2Wire Modem DNS Poisoning Attack Returns to Mexico
On January 13, 2008, I published an article warning owners of certain 2Wire branded DSL modems about a DNS poisoning attack that was ongoing against Mexican banking customers. That attack took advantage of the unfortunate fact that many DSL Internet customers who receive 2Wire modems have never created a unique administrator password to protect their modems from scripted attacks. In the January attacks, spam email messages were sent specifically to Mexican DSL customers, pretending to contain a link to a video that would be of interest to those recipients. Unbeknownst to the recipients, merely opening one of these messages ran a script that targeted 2Wire modems with code that changed the destination of the Banamex online banking URL.
In my January article about this DNS poisoning attack I strongly recommended that all owners of these and other broadband modems immediately set up a unique password for the Administrator login on those modems. I also urged them to disable Remote Administration. I should add disabling UPnP to the list of options that will help secure these modems. Apparently, not enough users read and heeded my advice, because I have just learned that a second round of spam attacks has been launched against the very same people, using the same bank in Mexico!
The new round of attacks that is currently underway is again arriving via spammed email messages. This time, though, the email messages are disguised to trick users into thinking that they have received an e-card from Gusanito.com, a popular Mexican eCard Web site. Once a user clicks on the link where the supposed postcard can be viewed, he or she is directed to a spoofed Gusanito page. That web page loads a couple of Flash controls, including a malicious one that modifies the 2Wire modem's local host table. This routine effectively redirects users to a fraudulent site whenever they attempt to access pages related to Banamex.com. Because the spoofed pages so closely resemble the real bank's website, most users wouldn't realize that they were being scammed until they tried to pay a bill or withdraw money and found that it was no longer in their bank accounts.
This DNS poisoning/phishing technique has a name: "Drive-by Pharming." It is now proving to be a successful attack vector and will certainly be deployed against 2Wire modem users in other countries. I again strongly urge broadband modem users to secure their modems by creating a good, personal Administrator password, plus disabling unnecessary, exploitable services like remote administration and UPnP. Read my previous article about the exploitation of 2Wire modems and apply the pointers in it to reset and secure your modems.
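A defensive check that follows from the above, added here as an example and not part of the original post: ask the modem's own DNS forwarder for the bank's hostname and compare its answer with an independent resolver; any address the gateway returns that the reference resolver does not is worth investigating. Assumptions: 192.168.1.254 as the 2Wire LAN address, 8.8.8.8 as the reference resolver, and www.banamex.com as the hostname.

```python
import random
import socket
import struct

def build_query(name, txid):
    """Minimal DNS A/IN query in RFC 1035 wire format, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Offset just past a domain name; a 0xC0 pointer is 2 bytes and ends it."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_a_records(msg, txid):
    """IPv4 addresses in the answer section; rejects mismatched or error replies."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("no usable DNS response")
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        off = _skip_name(msg, off) + 4
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_a(name, server, timeout=3.0):
    """Query one specific resolver (e.g. the gateway's LAN address) over UDP/53."""
    txid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data, txid)

def check_gateway(name="www.banamex.com", gateway="192.168.1.254", reference="8.8.8.8"):
    """Assumed defaults: a common 2Wire LAN address; 8.8.8.8 only as a reference.
    Returns the addresses the gateway hands out that the reference does not."""
    return resolve_a(name, gateway) - resolve_a(name, reference)
```

A non-empty result is a signal, not proof: sites served from a CDN can legitimately answer differently per resolver, so confirm against the modem's configuration page before acting.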
This new threat was reported by Trend Micro on their security alert blog. Trend Micro detects the malicious .SWF file as SWF_ADHIJACK.D, and all related malicious URLs have been blocked by Trend Micro Web Threat Protection.