Just by visiting a compromised site, the victim is redirected to a router exploit kit landing page, initiating the attack on their router automatically, without user interaction, in the background. Avast frequently observes malvertising infections on local websites that host adult content, illegal movies and sports.
The same rouge DNS servers 195128.124131 and 195.128.126165 detected by honeypots were also spotted in other GhostDNS campaigns this year.ĭNS hijacking leading to phishing attacksĪ router CSRF attack is typically initiated when the user visits a compromised website with malicious advertising (malvertising), which is served using third party ad networks to the site. The threat actors behind GhostDNS are trying to increase their attack success rate by scanning routers’ IP addresses via public mass scans. According to Netlab360, GhostDNS consists of a complex system with a phishing web system, web admin system, and rogue DNS system. The GhostDNS variant Novidade attempted to infect Avast users’ routers over 2.6 million times in February alone and was spread via three campaigns. The GhostDNS exploit kit is very popular in many parts of the global underground hacking scene and some of its variants belong to the most active exploit kits targeting routers in 2019. So far in 2019, Avast has stopped more than 70,000 GhostDNS attacks. Known router exploit kits used to attack routers include GhostDNS, Novidade, and in April 2019, Avast discovered SonarDNS. Earlier in the year, the Federal government agency Australian Cyber Security Centre (ACSC) made an announcement that it is aware of a global Domain Name System (DNS) infrastructure hijacking campaign and released a statement outlining best practices for how organisations can protect their systems.Ĭybercriminals use cross-site request forgery (CSRF) attacks to carry out commands without the users’ knowledge, in this case to silently modify the users’ DNS settings to perform phishing and crypto-mining attacks, or attacks via malicious ads.
0 kommentar(er)
