10-13-2009, 01:17 PM
In a recent security alert, found on several high profile security websites, it has been revealed that hackers, in parts unknown, are exploiting vulnerabilities in certain models of the 2Wire brand of DSL modems, to steal bank accounts - in Mexico. These modems are also in use in the US, so don't get smug about this happening in Mexico only. That is probably a test run by the hackers, before hitting the US based modems.
The modus operandi of this attack begins with a spammed email that is rigged with hidden codes that are embedded in an image tag, plus a link to view a hostile video, where another piece of malware will try to install itself (TROJ_QHOST.FX). People who don't have the targeted modem won't be affected directly by these codes - this time. On the other hand, people who do have these modems and have not created a personal password for the modem's administrator login will have these hidden codes passed directly to it. The codes will poison the DNS entry for banamex.com, which is the largest bank in Mexico. This DNS poisoning will automatically redirect all requests for banamex.com to a look-alike phishing website, where, when people log in to their account, that login information will be added to the database owned by the criminals behind this exploit. These people will have their accounts emptied, unless they realize that they've been duped before the hackers get to their money (not likely).
Because this attack involves poisoning the DNS entries for the bank's website, in the modem itself, even typing banamex.com — which is the legitimate, fully-qualified domain name for this bank — leads to the fraudulent site instead. This is the same type of exploit that occurs when spyware poisons a computer's HOSTS file, to redirect specific requests to a hostile address. This exploit occurs invisibly for users of the affected modems who have not changed the default administrator password, which is null (none set). If they have created a personal password this exploit will fail. About 2 million of the affected modems have been shipped to customers in Mexico, all without an administrator password set. It is up to the recipients to create an administrator password.
That was posted on my site by one of my members and I'm not sure where exactly he got it from. But, thought I would share this with this community.
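The post compares the modem's poisoned DNS entry to a poisoned HOSTS file: in both cases the correct name is typed, but the answer points somewhere else. The script below is an added example (not part of the original post or the alert it quotes) showing the two offline checks a defender can run to catch this class of redirection: scanning a HOSTS-style file for any entry that overrides a watched financial domain, and comparing the answers a local resolver (such as the modem) gives against an independent reference resolver. The watch-list, the sample hosts file and the resolver answer sets are all constructed for the example, using documentation-only IP ranges.

```python
"""Detect local DNS overrides of watched (financial) domains.

Added example, not from the original post. Two offline checks:
  1. find_hosts_overrides: flag HOSTS-file entries for watched domains.
  2. resolver_mismatches: flag domains where the local resolver's answers
     share nothing with an independent reference resolver's answers.
All data below is constructed; 192.0.2.0/24, 198.51.100.0/24 and
203.0.113.0/24 are documentation ranges, not real hosts.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed watch-list: domains that should never appear in a hosts file
# and whose resolution should match an independent resolver.
WATCHED_DOMAINS = {"banamex.com"}


def _watched(name: str, watched: Set[str]) -> bool:
    """True if name is a watched domain or a subdomain of one."""
    n = name.lower().rstrip(".")
    return n in watched or any(n.endswith("." + w) for w in watched)


def find_hosts_overrides(hosts_text: str,
                         watched: Set[str] = WATCHED_DOMAINS) -> List[Tuple[str, str, int]]:
    """Return (hostname, ip, line_no) for each hosts entry naming a watched
    domain. Any such entry is anomalous: a bank's name has no business being
    pinned locally, whatever address it points to."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)  # skip malformed lines
        except ValueError:
            continue
        for name in names:
            if _watched(name, watched):
                hits.append((name.lower().rstrip("."), ip, line_no))
    return hits


def resolver_mismatches(local: Dict[str, Set[str]],
                        reference: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Compare per-domain answer sets from the local resolver against a
    reference resolver. A domain is reported when the two sets are disjoint.
    This is a heuristic: load-balanced names can legitimately return
    different addresses, so treat a hit as a prompt to investigate."""
    bad = {}
    for domain, local_answers in local.items():
        ref = reference.get(domain)
        if ref is not None and not (local_answers & ref):
            bad[domain] = (local_answers, ref)
    return bad


# Constructed sample hosts file with one injected override on line 4.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
203.0.113.5 banamex.com www.banamex.com   # injected override
192.0.2.10  intranet.example
not-an-ip   banamex.com                   # malformed, ignored
"""

# Constructed resolver answers: the local resolver (the modem) disagrees
# with the reference resolver on banamex.com but overlaps on example.com.
SAMPLE_LOCAL = {
    "banamex.com": {"203.0.113.5"},
    "example.com": {"198.51.100.7", "198.51.100.8"},
}
SAMPLE_REFERENCE = {
    "banamex.com": {"198.51.100.20"},
    "example.com": {"198.51.100.8"},
}


if __name__ == "__main__":
    for host, ip, line_no in find_hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: watched domain {host} pinned to {ip}")
    for domain, (loc, ref) in resolver_mismatches(SAMPLE_LOCAL, SAMPLE_REFERENCE).items():
        print(f"resolver mismatch for {domain}: local={sorted(loc)} reference={sorted(ref)}")
```

In practice the hosts text would come from `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`, and the two answer dictionaries from querying the default resolver and an external one with a DNS library; the comparison logic is the same. A mismatch on a bank domain is exactly the symptom the post describes: the name is right, the answer is not.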