
This router hack is injecting ads and porn into random websites

A new strain of malware is using routers to inject ads and pornography into websites, according to a report from Ara Labs. Once a router is compromised, the malware will load third-party content onto almost any website visited by the user. The attack alternates between loading ads and directly loading content from pornographic websites like adultyum.info and adultcameras.info. In both cases, it functions as a basic adware attack, redirecting targets as a way of generating paid traffic for a client.

There's no indication of specific routers affected, but there's a wealth of previously reported router vulnerabilities that could be used to spread the attack. The group is also diligent about covering its tracks once a device has been compromised. "Due to the nature of this scheme, there is no technology that is going to detect this automatically," Ara said in a statement.

The attack works by targeting the DNS system, a kind of distributed phonebook that connects the domain names in URLs (like "http://www.theverge.com") to IP addresses (like "192.5.151.191"). Since DNS lookups typically pass through the router, the attackers used the hacked routers to reroute requests to their own bogus IP addresses. When the target tried to connect to Google Analytics, the hacked router sent the request to the attackers' server, which answered the request by injecting its own content onto the pages in question. Because Google Analytics is so widely used, the attack was able to inject ads into almost any site on the web, including The Huffington Post and The New York Times.

The following video shows the clean, ad-based version of the attack. (Ara Labs described the other as "too graphic to publish.")

Routers are less powerful and harder to patch than computers, so they're typically much more vulnerable. That's made them a common target for hackers, who use them to launch denial of service attacks or spoof banking sites to steal login credentials. This attack is notable for intercepting traffic broadly and directly, rather than trying to spoof a specific site or spread the infection to the computer itself. Because the compromise is specific to the router, it won't be detected by traditional antivirus tools, which may lead many victims to assume the ads are legitimate.