141

I went online on my Macbook today and noticed my iTunes complaining that it couldn't connect to Apple, I tried logging out and in of my account but weirdly it said it couldn't log in; I didn't think much of it at first as I thought maybe it was iTunes just being more buggy than usual.

However then I noticed something really weird, when I tried to visit www.apple.com my browser warned me (Google Chrome) saying this website was not secure. This started ringing alarm bells in my mind, I clicked "Continue Anyway" and was greeted with this page:

Apple Phishing

Being (somewhat of) a web designer/developer I pay attention to the little details on a website and I knew instantly this was not what the Apple homepage looks like, and they certainly didn't prompt you to login on their homepage. I dug in a little deeper to the source code for the page and could see that the source code was way too simplified for a large corporation; the only piece of JS was to verify that the email address was in the right format.

I began to suspect maybe my Mac machine had been infected, so I switched to my iPhone (on the same WiFi network), tried www.apple.com, and got shown the exact same page. To me this sounded like something to do with DNS as the chances that both my devices were infected were very unlikely. I then turned to my router to have a look at its settings.

Lo and behold, when digging into the DNS settings I could see that the settings looked a little odd. I had initially set my DNS settings to use Google's servers, although this was set many years ago I knew the were something along the lines of 8.8.*.*.

In my settings however I found the following IP's:

Primary: 185.183.96.174
Secondary: 8.8.8.8

I knew straight away that the DNS had been changed, the primary address should have been 8.8.4.4. No one has access to my router administration page aside from me on the network, and I have disabled access to the router outside of the local network I can see outside access was enabled, on initial setup this was definitely switched off.

My question is: "How could the DNS have been changed/What can I do to prevent this from happening again?

I try to keep my router firmware up to date (although I was maybe 1 release behind at the time of this post).

More about the phishing site:

Before I changed the Primary DNS setting back and I wanted to find out more about this phishing site, so I ran ping apple.com to find the IP address was 185.82.200.152.

When I entered this into a browser I could see that the person had created a number of sites to try and capture logins. I suspect they're based in the US; I don't believe Walmart operates outside of the states (at least not in the UK). I have reported the IP to the Dubai based web host and am waiting for a response.

Edit (Router details): Asus AC87U, FW Version 3.0.0.4.380.7743 (1 release behind)
I did not have the default passwords set.

Second update:
Host has suspended the account.

phishing server directories

Monty Harder
  • 476
  • 3
  • 6
Imran
  • 1,015
  • 2
  • 8
  • 9
  • 53
    This is not DNS spoofing or browser hijacking. The DNS entry in your router was changed. This is as straight up as it can be. The only question is how the DNS entry got changed. – schroeder Mar 11 '18 at 23:49
  • 5
    Do you have the default admin password set on your router? – schroeder Mar 11 '18 at 23:50
  • 1
    I have updated my post, it looks like the outside WAN connections was turned on. I changed the default username and password for the router. – Imran Mar 11 '18 at 23:55
  • What kind of router do you use, what's the firmware version? Did you check DNS settings inside your router? – Mirsad Mar 12 '18 at 00:02
  • @Mirsad I have an Asus AC87U, FW Version 3.0.0.4.380.7743 (1 release behind). The DNS settings I'm referring to above were the settings founf in my router. – Imran Mar 12 '18 at 00:07
  • 1
    You should also try to find out details about 185.82.200.152. That will provide more insight the person who changed these details. Though you might not get more details. – tech_enthusiast Mar 12 '18 at 00:21
  • re "the outside WAN connections was turned on [but i had changed the default password]": for any public facing ssh server... the default advice is to turn off password login... and only allow strong 4096+ bit private/public key. so maybe your new password was not strong enough and got cracked from repeated dictionary/brute-force attempts. – Trevor Boyd Smith Mar 12 '18 at 18:22
  • 4
    Just noting: In such case, you should not press Continue Anyway, unless you have an isolated profile (e.g., using private mode or separate user account). Proceeding can allow attacker to steal your cookies and poison your cache. If you haven't isolated it, I suggest deleting your browser cache and considering cookies on the site stolen. – v6ak Mar 12 '18 at 18:39
  • @TrevorBoydSmith SSH access on the router is off, for both WAN and LAN. – Imran Mar 13 '18 at 17:22
  • 2
    Notice the screen shot apple would never say copyright 2014 – JonH Mar 13 '18 at 22:37
  • 1
    As an aside: Walmart is Asda in the UK (yes, they're both the same company). – AStopher Mar 14 '18 at 00:06
  • *Third update*: have you changed your Apple ID password **ASAP**? – usr-local-ΕΨΗΕΛΩΝ Mar 14 '18 at 13:51
  • @cybermonkey and also Walmart in Germany (and other countries too) – Baldrickk Mar 15 '18 at 16:09

