IoT Hackers Trick Brazilian Bank Customers into Providing Sensitive Information


Radware Threat Research Center has identified a hijacking campaign aimed at Brazilian Bank customers through their IoT devices, attempting to gain their bank credentials.

The research center has been tracking malicious activity targeting D-Link DSL modem routers in Brazil since June 8th. Through known old exploits dating from 2015, a malicious agent is attempting to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious DNS server. The malicious DNS server is hijacking requests for the hostname of Banco de Brasil ( and redirecting to a fake, cloned website hosted on the same malicious DNS server, which has no connection whatsoever to the legitimate Banco de Brasil website.

Itau Unibanco, another Brazilian financial institution, hostname ( is also being redirected, although not backed by a cloned website for now. For all other DNS requests, the malicious server works as a forwarder and resolves just as an ISP DNS server would. The malicious DNS server set up by the hackers becomes an effective man-in-the-middle that provides the malicious actor with the flexibility to bring up fake portals and web fronts to collect sensitive information from users whose routers were infected.

Unique about this approach is that the hijacking is performed without any interaction from the user. Phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user’s browser have been reported as early as 2014 and throughout 2015-2016. In early 2016 an exploit tool known as RouterHunterBr 2.0 was published on the internet and used the same malicious URLs, but there are no reports that we are aware of to date of abuse originating from this tool.

The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. A user can use any browser and their regular shortcuts, type in the URL manually, or even use a mobile device such as an iPhone, iPad, or Android phone or tablet. They will still be sent to the malicious website instead of the one they requested, so the hijacking effectively works at the gateway level.


Details of the attack

From June 12th our deception network has been recording multiple infection attempts for an old D-Link DSL router exploit.

The exploit allows unauthenticated remote configuration of DNS server settings on the modem router. The malicious URL is in the form of:

/dnscfg.cgi?dnsPrimary=<malicious_DNS_IP>&dnsSecondary=<malicious_DNS_IP>&dnsDynamic=0&dnsRefresh=1

Exploits were published as early as Feb 2015 for multiple DSL routers, mostly D-Link:

  • Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change: Exploit
  • D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit :
  • D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit:
  • D-Link DSL-2780B DLink_1.01.14 – Unauthenticated Remote DNS Change:
  • D-Link DSL-2730B AU_2.01 – Authentication Bypass DNS Change:
  • D-Link DSL-526B ADSL2+ AU_2.01 – Unauthenticated Remote DNS Change:

Our deception network recorded almost 500 attempts between June 8th and August 10th. All our São Paulo based honeypots captured these attempts, without exception. The rest of our global deception network did not capture any of these attempts, meaning the malicious agent was focusing his attack on Brazilian targets only, trying to increase efficiency while staying under the radar from honeypots outside of Brazil.
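As an added example (not Radware's code or honeypot tooling), the following Python scanner shows how an operator of a router honeypot or a web server could detect the unauthenticated DNS-change requests described above in ordinary access logs: it parses combined-log lines, matches requests to dnscfg.cgi that carry dnsPrimary/dnsSecondary parameters, and tallies attempts per source and per pushed resolver pair. The log lines and all IP addresses in it are constructed placeholders from the RFC 5737 documentation ranges, not the campaign's real indicators.

```python
"""Scan web-server or honeypot access logs for unauthenticated DNS-change
attempts of the form /dnscfg.cgi?dnsPrimary=...&dnsSecondary=... .

Added example for this write-up; it is not Radware's code. All log lines and
IP addresses below are constructed placeholders (RFC 5737 ranges), not the
campaign's real indicators.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log in combined-log style (placeholder IPs).
SAMPLE_LOG = """\
198.51.100.23 - - [12/Jun/2018:03:14:07 +0000] "GET /dnscfg.cgi?dnsPrimary=203.0.113.9&dnsSecondary=203.0.113.9&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2018:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.77 - - [02/Aug/2018:11:02:45 +0000] "GET /dnscfg.cgi?dnsPrimary=203.0.113.17&dnsSecondary=203.0.113.17&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 512 "-" "python-requests/2.18"
203.0.113.5 - - [02/Aug/2018:11:05:01 +0000] "POST /login.cgi HTTP/1.1" 401 128 "-" "curl/7.58"
"""

# Fields of a combined/common log line; only what the check needs is captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_dns_change_attempt(target):
    """True when the request URL targets dnscfg.cgi and tries to set a resolver."""
    parts = urlsplit(target)
    if not parts.path.endswith("/dnscfg.cgi"):
        return False
    params = parse_qs(parts.query)
    return "dnsPrimary" in params or "dnsSecondary" in params


def pushed_dns_servers(target):
    """Return the (primary, secondary) resolver IPs the request tried to set."""
    params = parse_qs(urlsplit(target).query)
    return (params.get("dnsPrimary", [""])[0], params.get("dnsSecondary", [""])[0])


def scan_log(text):
    """Count DNS-change attempts per source IP and per pushed resolver pair."""
    per_source = Counter()
    per_resolver = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_dns_change_attempt(rec["target"]):
            continue
        per_source[rec["src"]] += 1
        per_resolver[pushed_dns_servers(rec["target"])] += 1
    return per_source, per_resolver


if __name__ == "__main__":
    sources, resolvers = scan_log(SAMPLE_LOG)
    for src, n in sources.most_common():
        print(f"{src}: {n} DNS-change attempt(s)")
    for (primary, secondary), n in resolvers.most_common():
        print(f"pushed resolvers {primary} / {secondary}: {n} time(s)")
```

The resolver pairs the scanner extracts are the useful part for a defender: a new pair appearing in the logs, as happened on August 2nd in this campaign, is the signal that the attacker's infrastructure moved, and the pushed addresses are what to block at the ISP and to compare against customers' router settings.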

Exploit attempts were performed from a handful of servers. Most of the servers were located in the U.S., but the most active, and to this day the only active, server is located in Brazil. Below are the 5 IPs accounting for the 500 attempts:

Originally the malicious DNS server IP used in the exploit was The IP changed to from August 2nd 2018.

Resolving the hostname for Banco de Brasil ( through the malicious DNS server:

Equally so for Itau Unibanco:

The fake cloned website for Banco de Brasil is located at and uses a self-signed certificate with a validity starting date of August 1st 2018, matching the change of malicious DNS server IP in the exploit attempts. We emphasize that the fake cloned website for Banco de Brasil is hosted on a malicious server that has no connection whatsoever to the legitimate Banco de Brasil website.

When trying to access the account through the fake cloned website, the user is presented with a form asking for the bank agency number, account number and an eight-digit pin.

Next, the fake site requires confirmation of identity by asking users to provide mobile phone, card pin, and a CABB number.

Impact for the end-users

The banks referenced above were not directly attacked nor breached; however, their users can suffer financial and private data losses through this malicious hijacking attack. The ‘only’ indicator for the user is the invalid certificate, which all modern browsers clearly indicate when using secure connections. It is not even possible to access the website without explicitly confirming the “Not Secure” exception! However, the malicious website, unlike the original website, does allow insecure connections. If the user, for some reason, bookmarked or typed an unsecured URL (http:// instead of https://), the malicious website happily stays on the insecure connection and there will be no visible warning for the user.


Another impact on the victims will occur when the malicious DNS server goes offline or is taken down. The attacker is attempting to modify both primary and secondary name servers with the same malicious server IP, meaning that when the malicious server is offline, all infected homes will fail to further resolve any hostnames and their internet will be virtually inaccessible until the users manually update their router settings or the ISP overrides the settings.


Notifications and collaborations

The targeted banks have been notified as soon as we discovered the hijacking.

Radware worked closely with the Cloud Provider hosting the malicious DNS and web sites and is happy to report that since 1pm CEST the servers were taken offline.

How can users detect they were compromised?

Check the primary and secondary DNS server settings in the IP configuration of your mobile devices, computers and router. Start with the router: in the most likely case, where devices inside the home get their settings from the router via DHCP, all devices will expose the malicious server IP as both primary and secondary DNS server.

A convenient way for checking DNS servers used by your devices and router is through websites like ‘’.
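Added example, not part of the original post or Radware's tooling: a Python check of the resolver settings a device was handed, as this section recommends. It parses a constructed /etc/resolv.conf, flags resolvers that appear on a placeholder indicator list or that lie outside the home LAN, and also flags the primary-equals-secondary pattern this campaign pushes, which the Impact section above notes leaves the home without working DNS once the malicious server goes away. The sample configurations, the indicator list and the LAN range are all constructed; the campaign's real resolver IPs are not reproduced here.

```python
"""Check a device's resolver settings for the hijack pattern described above.

Added example (not Radware's code). Sample resolv.conf contents and the
indicator list are constructed placeholders using RFC 5737 documentation
addresses; the campaign's real IPs are not reproduced here.
"""
import ipaddress

# Constructed: what a home device sees after its router's DNS was rewritten.
HIJACKED_RESOLV_CONF = """\
# Generated by DHCP client
nameserver 203.0.113.17
nameserver 203.0.113.17
search home.lan
"""

# Constructed: a healthy home, the router hands out its own LAN address.
HEALTHY_RESOLV_CONF = """\
nameserver 192.168.1.1
search home.lan
"""

# Placeholder indicator list; replace with the resolver IPs from the advisory.
KNOWN_BAD_DNS = {"203.0.113.9", "203.0.113.17"}


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue                       # skip malformed entries
    return servers


def check_resolvers(servers, lan, known_bad=KNOWN_BAD_DNS):
    """Return (severity, message) findings for a list of resolver addresses.

    lan is the home network in CIDR form, e.g. "192.168.1.0/24"; DHCP on a
    home router normally hands out the router's own LAN address as resolver.
    """
    findings = []
    if not servers:
        return [("high", "no resolver configured; name resolution will fail")]
    lan_net = ipaddress.ip_network(lan, strict=False)
    for ip in dict.fromkeys(servers):          # unique, order preserved
        if str(ip) in known_bad:
            findings.append(("high", f"{ip} is a known malicious resolver"))
        if ip not in lan_net:
            findings.append(("medium", f"{ip} is outside the home LAN {lan_net}"))
    if len(servers) >= 2 and len(set(servers)) == 1:
        findings.append(("medium",
            f"primary and secondary resolver are both {servers[0]}: the pattern "
            "this campaign pushes, and a single point of failure for the home"))
    return findings


if __name__ == "__main__":
    for label, conf in (("hijacked", HIJACKED_RESOLV_CONF), ("healthy", HEALTHY_RESOLV_CONF)):
        findings = check_resolvers(parse_nameservers(conf), lan="192.168.1.0/24")
        print(f"{label}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

The "outside the home LAN" finding is a heuristic: a household that deliberately configured a public resolver will trigger it too, so it is rated medium and should be read together with the indicator match. The indicator match is the decisive check, and the identical primary/secondary pattern is worth keeping as a secondary signal because it survives an attacker rotating to a new server IP.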

What should infected users do?

Only modems and routers that were not updated in the last two years can be exploited. An update from time to time wouldn’t hurt. It will not only protect the owner of the device but also prevent devices from being enslaved for devastating DDoS attacks or used to conceal targeted attacks.

All modern browsers clearly indicate an issue with the certificate of the fake website when using secure connections. These warnings should never be ignored, and exception pop-ups should not be approved without further consideration or investigation. When facing such a situation, users should be urged to contact the helpdesk of the organization they were trying to access.

Concluding remarks

We’ve witnessed consumer IoT devices being enslaved in botnets devised to perform devastating DDoS attacks, mine cryptocurrency, provide anonymizing proxy services to conceal attacks and collect confidential information. Most of the activities related to IoT malware victimizing consumers’ IoT devices are not directed at the device owners. Owners are mostly unaware or they don’t care as long as the primary function of the device is not compromised. BrickerBot was the first exception, forcing users to care by bricking their devices if they didn’t and got infected with IoT malware.

This new attack which targets the IoT device owner, attempting to obtain their sensitive data is another reason for consumers to care about the state of their devices and ensure best practices are met while buying from vendors that meet and demonstrate secure standards in the development of their devices.

While this particular attack was using a two-year-old exploit, most exploits on IoT devices witnessed in the past year have been abusing remote command execution in the context of a user with administrative rights. It is not too far-fetched to imagine a malicious agent crafting a similar hijacking attack using command-line scripts embedded in the RCE exploit URLs.

As the Director, Threat Intelligence for Radware, Pascal helps execute the company's thought leadership on today’s security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team Pascal develops and maintains the IoT honeypots and actively researches IoT malware. Pascal discovered and reported on BrickerBot, did extensive research on Hajime and follows closely new developments of threats in the IoT space and the applications of AI in cyber security and hacking. Prior to Radware, Pascal was a consulting engineer for Juniper working with the largest EMEA cloud and service providers on their SDN/NFV and data center automation strategies. As an independent consultant, Pascal got skilled in several programming languages and designed industrial sensor networks, automated and developed PLC systems, and led security infrastructure and software auditing projects. At the start of his career, he was a support engineer for IBM's Parallel System Support Program on AIX and a regular teacher and presenter at global IBM conferences on the topics of AIX kernel development and Perl scripting.


  1. […] The attackers inserted the settings of their own malicious DNS server. When victims try to browse to a legitimate banking site, they end up on a phishing site, although the URL appears to be the same. Radware observed a scheme targeting Banco de Brasil. “The malicious DNS server set up by the hackers becomes an effective man-in-the-middle that provides the malicious agent with the flexibility to display cloned portals and pages to collect confidential information from users whose routers were infected,” writes Pascal Geenens, who is Radware's cyber evangelist in EMEA, in a blog post. […]


  6. […] Haphazardly connecting both essential and mundane devices to the internet comes with inherent risks. In July, the FDA recalled select Medtronic MiniMed insulin pumps due to potential cybersecurity risks, affecting an estimated 4,000 users. An infamous 2016 distributed denial of service (DDoS) attack used malware known as a “botnet” to overload the servers of IoT devices to knock major websites offline including Netflix, Spotify and Amazon, with damages estimated at $100 million. This is just the start of security concerns with IoT devices. Hackers may take more drastic measures to weaponize smart devices, such as dropping home thermostats during winter months, taking control of and crashing self-driving cars, or even inflicting substantial financial and private data losses for customers at financial institutions. […]


