Cybercriminals Hijack 4.5 Million ADSL Modems in Brazil to Serve Malware

Present at this year’s Virus Bulletin conference, Kaspersky Labs researcher Fabio Assolini revealed that cybercriminals leveraged a vulnerability in the Broadcom chips of some ADSL modems to hijack browsing sessions and trick users into installing malware.

The security hole allows an attacker to perform a cross-site request forgery (CSRF) in the administration panel of the device to capture the access password. Once they obtained the password, the crooks altered the modem’s DNS settings to make sure that when users wanted to visit certain websites, they would be served malicious files.
Assolini’s paper – entitled “The tale of 1001 ADLS modems: Network devices in the sights of cybercriminals” – shows that over 4.5 million routers owned by users in Brazil were hijacked last year.

When victims wanted to visit Google, Facebook, or social network Orkut, they were presented with a pop-up message that urged them to install all sorts of Google applications, Sophos’ Graham Cluley explained in a blog post.

This was possible because the cybercrooks altered the modems’ settings to redirect internauts to one of 40 malicious DNS servers located around the world.

The malicious websites and apps pushed by the attackers from apparently-legitimate sites enabled them to steal all sorts of sensitive information, which they utilized to make a hefty profit.

For instance, one of the perpetrators told the researcher that he made around $50,000 (38,000 EUR) which he was planning to spend on trips to Rio de Janeiro. 

Even after experts discovered the cause of the large number of virus infections – which is said to have affected not only consumers, but also organizations – it wasn’t an easy task to restore the DNS settings. That’s because the cybercriminals changed the devices’ access passwords.

In order to prevent such incidents from happening in the future, Assolini believes that researchers should be more proactivewhen it comes to reporting security holes in networking devices.

Furthermore, in this particular case, there are other entities that can be blamed. For instance, ISPs often lend their customers old and flawed equipment. On the other hand, Brazil’s national telecommunications agency ANATEL isn’t testing the security of modems and routers before approving them.