Attackers Targeting Dlink DSL Modem Routers ; Exploiting Them To Change The DNS Settings

Certificate Warning on Fake Site

At the point when the user attempts to connect to a website on the internet, they first question a DNS server to determine a hostname like to an IP address like

Their PC at that point associates with this IP address and starts the coveted connection. In this way by changing the name servers utilized on the router, users are diverted to fake and malignant sites without their insight and made to believe that these sites are indeed legitimate and dependable.

The pernicious URL takes the following form:


at the point when the exploit permits unauthenticated remote configuration of DNS server settings on the modem router.

Radware’s research stated that – “The uniqueness about this approach is that the hijacking is performed without any interaction from the user, phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user’s browser have been reported as early as 2014 and throughout 2015 and 2016. In 2016, an exploit tool known as RouterHunterBr 2.0 was published on the internet and used the same malicious URLs, but there are no reports that Radware is aware of currently of abuse originating from this tool.”

The researcher’s state that the attack is deceptive as the user is totally unaware of the change, the hijacking works without creating or changing URLs in the user’s browser.

A user can utilize any browser and his/her consistent regular routes, the user can type in the URL physically or even utilize it from cell phones, for example, a smart phone or tablet, and he/she will in any case be sent to the vindictive site rather than to their requested for site since the capturing viably works at the gateway level.

Radware along these lines , recommends users to utilize the to check their router’s configured DNS servers, with the goal that they can alone decide whether there are servers that look suspicious as they won’t be relegated by their internet service provider.

Leave a Reply