Millions of Brazilian Internet users fell victim to an attack that broke into DSL (broadband) modems and changed their settings, so that visits to Google or Facebook, for example, were redirected to fake websites. These pages, in turn, infect the PC with malware capable of stealing bank details.
The attack infected more than 4.5 million DSL modems, said Fabio Assolini, a malware analyst at Kaspersky Lab in Brazil, in a post on the company's blog.
The vulnerability exploited by the attackers allows a simple script to steal passwords and remotely access the modems' configuration. The change meant that, when entering a site such as www.meubanco.com.br, Internet users ended up on a cloned site, which injects malicious code into the system.
"This scam, in action since 2011, exploits a firmware vulnerability, two malicious scripts and 40 malicious DNS servers. It affects six hardware manufacturers, resulting in millions of Brazilian Internet users falling victim to a sustained and silent mass attack," says Assolini.
Perfect Storm
The expert said that the mass attack was the result of a "perfect storm" caused by omissions on the part of a range of parties, including providers, modem manufacturers and Anatel, the agency that approves network devices but does not test the security of any of the modems (although such verification is not among the agency's assigned duties).
It is still unclear which modem manufacturers and models are susceptible to the attack. Assolini explains that the vulnerability, disclosed in early 2011, appears to be caused by a chipset driver in modems that use Broadcom hardware.
The expert does not know exactly when, but attackers began successfully exploiting the flaw against millions of Brazilian modems. Besides pointing the devices to malicious DNS servers, they also changed the devices' passwords to make it harder for victims to undo the change.
Image caption: Cloned Facebook site asks the user to install a malicious plugin
The attacks were recorded on modems from six manufacturers, five of which are popular in Brazil. "The negligence of manufacturers and providers and the ignorance of official government bodies created a 'perfect storm', allowing cybercriminals to attack at will," the expert wrote.
Just one of the 40 DNS servers used in the attack, most of them located outside the country, showed that more than 14 thousand victims had accessed it. Assolini showed an online conversation in which one of the attackers said he had earned "more than 100,000 reais" and would use the money to travel to Rio de Janeiro in the company of prostitutes.
Protection
Because the attack targets modems, there is not much the average user can do to avoid it. One tip is to update the device's firmware; for that, see the instructions in the manual. If you suspect you are visiting a cloned site (for example, Facebook or Google asks you to install a plugin), find out how to reset the modem to factory settings.
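A check that complements the advice above, added here as an illustration and not taken from the Kaspersky post: it flags DNS servers, on the PC and in the modem's own settings, that fall outside the ranges the provider is known to operate. The resolver ranges, the sample resolv.conf text and the modem values are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Assumption: ranges the provider really uses for its resolvers (placeholder values).
EXPECTED_RESOLVERS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "2001:db8:53::/48")]
# Addresses that only mean "the modem or this host forwards DNS"; they prove nothing alone.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def parse_nameservers(resolv_conf_text):
    """Return nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def classify(server):
    """Label one resolver: expected, local-forwarder, unexpected or invalid."""
    try:
        addr = ipaddress.ip_address(server.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return "invalid"
    if any(addr in net for net in EXPECTED_RESOLVERS):
        return "expected"
    if any(addr in net for net in LOCAL_NETS):
        return "local-forwarder"
    return "unexpected"

def audit(resolv_conf_text, modem_dns):
    """Classify the PC's resolvers and the DNS servers set in the modem itself."""
    findings = [("client", s, classify(s)) for s in parse_nameservers(resolv_conf_text)]
    findings += [("modem", s, classify(s)) for s in modem_dns]
    return findings

def is_suspicious(findings):
    """True when any resolver is outside both the expected and the local ranges."""
    return any(verdict in ("unexpected", "invalid") for _, _, verdict in findings)

# Constructed sample: the PC only sees the modem, so the modem's settings matter most.
SAMPLE_RESOLV = "# constructed sample\nnameserver 192.168.1.1  # modem LAN address\n"
SAMPLE_MODEM_DNS = ["198.51.100.7", "192.0.2.5"]  # as copied from the modem status page

if __name__ == "__main__":
    for source, server, verdict in audit(SAMPLE_RESOLV, SAMPLE_MODEM_DNS):
        print(f"{source:6} {server:15} {verdict}")
```

A PC that lists only the modem's LAN address looks clean on its own, which is why the DNS servers configured in the modem are passed in separately.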