In our last smart home cybersecurity roundup, we talked about the device vulnerabilities found in Linksys Smart WiFi routers and Android smartphones. This month's issue focuses on one particular type of threat that recently made headlines for surpassing 4 million hacking attempts over a two-month period: Website drive-by attacks. Keep reading to learn more about this prevailing attack method on home routers.
What are website drive-by attacks?
Before we dive in, let's discuss what these type of attacks are. Website drive-by attacks, also referred to as drive-by downloads or cross-site request forgery (CSRF) attacks, are hacking attempts made through compromised web pages or malicious browser ads.
"Drive-by Attacks are an increasingly common type of attack, used by threat actors to force the client into performing an action without the consent of the user. The key difference between Drive-by attacks and other attacks of this nature, is that they do not require any user interaction with the malicious content for the attack to be successful, which makes it incredibly difficult for users to identify and avoid this type of threat."
One form of this attack targets user home routers, exploiting or reconfiguring them. Recently, there has been an uptick in these attacks that attempt to change the Domain Name System (DNS) server settings (used by the router and in turn, all of the devices on the network) to something the attacker controls.
When this form of attack is successful, the hacker can then perform a number of actions, like:
- Redirect the user to fraudulent websites
- Steal the user's online credentials and personal info
- Inject more malicious ads on webpages that the user is visiting
And to make matters worse, this type of attack was found to be a prevailing attack method on home routers in Brazil these past few months...
4+ million website drive-by attack attempts detected by Avast Software
On July 10, 2019, global cybersecurity and antivirus company Avast Software released their research on website drive-by attacks on home routers in Brazil:
"Router exploit kits are nothing new in Brazil; a router exploit kit named GhostDNS was discovered by Netlab360 in the fall of 2018, showing more than 100K infected SOHO routers. Novidade and other variants of the GhostDNS exploit kit have also been pretty active this year, and Avast has detected a new exploit kit, SonarDNS, in April 2019."
In February and March of this year, Avast detected and blocked 4.6 million website drive-by attacks in Brazil, and also discovered that 180,000 users in the Avast user base had been successfully hacked through this type of attack.
Below is a graph by Avast showing their blocked website drive-by hacking attempts from February 2019 through May 2019:
RouterCSRF attacks blocked by Avast Web Shield.
In their findings, Avast goes on to highlight the top targeted router makes and models, and shares about the other router exploit kits they detected in Brazil.
How can I prevent a website drive-by attack from targeting my router?
To successfully carry out a website drive-by attack, it's important to note that the hacker must correctly guess the login credentials of your router or leverage a known vulnerability against it.
This highlights the importance of resetting your router's credentials to something secure and unique, and at the very least, changing from the factory set username and password. In addition to choosing a strong username and password for your router, you can also do the following:
- Disable your router's remote access feature
- Be cautious when browsing the web and clicking on ads / links
- Keep your browser, antivirus, OS software and router firmware up-to-date with the latest versions
- Use a password manager, like 1Password or LastPass, to ensure you are using strong, unique credentials across all sites
