February 26, 2015

In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims.

tp-link WDR4300Sunnyvale, Calif. based security firm Proofpoint said it recently detected a four-week spam campaign sent to a small number of organizations and targeting primarily Brazilian Internet users. The emails were made to look like they were sent by Brazil’s largest Internet service provider, alerting recipients about an unpaid bill. In reality, the missives contained a link designed to hack that same ISP’s router equipment.

According to Proofpoint, the link in the spam campaign led to a page that mimicked the telecom provider. The landing page included code that silently attempted to execute what’s known as a cross-site request forgery attack on known vulnerabilities in two types of routers, UT Starcom and TP-Link. The malicious page would then invoke hidden inline frames (also known as “iframes”) that try to log in to the administration page of the victim’s router using a list of known default credentials built into these devices.

If successful, the attacker’s script would modify the domain name system (DNS) settings on the victim’s router, adding the attacker’s own DNS server as the primary server while assigning the secondary DNS server to Google’s public DNS (8.8.8.8). Such a change would allow the attackers to hijack the victim’s traffic to any Web site, redirecting it away from the legitimate site to a look-alike page designed to siphon the victim’s credentials. In the event that the attacker’s DNS server was unresponsive for any reason, the victim’s router would still function normally.

The malicious script used by the spammers in this campaign tries multiple default multiple default credentials in a bid to hijack routers with factory-default settings. Image: Proofpoint.

The malicious script used by the spammers in this campaign tries multiple default credentials in a bid to hijack routers with factory-default settings. Image: Proofpoint.

The real danger of attacks like these is that they bypass antivirus and other security tools, and they are likely to go undetected by the victim for long periods of time.

“There is virtually no trace of this thing except for an email,” said Kevin Epstein, vice president of advanced security and governance at Proofpoint. “And even if your average user knows to look at his router’s DNS settings, he’s unlikely to notice anything wrong or even know what his normal DNS settings should be.”

Many modern routers have built-in defenses against such attacks (including countermeasures known as CSRF tokens), but new vulnerabilities in existing routers — even recent model routers — are constantly being uncovered. I asked Proofpoint whether such protections — or security improvements built into most modern browsers — would have stopped this attack. Their experts seemed to think not.

“The routers being attacked in our example were not so diligent and so were vulnerable to this attack,” Proofpoint’s lead analyst wrote in an email response to my question. “What you’re likely thinking of is the cross-origin policy, which is designed to prevent attacks similar (but not identical) to this one (it mostly focuses on javascript). In this case, iframes are permitted by default, so modern browsers (by design) will happily participate in the attack we documented.”

In any case, I hope it’s clear by now that leaving the default credentials in place on your router is merely inviting trouble. Last month, I wrote about how the botnet used to take down Sony and Microsoft‘s online gaming networks was built on the backs of hacked home routers that were all running factory-default administrative credentials.

If you haven’t changed the default credentials on your router, it’s time to do that. If you don’t know whether you’ve changed the default administrative credentials for your wired or wireless router, you probably haven’t. Pop on over to routerpasswords.com and look up the make and model of your router.

To see whether your credentials are the default, you’ll need to open up a browser and enter the numeric address of your router’s administration page. For most routers, this will be 192.168.1.1 or 192.168.0.1. This page lists the default internal address for most routers. If you have no luck there, here’s a decent tutorial that should help most users find this address. And check out my Tools for a Safer PC primer for more tips on how to beef up the security of your router and your Web browser.

Read more about this attack at Proofpoint’s blog post.


43 thoughts on “Spam Uses Default Passwords to Hack Routers

  1. Donald J Trump

    The factory-default administrative credentials on any home router needs to be changed to something using a base-64 encoding for the password. The use of some type of network intrusion detection should be built into each and every router sold on the market to warn people of unauthorized access.

    1. CooloutAC

      My router gets a failed log in attempt like every 5 minutes lol

    2. David Longenecker

      +1 for an IDS. Since most consumer routers don’t have one built-in, it’s not a bad idea to set up a stand-alone IDS. Even if it doesn’t detect the actual attack on the router, if you know what DNS you *expect* clients to use, you can flag attempts to use some other DNS. That’ll catch quite a few types of name service abuse attacks.

        1. CooloutAC

          I still don’t understand how an IDS is helpful for anyone. So maybe my 500 attempts a day is not normal. I’d still say the avg person is getting at least 100 attempts a day. Am I wrong? Do you really want 100 emails or logs a day? what is that going to do for you?

