Fraudsters are using hijacked router DNS settings to intercept Google Analytics tags and replace them with pornography and adverts.

This is the warning from security experts Ara Labs Security Solutions, which discovered a router hack that injects third-party content into random websites.

Router Hack

“For victims whose router has been compromised this has the effect of injecting ads and pornography into every site that they browse that uses Google Analytics,” blogged researcher Sergei Frankoff.

Frankoff discovered that once a router DNS hijack is successful, the DNS settings on the router are changed to point to a rogue DNS server controlled by the attackers.

“If an attacker controls the DNS server that you are using to lookup an IP they can substitute the correct IP for the IP of a server that is under their control,” he warned. “Then you might connect to this IP thinking that you are connecting to a certain domain when in fact you are connecting to a server controlled by the attacker.”

To make matters worse, the compromised router can then do damage by abusing Google Analytics traffic-tracking tags. Google Analytics is a service for tracking and analysing website traffic, and webmasters often enable it by embedding the analytics tag on their website.

Unfortunately, this makes the tags a perfect target for the fraudsters to inject malware into.

“In previous cases of router DNS hijacking the criminals have used the rogue DNS server to spoof the location of banking websites in an attempt to intercept banking traffic,” blogged Frankoff. “In this case, the fraudsters are using the hijacked DNS to intercept requests to the google-analytics.com domain, then directing the victim to a fake Google Analytics site. When the victim requests the Google Analytics javascript from the fake site they are served malicious Javascript that injects ads into the site they are browsing.”

The adverts can sometimes be pornographic in nature.

So what can users do to protect themselves? The router DNS hijacking malware takes advantage of default credentials on the routers, as well as bugs that allow unauthenticated configuration requests to be sent to the routers.

Users are advised to keep their router firmware up to date, and to change the default credentials.

Malware Threat

Routers have increasingly become a point of vulnerability to hackers.

In December, for example, Avast warned that home Wi-Fi routers were increasingly being targeted by hackers. And last month Proofpoint warned of spam email containing links that would hack homeowners' routers.

Earlier in the year, mobile operator EE admitted to a flaw in the Brightbox routers it provides to its home broadband customers that could allow a hacker to remotely access users' account and personal information.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
