Can a D-Link router vulnerability threaten bank customers?

A D-Link router vulnerability was used to send banking users to a fake site in order to steal their information. Learn more about this vulnerability with expert Judith Myerson.

Researchers at cybersecurity vendor Radware Ltd. discovered hackers using a D-Link router vulnerability to send users to a fake banking site in order to steal their credentials. What is this vulnerability and how did it enable attackers to direct victims to malicious sites?

Researchers at the Radware Threat Research Center recently found attackers exploiting a D-Link router vulnerability to send users to a fake banking site in order to steal their credentials.

The vulnerability is a lack of authentication that lets an attacker change the domain name system (DNS) server settings in the victim's router. Because the underlying flaws are two years old, an attacker can make these remote changes on unpatched routers without alerting the victim.

During this attack, the victim manually types a URL into any browser on a phone or tablet and is redirected to the fake bank site, even though the URL in the browser's address bar is unchanged. The D-Link router vulnerability affects routers that have not been updated in the two years since the issue was originally found. Vulnerable routers that allow unauthenticated remote DNS changes include:

  • Shuttle Tech ADSL Modem-Router 915 WM;
  • D-Link DSL-2740R;
  • D-Link DSL-2640B;
  • D-Link DSL-2780B Dlink_1.01.14; and
  • D-Link DSL-526B ADSL2+ AU_2.01.

Another D-Link router vulnerability enables an attacker to bypass authentication, but only the D-Link DSL-2730B AU_2.01 router model is vulnerable to this attack.

This past summer, the attackers changed the malicious DNS server's IP address to 198.50.222.136 and used it to resolve the Banco do Brasil hostname to a fake website. The fake site presented a self-signed certificate with a start date of Aug. 1, 2018, as the Radware researchers showed in their report:

$ curl -vk https://198.50.222.136/pbb/web/
* Server certificate:
*  subject: CN=WIN-EKNRP3TTHAF
*  start date:  Aug   1  19:36:40  2018  GMT
Content-Type:  text/html
Last-Modified:  Fri,  04 May  2018  00:36:26  GMT

After trying to access accounts through the fake website, victims are prompted for their bank agency number, account number and eight-digit PIN. The fake website then asks for a mobile phone number, a card PIN and a CABB number.

With this vulnerability, if the victim enters an unsecured URL -- specifically, any URL starting with http:// instead of https:// -- the browser does not warn that the connection is insecure, because the fake website accepts unsecured connections. If the victim instead enters https://, requesting the secured HTTPS protocol, the fake website either takes over the secured connection or ignores it.
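The two observable symptoms described above (the router's resolver answering differently from a trusted one, and a self-signed certificate whose CN does not name the bank) can be checked from a client. The script below is an added example, not code from the article or the Radware report; the bank hostname, the trusted resolver's answer and the helper names are assumptions, while the rogue IP and certificate CN are the values quoted in the curl output.

```python
"""Offline check for the router DNS-hijack pattern described in the article.
Sample answers and certificate fields are constructed to mirror its description."""
import ipaddress
import socket
import ssl

def hijacked_answers(router_answers, trusted_answers):
    """IPs returned by the router-supplied resolver that a trusted resolver never
    returns for the same name. For a bank, any such IP is suspicious."""
    router = {ipaddress.ip_address(a) for a in router_answers}
    trusted = {ipaddress.ip_address(a) for a in trusted_answers}
    return sorted(str(ip) for ip in router - trusted)

def cert_red_flags(hostname, subject_cn, issuer_cn):
    """Traits of the fake site's certificate: self-signed (subject equals issuer)
    and a CN that does not name the requested hostname."""
    flags = []
    if subject_cn == issuer_cn:
        flags.append("self-signed certificate")
    if subject_cn.lower() != hostname.lower():
        flags.append("CN %r does not match %r" % (subject_cn, hostname))
    return flags

def assess(hostname, router_answers, trusted_answers, subject_cn, issuer_cn):
    """Combine both checks into one verdict for a hostname."""
    findings = []
    rogue = hijacked_answers(router_answers, trusted_answers)
    if rogue:
        findings.append("resolver disagreement, router-only IPs: " + ", ".join(rogue))
    findings.extend(cert_red_flags(hostname, subject_cn, issuer_cn))
    return {"hostname": hostname, "hijack_suspected": bool(findings), "findings": findings}

def live_cert_is_trusted(hostname, port=443, timeout=5):
    """Live helper (not used by the offline sample): True only if the host presents
    a certificate the system trust store accepts for this hostname."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return True
    except ssl.SSLCertVerificationError:
        return False

# Constructed sample: the router's resolver returns the rogue IP from the article,
# a trusted resolver returns a placeholder address from the documentation range,
# and the site presents the self-signed certificate quoted in the curl output.
SAMPLE = assess(
    "www.bank.example",                 # placeholder for the bank's hostname
    router_answers=["198.50.222.136"],
    trusted_answers=["203.0.113.10"],   # placeholder legitimate answer
    subject_cn="WIN-EKNRP3TTHAF",
    issuer_cn="WIN-EKNRP3TTHAF",
)
```

Run against a real router by replacing the sample lists with answers from the router's DNS server and from a resolver you trust; three findings on one hostname is the pattern the article describes.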
