In December 2015 one of clients asked us to look at some strange issues they were getting when trying to log in to sites like Amazon.co.uk. It became apparent quite quickly that the page they were seeing when visiting Amazon was not the real site. We performed all the usual virus checks and tests but were unable to find anything unusual on their computers and laptops.
Further investigation led us to their Netgear router which was provided to them as part of their rented office space. Someone had managed to log in to their router and put in fake addresses for the DNS (Domain Name System) settings. This meant when they typed in Amazon.co.uk or ebay.co.uk, instead of being taken to the legitimate website, they were in fact being re-directed to the hackers own server.
The hacker had created pages that were identical to those of eBay and Amazon. The only difference being that when you tried to login you were told that your credit card information needed to be validated. This happened each and every time you logged in, no matter if you had just confirmed your details moments ago (as unfortunately our client had).
We immediately advised our client to change their router and contact the managers of the rented office to let them know of the hack as it will have affected everyone in the serviced building.
Being the curious Monkeys we are, we didn’t stop there. We did some digging with regards to the fake DNS addresses and managed to find the hackers main website. On the website were lists of IP address, usernames and passwords for over 11,500 routers and modems. A quick test showed that these were still live and active and that the usernames and passwords listed were correct.
More worrying was that when refreshing the page it was clear this was still an active hack. The page was being updated every 5 minutes.
Obviously we immediately contacted the police and after some brief confusion we were directed to Action Fraud (http://www.actionfraud.police.uk/), where we reported the details of the hack and were told it would be looked in to.
However we were unable to contact the owners of the routers themselves as the online database did not contain any personally identifiable information, other than an IP address which can’t easily be traced back to the user.
However being the helpful Monkeys that we are, we did the next best thing. We have created a searchable online database to find out if you are on the list. http://bit.ly/22oCRay
If you are on the list then you will be given instructions on how to resolve the issue and keep yourself safe in the future.
- Keep you hardware and software up to date. If there’s an update available then you should run it.
- Change your default passwords. Never leave these at defaults
- Disable all remote access to your router
In this instance the most important item above was updating the router. NetGear and other router manufacturers released an advisory in October 2015 (http://bit.ly/1ObU10l) which explained a security flaw in their hardware. This is exactly the method used by the hacker in this case.
