New Router Exploit Is Dangerous, but Easy to Fix

Much as you should never use "password" as your password for anything, you should also never install a networked device and keep its default login credentials. A new scam targeting routers given to customers by a Brazilian Internet service provider (ISP) strings together a number of known vulnerabilities into a surprisingly effective attack, but a simple security precaution can prevent the whole thing from occurring.

Proofpoint, a Sunnyvale, California-based security company, put up a blog post yesterday (Feb. 26) about the scam, which is not entirely new. The evil minds behind the router attack tried the same thing back in September, but used porn as a lure back then. This time around, the initial phishing email masquerades as a warning from the user's ISP. (This may mean Internet access is more important than sex.)


Here's how the exploit works: Users receive an e-mail that's supposedly from Oi, Brazil's largest ISP (the name means "Hi" in Portuguese). The message tells users that their subscriptions have expired, that they owe money to Oi and that clicking a link in the body of the message will ensure continued access.

A simple phishing scam would use this opportunity to grab a user's financial information, but this attack is considerably more sophisticated. When a user clicks the link, it takes him or her to a facsimile of an Oi webpage that opens up an invisible iframe (a hidden frame that loads a second page inside the first) and runs a malicious script.

The script targets routers made by UTStarcom and TP-Link, which have known flaws that let a script loaded from one Web domain send requests to pages on another. The script navigates to the router's management pages, often found at the router's local IP address, such as 192.168.1.1/admin, then runs through a list of known default administrative usernames and passwords to log into the router's administrative dashboard.

If the targeted user has never changed his router's default administrative credentials — and if he's already clicked on a link in a phishing email, he's the type that probably hasn't — then the script takes over the router and changes its DNS (Domain Name System) settings from the ISP's DNS server to a DNS server controlled by criminals. 

DNS servers are the phone books of the Internet. They translate the domain names that humans read, such as "www.tomsguide.com", into the Internet Protocol (IP) addresses that computers read, such as "54.69.234.189". The whole arrangement depends on the DNS server telling the truth, however, and most routers simply trust whichever server they have been configured to use.

A malicious DNS server could lie: it could take a browser request for "www.tomsguide.com" and send it to a different IP address, such as "8.8.8.8", which could in turn be a malicious website. Once the attacker controls the DNS server, he can use it to get almost any kind of personal or financial information by sending the victim to fake pages for banks or social-media sites.
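A practical way to find out whether the resolver a router hands out is lying is to ask it and a trusted resolver the same question and compare the answers. As an added example (written for this article, using only the Python standard library, and not part of Proofpoint's post or any router's software), the code below builds a minimal DNS A-record query, parses the reply including RFC 1035 name compression, and reports a mismatch between the two answer sets. The domain name and resolver addresses on the command line, and the reply bytes in the test, are constructed inputs.

```python
import socket
import struct
import sys

DNS_PORT = 53


def build_query(name, txid=0x1234):
    """Serialise a standard recursive A query for `name` (QTYPE=A, QCLASS=IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def _read_name(data, offset):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_a_records(data, expected_txid=0x1234):
    """Return the IPv4 addresses in the answer section of a DNS reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):                          # skip the echoed question
        _, offset = _read_name(data, offset)
        offset += 4                                   # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return ips


def resolve(name, server, timeout=3.0):
    """Send one UDP query to `server` and return the A records it answers with."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, DNS_PORT))
        reply, _ = sock.recvfrom(512)
    return parse_a_records(reply)


def hijack_verdict(trusted_ips, router_ips):
    """Compare answers from a trusted resolver and the router-assigned one."""
    trusted, router = set(trusted_ips), set(router_ips)
    if not router:
        return "no answer from router resolver"
    if router & trusted:
        return "consistent"
    # Large sites rotate addresses, so a disjoint set is a signal to investigate,
    # not proof on its own; repeat for a few domains (banks especially).
    return "MISMATCH: router resolver returned " + ", ".join(sorted(router))


if __name__ == "__main__":
    # Usage: python dnscheck.py www.example.com <router-dns-ip> <trusted-dns-ip>
    name, router_dns, trusted_dns = sys.argv[1], sys.argv[2], sys.argv[3]
    print(hijack_verdict(resolve(name, trusted_dns), resolve(name, router_dns)))
```

The router-assigned resolver address is the one shown in the computer's network settings (or on the router's status page); the trusted resolver is whichever public or ISP resolver you already know to be legitimate. A hijacked router shows up as a persistent mismatch for the domains the criminals care about, while everything else resolves normally, which is exactly why the victim does not notice.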

Many people would assume their computer to be the weak link in a security chain, not their router. It's easy to reset a compromised router to use the correct DNS settings, but you'd have to know your router was compromised in the first place, and by that time, it would probably be too late.

Your best recourse is instead to take a few minutes and change your router's administrative login information. Router Passwords lists default usernames, passwords and security protocols for popular routers around the world, and if yours is on this list, you need to change those credentials ASAP. The manufacturer's webpage will tell you how to do so.

So far, this attack seems to have happened only in Brazil and to have targeted fewer than 100 people. But while each part of the process is simple to avoid, it's a rather clever exploit overall. Taking prophylactic measures with your router could be a lifesaver should this method of attack ever catch on in the rest of the world.

Marshall Honorof is a Staff Writer for Tom's Guide. Contact him at mhonorof@tomsguide.com. Follow him @marshallhonorof. Follow us @tomsguide, on Facebook and on Google+.