          I would go with an IPS, which just rejects traffic instead of just logging it. Which really only commerical enterprise routers have, and not many home routers are capable. Some home routers do have firewalls which is essentially the same thing. But they are not as configurable.

          But something like SNORT which is constantly updated with new rules to defend against new attacks, and highly configurable, would be my choice. But you can’t put it on a home router. You would only be able to put it on a local machine. Or else buy an enterprise hub, but in a case like verizon fios, it has an ONT, and you also need their router in front for certain things like dvr, (as far as I know) so it wouldn’t make one bit of difference anyways.

  2. Patrick

    I actually “poisoned” my own DNS the other day to see what this was set up to do after. The page I found these exploits on, http://192 . 187 . 118 . 228/img.php, actually behaves a little differently than the one you describe. It sets the primary DNS to 134.19.176.13, and the secondary to 173.208.175.178.

    I made five cURL requests to Google, the New York Times, Wells Fargo’s online banking page, Ebay, and Viagra before and after the DNS switch. Maybe they ignore IPs outside of Brazil, or maybe you have to “register” with their botnet (I saw another link in the page, http://whos . amung . us/pingjs/?k=ke06092014&t=&c=t&y=&a=0&r=64110, that seems to possibly be for that purpose), but none of the five requests showed any changes.

    I’ll try to test this out again as I think of more; this is my first time doing anything like this. Fun stuff!

  3. B_Brodie

    There is no ‘administration page’ for apple routers. you must use the admin application for the specific model.

    If you have an older model but run the latest MacOS, you can google “AirPort Utility 5.6.1 Launcher” and look for information displayed at the website “http://coreyjmahler.com/”

    This allows new computers to update prior hardware versions. If you’re doing this, don’t respond to the request to update the AirPort Utility, or you won’t be able change your router settings.

    (It’s a feature, not a bug)

  4. Rosemary

    Hi Brian. An FYI, on the new Netgear routers you can change the password only. The username cannot be changed.

    1. Generic Router Statement

      That’s true of a lot of routers, both consumer and business oriented models.

    2. Sasparilla

      Saw this on my Netgear (default is admin for name) and you can’t change it – absolutely horrible as they’ve given the bad guys 1 out of the 2 things they need. At least we can turn off remote admin on the thing….

      Something I do now is have all my network equipment on a surge protector, which I switch off before I go to bed – that way they’re not out there to be “worked” on while I sleep and the other side of the world is awake. Limiting your exposure (timewise) is one way to reduce your vulnerable “surface” area.

    3. CooloutAC

      wow thats crazy. I use to have a netgear many years ago, but the model I had kept getting literally destroyed to the point it would just keep blinking on and off. No matter how many times I replaced it.

  5. am

    What do the less-than-savvy people who can barely handle e-mail do? Are there any really, really…really easy to understand resources for them? I talk to a lot of inexperienced and elderly people who have problems understanding computers in general, and I don’t even know how to explain the situation in a way they will understand, let alone how to fix it. (No disrespect to either group, they are both fierce and gifted at what they do, just not technologically speaking.)

    1. Dirgster

      I am one of those older generation-people who, at times, struggles to understand new technology. I use AT&T’s U-verse service that comes with an ARRIS modem/router. Are those particular routers protected through AT&T to keep you safe from hackers?

      1. pboss

        If anything, you may be worse off because you may not even be able to access the router settings.

      2. Sasparilla

        About 8 years ago, I had signed up for AT&T and was given their router – I checked on its firmware, it was old ,there was an actual exploit in the wild on it and an update existed.

        I could not update it and AT&T wouldn’t update it either…so back it (& the AT&T service) went…now such a thing would be viewed through the backdoor for the NSA lens (since they’ve worked hand in glove with them)…it was very discouraging.

        1. Bob

          You are fortunate that you had a choice of ISPs. I live in one of the 10 largest cities in the U.S. and less than half the people have a choice of ISPs, and none of the people who live in apartments have a choice.

      3. Eric

        Just two cents here with my own experience with AT&T. For several recent years I was appalled at the number of provided modem/routers with predictable ESSIDs and only WEP encryption! My most recent tech support for someone who had to replace their router I was pleased to see that not only are the provided one’s running WPA2, but the DEFAULT password, while physically on the side of the modem on a sticker, was a complex alpha/numeric/symbol chain in camel case. It seems that at least some of the providers are slowly catching up, but only with the newest of hardware.

