EXCERPT: Stefan Tanase, principal security researcher at Ixia, told Ars that the DNS servers described in this article were taken down and that the attackers have replaced them with new DNS servers. Ixia analyzed the rogue DNS server and found it targets the following domains: GMail.com, PayPal.com, Netflix.com, Uber.com, caix.gov.br, itau.com.br, bb.com.br, bancobrasil.com.br, sandander.com.br, pagseguro.uol.com.br, sandandernet.com.br, cetelem.com.br, and possibly other sites. People trying to reach one of these domains from an infected router will be connected to a server that serves phishing pages over plain HTTP.
Below is how cetelem.com.br appeared in Firefox on a machine configured to use one of the malicious DNS servers.
What follows is this article as it appeared on Thursday, 4/4/2019, 2:59 PM:
A wave of DNS hijacking attacks that abuse Google’s cloud computing service is causing consumer routers to connect to fraudulent and potentially malicious websites and addresses, a security researcher has warned.
By now, most people know that Domain Name System servers translate human-friendly domain names into the numeric IP addresses that computers need to find other computers on the Internet. Over the past four months, a blog post published Thursday said, attackers have been using Google cloud service to scan the Internet for routers that are vulnerable to remote exploits. When they find susceptible routers, the attackers then use the Google platform to send malicious code that configures the routers to use malicious DNS servers…