
Hackers hijack 300,000-plus wireless routers, make malicious changes

Release time: 2014-03-04


    Researchers said they have uncovered yet another mass compromise of home and small-office wireless routers, this one being used to make malicious configuration changes to more than 300,000 devices made by D-Link, Micronet, Tenda, TP-Link, and others.


    The hackers appear to be using a variety of techniques to commandeer the devices and make changes to the domain name system (DNS) servers used to translate human-friendly domain names into the IP addresses computers use to locate their Web servers, according to a report published Monday by researchers from security firm Team Cymru. Likely hacks include a recently disclosed cross-site request forgery (CSRF) that allows attackers to inject a blank password into the Web interface of TP-Link routers. Other attack techniques may include one that allows wireless WPA/WPA2 passwords and other settings to be remotely changed.


    So far, the attacks have hijacked more than 300,000 routers in a wide range of countries, including Vietnam, India, Italy, Thailand, and Colombia. Each compromise has the potential to redirect virtually all connected end users to malicious websites that attempt to steal banking passwords or push booby-trapped software, the Team Cymru researchers warned. The campaign comes weeks after researchers from several unrelated organizations uncovered separate ongoing mass hacks of other routers, including a worm that hit thousands of Linksys routers and the exploit of a critical flaw in Asus routers that exposes the contents of hard drives connected by USB.


    Yet another recently discovered campaign targeting online bank customers in Poland worked in part by modifying home routers' DNS settings. In turn, the phony domain name resolvers listed in the router settings redirected victims' computers, tablets, and smartphones to fraudulent websites masquerading as an authentic bank service. The malicious sites would then steal the victims' login credentials. The router "pharming" attack reported by Team Cymru appears to be part of a distinct campaign given its much larger size, geographic diversity, and the fact that so far there are no indications that DNS lookups for banking sites are affected.


    "The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability," Monday's report stated. "The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group."


    Have I been hacked?


    The telltale sign that a router has been compromised is DNS settings that have been changed to 5.45.75.11 and 5.45.76.36. Team Cymru researchers contacted the provider that hosts those two IP addresses but have yet to receive a response. The researchers also privately contacted representatives of all manufacturers of routers being successfully hacked in this latest campaign.
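The check behind the question above, as an added example that is not part of the article or of Team Cymru's report: it pulls the resolver addresses out of a resolv.conf or `ipconfig /all` listing and flags the two indicator addresses named in the report. It goes one step further than the article and also flags any public resolver you did not deliberately configure, since a campaign with different infrastructure would change the addresses but not the pattern. The sample inputs are constructed, the private-address heuristic and the `allowed` list are assumptions for the example, and the two indicator addresses are the ones quoted above.

```python
import ipaddress
import re

# Resolver addresses Team Cymru's report names as the sign of a hijacked router.
KNOWN_BAD_RESOLVERS = {"5.45.75.11", "5.45.76.36"}

# Where a home or small-office LAN's DNS setting normally points: the router
# itself (it proxies DNS for the LAN) or another private-address resolver.
# This is a heuristic assumed for the example, not something the report states.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def parse_resolvers(text):
    """Extract resolver addresses from resolv.conf-style or 'ipconfig /all'-style text."""
    resolvers = []
    in_dns_block = False          # inside the multi-line 'DNS Servers' field of ipconfig
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)\s*$", line)
        if m:
            resolvers.append(m.group(1))
            continue
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)\s*$", line)
        if m:
            resolvers.append(m.group(1))
            in_dns_block = True
            continue
        m = re.match(r"\s+(\S+)\s*$", line)
        if in_dns_block and m:
            resolvers.append(m.group(1))   # continuation line: second/third server
            continue
        in_dns_block = False
    return resolvers


def classify_resolver(addr, allowed=()):
    """Return COMPROMISED, OK, REVIEW or INVALID for one resolver address."""
    if addr in KNOWN_BAD_RESOLVERS:
        return "COMPROMISED"              # exact match on the report's indicators
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "INVALID"
    if addr in allowed or any(ip in net for net in LOCAL_NETS):
        return "OK"                       # LAN-side, or a public resolver you chose
    return "REVIEW"                       # a public resolver you did not configure


def check_resolvers(text, allowed=()):
    """Map every resolver found in text to its classification."""
    return {addr: classify_resolver(addr, allowed) for addr in parse_resolvers(text)}


# Constructed samples for the example (not captured from a real device).
HIJACKED_RESOLV_CONF = """\
# what a DHCP client behind a hijacked router could be handed
nameserver 5.45.75.11
nameserver 5.45.76.36
"""

CLEAN_IPCONFIG = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, sample in (("hijacked", HIJACKED_RESOLV_CONF), ("clean", CLEAN_IPCONFIG)):
        print(name, check_resolvers(sample, allowed={"8.8.8.8"}))
```

One caveat: when the router proxies DNS, clients only ever see the router's own LAN address, and this check will report OK even on a hijacked device. The fields the attackers changed are on the router's WAN or DHCP settings page, so log in and paste those values into the same check, and treat any address you did not set yourself as suspect.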


    Monday's report is the latest to underscore the growing real-world attacks that target weaknesses in routers, modems, and other devices running embedded software. Once the domain of computers running Microsoft operating systems, these hacks in some cases exploit software bugs in the underlying code. In other cases, they seize on the use of default passwords or other errors made by the people using the targeted devices.


    "As embedded systems begin to proliferate in both corporate and consumer networks, greater attention needs to be given to what vulnerabilities these devices introduce," the Team Cymru researchers wrote. "Security for these devices is typically a secondary concern to cost and usability and has traditionally been overlooked by both manufacturers and consumers."


    Given the increasing success in compromising home and small-office routers, users should regularly review their devices to make sure they're not vulnerable to the most common types of exploits. The most important thing readers should do is to make sure the device is running the latest-available version of the firmware. Readers should also disable remote administration capabilities if they're not needed. If they are needed, users should limit the remote IP addresses that can access the router. It's also a good idea to regularly check DNS settings to ensure they haven't been altered. When possible, it can be helpful to disable a router's Web interface in favor of a command line since the interfaces are often susceptible to cross-site request forgeries and other types of attacks that target Web-programming weaknesses.


    Cross-site request forgery (CSRF) techniques are among the most widely used for hijacking routers. In the past five months, several exploits have been published showing how to use them to compromise routers made by Zyxel and TP-Link. Such attacks must be launched from a device already connected to the targeted router, and that is exactly what CSRF provides: when a user on the LAN visits a malicious or compromised website, the page instructs the user's browser to send a crafted request to the router's local address, and the browser relays it along with any cached credentials or session cookie. The router then treats the request as if the user had submitted it from the administration interface.
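The mechanism described above, as an added example that is not code from the article or from any router vendor: a toy model of a router's web interface with one state-changing DNS endpoint, first in the form that accepts any request carrying a valid session, then hardened with the three checks that stop a forged request (no state change on GET, Origin/Referer must be the router itself, and a per-session token the attacker's page cannot read). The `RouterAdmin` class, the hostnames in `ROUTER_HOSTS`, the `evil.example` attacker page and the request shape are all assumptions for the example; the two DNS addresses planted by the forged request are the indicators from the report.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Hostnames the router's admin UI is legitimately served on (assumed for the example).
ROUTER_HOSTS = {"192.168.1.1", "router.lan"}


class RouterAdmin:
    """Toy model of a router's web interface: one state-changing DNS endpoint."""

    def __init__(self):
        self.dns = ["192.168.1.1"]     # LAN DNS setting handed out by DHCP
        self.sessions = {}             # session cookie -> per-session CSRF token

    def login(self):
        """Return a session cookie; a real UI would check a password first."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]

    def set_dns_vulnerable(self, req):
        """Any request carrying a valid session is honoured, whichever site sent it."""
        if req.get("cookie") not in self.sessions:
            return 401
        self.dns = list(req["params"]["dns"])
        return 200

    def set_dns_hardened(self, req):
        """POST only, Origin/Referer must be the router, and a secret token must match."""
        sid = req.get("cookie")
        if sid not in self.sessions:
            return 401
        if req.get("method") != "POST":
            return 405                  # no state change on GET (an <img> tag is a GET)
        source = req.get("origin") or req.get("referer")
        if not source or urlparse(source).hostname not in ROUTER_HOSTS:
            return 403                  # request was triggered from a foreign page
        token = req["params"].get("csrf_token", "")
        if not hmac.compare_digest(token, self.sessions[sid]):
            return 403                  # attacker's page cannot read the token
        self.dns = list(req["params"]["dns"])
        return 200


def csrf_attack(router, handler_name):
    """A LAN user logged into the router visits http://evil.example (assumed attacker
    page); its page makes the browser send this request with the cached session cookie."""
    sid = router.login()               # the victim logged in earlier
    forged = {
        "method": "POST",              # a hidden auto-submitting form
        "cookie": sid,                 # the browser attaches it automatically
        "origin": "http://evil.example",
        "params": {"dns": ["5.45.75.11", "5.45.76.36"]},  # indicators from the report
    }
    status = getattr(router, handler_name)(forged)
    return status, router.dns


def legitimate_change(router):
    """The same change made from the admin page itself, token included."""
    sid = router.login()
    req = {
        "method": "POST",
        "cookie": sid,
        "origin": "http://192.168.1.1",
        "params": {"dns": ["192.168.1.1", "1.1.1.1"], "csrf_token": router.csrf_token(sid)},
    }
    return router.set_dns_hardened(req), router.dns


if __name__ == "__main__":
    print("vulnerable:", csrf_attack(RouterAdmin(), "set_dns_vulnerable"))
    print("hardened:  ", csrf_attack(RouterAdmin(), "set_dns_hardened"))
    print("legitimate:", legitimate_change(RouterAdmin()))
```

Two caveats a practitioner would raise. The token is the real defense; browsers and privacy extensions sometimes omit Origin and Referer, so the header check is a supplement that must never be the only gate. And the TP-Link case mentioned earlier, where the interface accepts a blank password, is an authentication bug layered on top of CSRF: a token check cannot help a device that does not insist on credentials in the first place.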