  6. Keith R Warner

    Another “flashback to WaPo, Brian. Back then you showed a map of where guys drove around with laptops recording unsecured routers – thank you, this noob found my Verizon DSL router set to ADMIN / PASSWORD (and no mention of security on the slip of paper explaining “WEP”.

  7. DelilahPerez

    I fell for one of these phishing scams about ten years ago. I got an email that appealed to my intellect – the sender used big tech words that I understood, explaining that my bandwidth had been compromised and there was suspicious activity detected from my IP address. “Click on this link for instructions on how to remove the problem.” Ha. I did. It was a PDF file with a Trojan .exe file embedded into it. I got exactly what I deserved for being stupid, and it took me all weekend to reformat my hard drive and reinstall everything after discovering there was no easy way to remove this particular virus. I think I was an AVG or Norton customer at the time, can’t remember which one, but neither service was able to detect or do anything about removing this specific computer virus. I’m the person who educates other people and fixes their computers after they (or more often, their kids) do something stupid and end up with a virus infecting their computer. So it was damned funny that I fell for this stupid email scam.

    1. JCitizen

      Thanks for posting! Don’t feel bad, it seems the smartest among us can fall faster for cleverly couched scams, if we don’t count to 10 and think about it some more. I know I’ve pulled some real winners in the past!

      If you ever find yourself or a student in the same predicament, 9 times out of 10, using a Kaspersky Rescue Disc 10, or similar network capable Linux Live CD can get you to a legitimate sight in the PE or Linux environment to download TDDSKiller, and end any processes that may be of these types:

      Hidden service – a registry key that is hidden from standard listing;
      Blocked service – a registry key that cannot be opened by standard means;
      Hidden file – a file on the disk that is hidden from standard listing;
      Blocked file – a file on the disk that cannot be opened by standard means;
      Forged file – when read by standard means, the original content is returned instead of the actual one;
      Rootkit.Win32.BackBoot.gen – a suspected MBR infection with an unknown bootkit.

      Generally you want to quarantine and in the case of an MBR rootkit repair or restore the MBR as a selection in the mitigation process. I like to use a Hiren’s boot CD(USB) device with many tools on board and MBAM’s anti-root kit, as it seems to do a better job diverting damage done by backdoor gen type infections, that can be very malicious to attempts at removal.

      1. DelilahPerez

        Thank you, JCitizen. This is information I can put to use.

  8. DelilahPerez

    I should add that I realized almost instantly what had happened, because I had an (allegedly) tech background, and I was able to mitigate the damage the hacker might have otherwise caused. Literally in front of my eyes, warning messages were flashing on my computer screen about my router (it’s been so long, I forget exactly what those messages were). But it really is a legitimate question to ask: What about most people, who aren’t tech geeks?

    1. SeymourB

      Hopefully, if they’re good computer users, they hit the power switch and call someone knowledgeable.

      If they’re bad computer users, they try to act like nothing happened (AKA don’t know what happened it was like that when I got here, etc.).

      I once had a particular sales rep who (and this will date me) was notorious for plugging his phone line into his network card and, in the process, short out his network card. Every last time he played dumb. When you plug an RJ-11 (phone) into an RJ-45 (network) port it bends down the outer pins, so you know that’s what happened, but oh no, I certainly didn’t do that. It got to the point where we made him use an external network adapter to limit the amount of damage he did, then kept a number of them on hand so every time he came in we would just give him a different one (sometimes we could repair them, sometimes not), but we couldn’t do anything else since he was the son of one of the executives. This an illustration of why nepotism is usually a bad thing (though I’ve seen it work out fine).

  9. JCitizen

    It is good to read the new information in this part of the security battle; I know in the past it was common for me to find a client with a compromised Linksys or D-Link router that a malicious batch file had logged on to the router, and flashed the firmware with a subverted image. Talk about totally controlling the victim’s web world! Sheesh!

  10. Mike

    I would recommend using a dedicated server for routing and remove any store bought router from the network. It would be better to not use WiFi either.

    Nothing is completely invulnerable. Any thought of any device or action making a user 100% safe would be unrealistic. But, there are things to do and things to NOT do.

