Phishing and Cryptomining DNS Hijacking Activity Spikes in Brazil

• Avast says they are blocking thousands of DNS hijacking attempts in Brazil right now.
• The actors are targeting users of online banking services as well as Netflix users.
• Mostly, it’s all about phishing, but ad pushing and crypto mining are also involved in some cases.

Avast warns of ongoing malicious campaigns that involve millions of DNS hijacking attempts that are taking place in Brazil right now. The security company claims that they have blocked more than 4.6 million attempts to send their customers to phishing websites since January, and the problem is showing no signs of easing off. The main way that the attackers use in order to achieve their goal is CSRF (cross-site request forgery), which involves the modification of the victim's router settings and the changing of the default DNS (domain name system) to redirect the user to a phishing website.

As we saw back in April, DNS hijackers exploit known router flaws and vulnerabilities to conduct “domain parking” and “silent phishing”. In this case, it is the latter that interests the attackers, so they are redirecting unbeknownst victims to their phishing/fake websites. For example, a victim could visit an online banking platform from their browser, but end up on a phishing login webpage that will steal their login credentials. Due to the way the redirection takes place, the victim will never realize what happened until it’s too late. The Brazilian campaigns are using Netflix and large local banks for their phishing, either for direct exploitation or for selling this data on darknet forums.

The online platforms that were targeted the most according to Avast are the following:

• Santander (24%)
• Bradesco (19%)
• Banco do Brasil (13%)
• Itau BBA (13%)
• Netflix (11%)
• Caixa (10%)
• Serasa Experian (10%)

Apart from the phishing though, the attackers are also indulging in ad serving, hijacking the Outbrain platform and integrating the ads to the landing pages, generating revenue or tricking the victims into downloading more malware samples onto their machine. Cryptomining scripts embedded onto the landing pages are not out of the question either, as Avast confirms that they have seen this as well, although at a limited extent.

People from Brazil who need to login to their online banking platform or Netflix should be very cautious when doing so, checking for the page’s certificate, the existence of the padlock in the URL bar, and the “https” protocol. Moreover, router firmware updates should not be neglected as this is the door that opens the way to DNS hijacking actors in the first place. If you’re unsure about whether your router has been compromised, check your router's settings and ensure that the DNS server is the expected one.

Do you live in Brazil? Have you had an adverse experience relating to the above? Share the details with us in the comments down below, and help us spread the word of warning to more people by sharing this story through our socials, on Facebook and Twitter.