Avast has blocked more than 4.6 million attempts to send users to malicious sites so far this year in Brazil, part of a cybercrime ploy to hijack traffic away from websites that include Netflix and large banks.

The attacks, called cross-site request forgery (CSRF) attempts, are used by cybercriminals to carry out commands without the users’ knowledge. In this case the attacks silently modify the users’ Domain Name System (DNS) settings to redirect them from an authentic URL to an inauthentic website where they are hit with phishing and cryptomining attacks, or attacks via malicious ads. 

You can read more about the technical aspect of the attacks and Avast’s threat labs research into them on the new Decoded tech blog. 

DNS hijacking leading to phishing attacks

A router CSRF attack is typically initiated when the user visits a compromised website with malicious advertising (malvertising), which is served using third-party ad networks to the site. Avast frequently observes malvertising infections on local Brazilian websites that host adult content, illegal movies or sports content. Just by visiting a compromised site, the victim is redirected to a malicious page where their router is automatically attacked without user interaction. Malware then guesses routers’ passwords, which new research from Avast shows are often weak. In some cases the router is reconfigured to use rogue DNS servers, which redirect victims to phishing pages that closely look like real online banking sites. Most recently, Netflix became a popular domain for DNS hijackers.

Avast data shows that websites belonging to the following organizations active in Brazil are hijacked most often:

• Santander (24%)
• Bradesco (19%)
• Banco do Brasil (13%)
• Itau BBA (13%)
• Netflix (11%)
• Caixa (10%)
• Serasa Experian (10%)

“The affected institutions are targeted as they are popular in their countries, and the problem is that there is little they can do to avoid falling victim, apart from alerting their customers, as the phishing sites are outside their domains,” said David Jursa, a threat intelligence analyst at Avast. 

Malicious ads and cryptomining attacks

Aside from phishing, cybercriminals use DNS hijacking to replace legitimate ads with malicious ads. For example, cybercriminals can hijack ad platforms, such as Outbrain, which can be integrated into websites to serve ads to website visitors. If the ad platform’s server address is hijacked on the users’ router, the user will see malicious ads, for example, to trick them into downloading more malware or to direct them to unsolicited websites with illegal content.

Avast threat researchers have also seen cybercriminals use DNS hijacking to push malicious cryptomining scripts to users’ browsers, so users’ machines will be abused to mine crypto coins, which can lead to high energy bills and a shortened life cycle of devices.

Staying protected

Jursa urged consumers to scrutinize web pages and protect their home networks. “Users should be careful when visiting their bank’s or Netflix’s website, and make sure the page has a valid certificate, by checking for the padlock in the browser URL bar. Additionally, users should frequently update their router’s firmware to the latest version, and set up their router’s login credentials with a strong password.” 

Find out whether your router is infected by using the Avast Wi-Fi Inspector feature, which is part of Avast Free Antivirus and all of Avast’s paid consumer antivirus versions, which also includes Avast Web Shield, a core shield that protects users from CSRF attacks.