  11. Gavin

    Fascinating site. I was just informed today from company.. I used some time ago to purchase somethink. That they had someone trying to log into a ther forum. They sent me the I.P address 183.216.243.209. Ok they didnt do damage but the intent is ther. They obviously hacked me in some way. Isnt ther some way to report these online to some organisation? great site gives me some idea.s.But I religiously scan every day with two well known malaware software and anit virus etc had no effect anyway. thanks!

  12. S. Keeling

    Of course, my router fails to make that list. Made in China, for my cable provider. Perhaps that’s a good thing.

    1. Dave

      I’ve never seen any significant vulns on my routers (Draytek) either, but I’m never sure whether that’s because they’re reasonably good (Draytek do try and distinguish themselves through good engineering) or whether they’re obscure enough that the attackers don’t target them.

      1. CooloutAC

        They also don’t let you access admin settings with wireless, nor do they have a default username or password. Which is Very cool.

  13. Mike

    Ha, I’ve come across about 20 actiontec v1000’s compromised like this in the past three months. At first name resolution was just broken, but then I started seeing iPads and only iPads redirecting to porn sites and opening up fake app stores. Secondary DNS was a Netherlands address though. Primary was Russian. For whatever reason actiontec thought admin creds and no firewall was a good default setting for those modems. One thing I can’t be certain of, whether or not the initial attack was from a spam campaign. Interesting read, I had been wondering about this for some time.

    1. SeymourB

      Sometimes they get compromised through remote configuration/access services that are enabled by default, or enabled by users who don’t understand what they’re doing, other times it’s when a compromised system gets attached to the network and the botmaster scripts an attack against the router, still other times it’s an app that opens up port forwards in the router via uPNP that has a vulnerability that lets them accomplish the same thing on an otherwise uncompromised system. There are many ways to get in, and default credentials won’t hold an intruder back for very long at all.

  14. Fascist Nation

    Hummmmm. I would not have thought this possible. But I can now see the mechanism. I never bothered to change the default name/password since only someone breaking into my home had access to my wired network and therefor my router menu. But now perhaps I am wrong.

  15. Eirhost

    It just goes to show how difficult it is for non techie people to keep secure.

    There was a time when the default password as 0000 everywhere and I have to admit to not having a password on my router at all to save time when laptops were everywhere and I couldn’t be bothered giving out wifi passwords to visitors.

    Unfortunately those days are long gone

  16. John S

    Still amazes me how many stay with default passwords. I generally think people hate passwords and we know many they choose are not much better then the defaults. I wondered how long it would take before the focus was on network routers which are very common in people’s networks these days and many times have poorly managed passwords, lousy firmware and end users who don’t want to address these issues.

  17. Tim

    One does not have to be tech savvy to protect themselves. Users need only 1) Use a good passphrase strategy (phrases using periods, spaces or other special characters between words, sub some numbers for letters, and make them LOONNGG) for each device or net account, 2) – Never, ever click an email link but use pre-established browser bookmarks, and 3) Never respond to ‘urgent’ emails using contact information on that email. Call that special someone on the phone or go to their legitimate website for answers. If everyone did this for their personal business, we may not be having this discussion. As for business, management must know how much breaches cost in time, money, and reputation in terms they understand. $$$. Nothing else matters to an MBA or a CEO. No business wants to think of buying insurance after the fire because at that point, risk has just become an event. That’s where information security professionals need to do their job. If all we can tell management is ‘I told you so’, we’ll get blamed for not communicating the risk effectively which is really the case.

    One can think of more elaborate protections, but basic hygiene goes a long way. If it’s default, it’s your fault.

  18. frank kelly

    Went to install a new computer at a friend’s house today. Roadrunner (NYCAP) was just finishing installing a cable modem. The installer had no clue that the router had a userid and password or that they were separate from the wireless network ssid and password. The router username was admin and the password was “password”. Sigh.

    Knowing that I could go to 192.168.0.1 and change it but so-called end users aren’t going to know or do that. It wouldn’t take much for Roadrunner to implement reasonable security practices and modify the passwords to be unique for each user and leave a printed copy behind in case the user or the user’s tech person needs to get in.

    If national based companies like Roadrunner don’t implement security policies it’s hopeless to think that normal users will.

  19. JC

    Gee ,so thats why ive never been hacked in a decade!

    i constantly change passwords for my routers and reset them at random.

    lulsec,lizzardsquad,anon,HA!

    amateurs.

  20. Henry Halwell

    another backdoor article in router which is talk by nothing is secure we need a better way

Comments are closed.