New JavaScript attack infects your phone and changes your router's DNS settings

Security firm Trend Micro has discovered an attack on home routers that involves malicious JavaScript, a mobile website, and a mobile device such as a smartphone. This attack has been taking place since December 2015, and so far focuses on Taiwan, Japan, and China. However, the United States is fourth on the attack list, so be prepared.

According to the report, a compromised mobile website can contain JavaScript that downloads a second script, one with DNS-changing routines, to the visiting mobile device. Although this JavaScript can also be downloaded on a computer, the infection depends on the user’s medium: for example, JS_JITONDNS only infects mobile devices and triggers the DNS-changing routine, while the JITON infection is triggered only if the user has a ZTE modem.

An examination of the code reveals that hackers are targeting routers sold by well-known manufacturers such as D-Link, TP-LINK, and ZTE. The report points out that TP-LINK currently owns 28 percent of the router market while D-Link is in the top 10 with a seven percent market share. Given that D-Link is based in Taiwan and TP-LINK in China, Trend Micro isn’t surprised by the high number of attacks in those regions.

“Cybercriminals behind this incident employ [an] evasive mechanism to go off the radar and continue the attack without arousing any suspicion from affected users. Such tactics include regularly updating the JavaScript codes to fix errors and constantly changing targeted home routers,” the report states. “The compromised websites are difficult to pinpoint due to the lack of any suspicious behavior.”

A router’s DNS settings can be overwritten because the JavaScript code contains more than 1,400 login combinations, including a list of common passwords. The JavaScript also contains code that can overwrite DNS settings by exploiting a specific vulnerability that currently exists in ZTE-based routers. Ultimately, once the router has been compromised, hackers can remotely send it any arbitrary command with administrator privileges.

However, Trend Micro specifically points out that the DNS changes can only be made if the victim accesses a compromised website on their mobile device. To prevent hackers from gaining control of their routers, all consumers need to do is keep their home networking router’s firmware up to date and avoid using the default ID and password provided with the device when it shipped (like “admin” and “password”).
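As an added example (not from Trend Micro's report or the original article), the sketch below shows how the pattern described above, a rapid run of login guesses followed by a DNS change, could be spotted in a router's admin access log. The log format, the `/login.cgi` and `/dns_settings.cgi` paths and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical format, not from a real router:
# ISO timestamp, LAN client IP, method, path, HTTP status.
SAMPLE_LOG = "\n".join(
    [f"2016-04-11T20:14:{s:02d} 192.168.1.23 POST /login.cgi 401" for s in range(1, 13)]
    + ["2016-04-11T20:14:13 192.168.1.23 POST /login.cgi 200",
       "2016-04-11T20:14:14 192.168.1.23 POST /dns_settings.cgi 200",
       "2016-04-11T21:02:10 192.168.1.40 POST /login.cgi 401",
       "2016-04-11T21:02:25 192.168.1.40 POST /login.cgi 200",
       "2016-04-11T21:03:00 192.168.1.40 POST /dns_settings.cgi 200"]
)

LOGIN_PATH = "/login.cgi"          # hypothetical admin login endpoint
DNS_PATH = "/dns_settings.cgi"     # hypothetical DNS configuration endpoint
WINDOW = timedelta(seconds=60)     # how far back failed logins are counted
THRESHOLD = 10                     # failures per window that a person typing would not produce


def find_dns_hijack_patterns(log_text):
    """Return alerts for clients whose DNS change follows a burst of failed logins."""
    failures = defaultdict(deque)  # client IP -> timestamps of recent 401 responses
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue               # skip malformed lines instead of crashing
        ts_raw, client, _method, path, status = parts
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue
        recent = failures[client]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()       # expire failures older than the window
        if path == LOGIN_PATH and status == "401":
            recent.append(ts)
        elif path == DNS_PATH and status == "200" and len(recent) >= THRESHOLD:
            alerts.append({"client": client, "time": ts_raw,
                           "failed_logins": len(recent)})
            recent.clear()         # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in find_dns_hijack_patterns(SAMPLE_LOG):
        print(alert)
```

In the sample, the client that mistypes its password once before changing DNS is not flagged; only the client with twelve failed logins in quick succession is.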

“Often times, people overlook the importance of keeping the firmware updated,” the report adds. “Administrative devices especially in the age of IoT are vulnerable to attacks that may pose risks to both user privacy and security. It is best to know how these smart devices operate and what kind of personal identifiable information these devices may collect.”

The list of countries affected by this mobile attack also includes France, Canada, Australia, Korea, Hong Kong, and the Netherlands, as Trend Micro reveals in a chart.

Attacks on home routers aren’t anything new, although this version seems to be surfing the mobile trend in an emerging Internet-of-Things (IoT) world. Hackers can do all sorts of things with compromised routers, including establishing a botnet and programming specific DNS settings that send clueless victims to malicious websites. Unfortunately, most smartphones and tablets aren’t protected like desktops, so this new mobile JavaScript-based hack is certainly alarming, to say the least.
