The goal of this web-based attack is to replace the Domain Name System (DNS) settings in home routers with malicious DNS servers that direct victims to phishing pages of financial institutions.
The modifications occur when victims are directed to malicious websites carrying adult content, which run scripts in the background. These scripts contain links pointing to local IP addresses generally assigned to home routers and to a specific DNS configuration script (“dnscfg.cgi”).
Some users may see a request to log into the router configuration, Fabio Assolini from Kaspersky Lab said in a blog post.
However, this depends on the strength of the access password, because the scripts also have brute-forcing capability, and they first attempt to guess the credentials on their own.
It appears they run pretty basic combinations (admin:admin, root:root and admin:gvt12345), so a complex passcode should cause a login dialog to pop up.
Also present in the scripts are commands for changing the primary and secondary DNS servers.
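For defenders, the pattern described above (a public page referencing a private router address, the DNS configuration script and guessed credentials) can be flagged in page content at a web proxy or crawler. The following is an added example, not code from Kaspersky Lab or from the original article; the function names, the reason labels and the sample page are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Credential pairs named in the article; extend with your own default-password list.
KNOWN_GUESSES = {("admin", "admin"), ("root", "root"), ("admin", "gvt12345")}
ROUTER_PATH = "dnscfg.cgi"  # DNS configuration script named in the article

class UrlCollector(HTMLParser):
    """Collect every src/href value, where background requests are embedded."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("src", "href") and v]

def split_if_lan(url):
    """Return urlsplit(url) if the host is a private/loopback/link-local IP literal."""
    try:
        parts = urlsplit(url)
        if ipaddress.ip_address(parts.hostname or "").is_private:
            return parts
    except ValueError:  # malformed URL, or the host is a DNS name
        pass
    return None

def find_router_targets(html):
    """Return (url, reasons) for each URL in a page that aims at a LAN address."""
    collector = UrlCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parts = split_if_lan(url)
        if parts is None:
            continue
        reasons = ["private-ip"]
        if ROUTER_PATH in parts.path.lower():
            reasons.append("dns-config-script")
        if parts.username is not None:
            reasons.append("embedded-credentials")
            if (parts.username, parts.password) in KNOWN_GUESSES:
                reasons.append("default-password-guess")
        findings.append((url, reasons))
    return findings

# Constructed sample page (not captured traffic).
SAMPLE = """<html><body><img src="https://cdn.example.com/a.jpg">
<img src="http://admin:admin@192.168.1.1/dnscfg.cgi">
<img src="http://10.0.0.1/logo.png"><a href="/local">x</a></body></html>"""
```

This only inspects static src and href attributes, so URLs assembled at run time by a script would need to be caught at the network layer instead.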
Users are tricked into opening the malicious links by an email claiming to provide photo evidence that the victim did something wrong. Kaspersky systems recorded 3,300 clicks on the malicious links, most of them traced to Brazil, although the U.S., China, Canada and Mexico also appeared on the map.