other is associated with a domain parking monetization service.

Recommendations for Router Owners

Experts recommend that router owners update their device firmware and check their DNS settings for any unauthorized changes. In practice that means logging in to the router's administration interface, confirming that the DNS server entries are the ones assigned by your ISP or set by you, and treating any entry that matches one of the four addresses listed above as a sign of compromise. Note that a firmware update closes the vulnerability but may not undo a DNS setting the attackers have already changed, so check the settings regardless.
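The hijack described under "How the Attack Works" and the settings check recommended here, as an added example that is not part of the article or of Bad Packets' work: a small Python DNS client that builds an A query, forges the reply a rogue resolver would return, parses it, and reports the indicators worth acting on. The rogue server list is the one from the article; the resolver addresses, domain names and sink IP used in simulate() are constructed for the example, and query_a() is the only function that touches the network.

```python
# Added example (not from the article or Bad Packets): a small DNS client that
# shows what a router-level DNS hijack looks like on the wire and checks a
# router's configuration and answers for the indicators described above.
import ipaddress
import random
import socket
import struct
from collections import Counter

# The four rogue DNS server addresses reported in the campaign.
ROGUE_DNS_SERVERS = {
    "66.70.173.48", "144.217.191.145", "195.128.126.165", "195.128.124.131",
}


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query for an A record (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_a_response(query: bytes, ips: list[str], ttl: int = 60) -> bytes:
    """Forge the reply a rogue resolver sends: same ID and question, A records to `ips`."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1, RD, RA
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_answers(msg: bytes) -> list[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return ips


def query_a(server: str, name: str, timeout: float = 3.0) -> list[str]:
    """Send a live UDP query to `server` and return its A records (needs network access)."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("transaction ID mismatch")
    return parse_a_answers(data)


def hijack_indicators(configured_dns, router_answers, trusted_answers) -> dict:
    """configured_dns: resolvers the router hands out (admin page or DHCP lease).
    router_answers / trusted_answers: {domain: [ips]} as seen via the router and via
    a resolver you trust. Returns the three indicators worth acting on."""
    mismatched = [
        d for d, good in trusted_answers.items()
        if router_answers.get(d) and set(router_answers[d]).isdisjoint(good)
    ]
    # Unrelated names collapsing onto one address is the pattern Bad Packets described.
    hits = Counter(ip for ips in router_answers.values() for ip in ips)
    return {
        "rogue_servers": sorted(set(configured_dns) & ROGUE_DNS_SERVERS),
        "mismatched_domains": mismatched,
        "sinkholes": sorted(ip for ip, n in hits.items() if n >= 2),
    }


def simulate() -> dict:
    """Constructed scenario: the router hands out one rogue resolver that sinkholes every name."""
    sink = "203.0.113.5"  # constructed sink address (TEST-NET-3), not one from the article
    trusted = {"bank.example": ["198.51.100.10"], "shop.example": ["198.51.100.20"]}
    via_router = {}
    for name in trusted:
        reply = build_a_response(build_a_query(name), [sink])  # what the rogue server answers
        via_router[name] = parse_a_answers(reply)
    return hijack_indicators(["66.70.173.48", "192.168.1.1"], via_router, trusted)


if __name__ == "__main__":
    print(simulate())
```

Two caveats when running this against a real router. A mismatch between the router's answer and a trusted resolver's answer is a weak signal on its own, since CDNs legitimately return different addresses by region; the strong signals are a configured resolver that matches the indicator list and many unrelated names collapsing onto the same address. The client also speaks only plain UDP without EDNS, which is enough for A lookups but will truncate large responses.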

What Is Domain Parking?

Domain parking is the practice of registering a domain name and pointing it at a parking service's name servers instead of at a real website. The parking service serves a placeholder page, usually filled with advertisements, and shares the advertising revenue with the domain owner, so a domain can be held for future use while earning money. The fact that one of the two destination addresses in this campaign belongs to such a service suggests that part of the hijacked traffic is being sent to ad-filled parking pages for profit.
