A new variant of router malware has been discovered by Ara Labs, and it is designed to inject ads and pornography into websites. The malware modifies the router’s DNS settings to intercept Google Analytics tags and replace them with malicious content.
Because a number of websites use Google Analytics for traffic data, they are prime targets for a DNS attack. For the fraudsters, there’s plenty of potential for income – the attacker can sell ad spots to generate revenue. Assuming an individual infects numerous routers, this can result in a large sum of money.
The malware variant finds its way into routers easily because many owners do not change their router’s login credentials. It can also send unauthenticated configuration requests to certain devices that are vulnerable to an attack.
Ara Labs has not specified which routers are being exploited at the moment.
This type of malware has been around for years, according to experts. There have been several reports published on DNS attacks, but they continue to be problematic.
When a hijack is successful, the DNS settings on the router are changed to point to a rogue DNS server controlled by the attacker. With this access, a fraudster can replace the correct IP address for a domain with the IP address of a server that is under his or her control. This means that when you think you are visiting a certain domain, you may actually be connecting to a hacker’s server.
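A defender can check for the condition described above from a client on the network. The following is an added example, not code from Ara Labs or the original article; the expected-resolver list, the resolv.conf text and all IP addresses are constructed sample values, and the reference answers are assumed to come from a lookup that bypasses the router's DNS.

```python
import ipaddress

# Constructed sample data: all addresses are documentation/private ranges.
EXPECTED_RESOLVERS = {"192.168.1.1"}          # assumption: the router's LAN address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAMPLE_RESOLV_CONF = """\
# handed out by DHCP (constructed)
nameserver 192.168.1.1
nameserver 203.0.113.53
search home.lan
"""
# What the router-supplied resolver returned vs. a lookup that bypassed it.
LOCAL_ANSWERS = {"www.google-analytics.com": ["203.0.113.80"], "example.org": ["198.51.100.7"]}
REFERENCE_ANSWERS = {"www.google-analytics.com": ["192.0.2.10", "192.0.2.11"], "example.org": ["198.51.100.7"]}


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # skip malformed entries
    return servers


def audit_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Flag resolvers that are not on the expected list, noting LAN vs. public."""
    findings = []
    for s in servers:
        if s not in expected:
            ip = ipaddress.ip_address(s)
            scope = "lan" if any(ip in net for net in RFC1918) else "public"
            findings.append((s, scope))
    return findings


def divergent_answers(local, reference):
    """Domains whose local answers share no address with the reference lookup.
    A hijacked router can keep advertising its own LAN address as resolver, so
    comparing answers catches what the resolver list alone misses. CDNs can also
    return disjoint sets legitimately, so treat a hit as a lead to investigate."""
    return sorted(d for d in local
                  if d in reference and not set(local[d]) & set(reference[d]))


if __name__ == "__main__":
    print(audit_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF)))
    print(divergent_answers(LOCAL_ANSWERS, REFERENCE_ANSWERS))
```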
Proactive updates are the best protection – you should ensure that your router’s firmware is fully patched, and change your default credentials as soon as possible.