GhostDNS: 70+ different types of home routers (100,000+) are being hijacked

Published by


Over a 100K routers from brands like D-Link, MikroTik, TP-Link, Huawei and SpeedTouch are currently hijacked and have a changed the DNS server. That way traffic can be re-routed ending up at phishing sites etc.

While not a new methodology, from the 20th of September of this year a large attack was discovered by security researchers. So basically on a malicious website, a script would be executed that sniffs if your router port is open, try to log in (brute force) to your router, that changes credentials and DNS. A lot of users use the default username and password which makes them extra vulnerable. Once the criminals are able to login they change the DNS server address of the router.  Currently, the attacks are mainly active in Brazil.

The current attack, discovered by network security lab 360 Netlab, affects more than 70 different routers:

  • 3COM OCR-812
  • D-LINK
  • D-LINK DSL-2640T
  • D-LINK DSL-2740R
  • D-LINK DSL-500
  • D-LINK DSL-500G/DSL-502G
  • Huawei SmartAX MT880a
  • Intelbras WRN240-1
  • Kaiomy Router
  • MikroTiK Routers
  • Ralink Routers
  • SpeedStream
  • SpeedTouch
  • Tenda
  • TP-LINK TD-W8901G/TD-W8961ND/TD-8816
  • TP-LINK TD-W8960N

In total, more than 100,000 routers are affected by the attack of which the majority is located in Brazil. As soon as the users browse to specific websites they are redirected to phishing sites. These include online banking sites but also Netflix and hosting companies.

Once again, make sure your router firmware is up-to-date, disable external WAN access, and change your default password. 

GhostDNS: 70+ different types of home routers (100,000+) are being hijacked

Share this content
Twitter Facebook Reddit WhatsApp Email Print