3 Answers3

126

Yes, your router's primary DNS entry was pointed to a rogue DNS server to make devices in your network resolve apple.com and other domains to phishing sites instead. The router possibly got compromised through an unpatched vulnerability in its firmware.

I have an Asus AC87U, FW Version 3.0.0.4.380.7743 (1 release behind).

Your release is over half a year old. The latest release 3.0.0.4.382.50010 (2018-01-25) comes with lots of security fixes, including RCE vulnerabilities which may have been exploited here.

Security fixed

  • Fixed KRACK vulnerability
  • Fixed CVE-2017-14491: DNS - 2 byte heap based overflow
  • Fixed CVE-2017-14492: DHCP - heap based overflow
  • Fixed CVE-2017-14493: DHCP - stack based overflow
  • Fixed CVE-2017-14494: DHCP - info leak
  • Fixed CVE-2017-14495: DNS - OOM DoS
  • Fixed CVE-2017-14496: DNS - DoS Integer underflow -Fixed CVE-2017-13704 : Bug collision
  • Fixed predictable session tokens(CVE-2017-15654), logged user IP validation(CVE-2017-15653), Logged-in information disclosure (special thanks for Blazej Adamczyk contribution)
  • Fixed web GUI authorization vulnerabilities.
  • Fixed AiCloud XSS vulnerabilities
  • Fixed XSS vulnerability. Thanks for Joaquim's contribution.
  • Fixed LAN RCE vulnerability. An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
  • Fixed remote code execution vulnerability. Thanks to David Maciejak of Fortinet's FortiGuard Labs
  • Fixed Smart Sync Stored XSS vulnerabilities. Thanks fo Guy Arazi's contribution. -Fixed CVE-2018-5721 Stack-based buffer overflow.

(Source)

Although Asus doesn't publish bug details, attackers may have independently discovered some of the vulnerabilities patched in that release. Diffing firmware releases to reverse-engineer what parts were patched is usually quite straightforward, even without access to the original source. (This is routinely done with Microsoft security updates.) Such "1-day exploits" are comparatively cheap to develop.

Also, this looks like it's part of a more wide-spread recent attack. This tweet from three days ago seems to describe an incident very similar to what you experienced:

My ASUS home router was apparently hacked and a rogue DNS server in Dubai added to the configuration. It redirected sites like http://apple.com to a phishing site that (I think) I caught before my children gave away their credentials. Check your routers kids.

(@harlanbarnes on Twitter, 2018-03-09)


[...] my browser warned me (Google Chrome) saying this website was not secure. [...] I began to suspect maybe my Mac machine had been infected [...]

The fact that you got certificate warnings makes it less likely that an attacker managed to get into your machine. Otherwise, they could have messed with your local certificate store or browser internals and wouldn't need to conduct a blatant DNS change.

No one has access to my router administration page aside from me on the network

Even if your router interface isn't visible from outside your network, it can be vulnerable to a range of attacks. As an example, take this Netgear router arbitrary code execution exploit from a while ago which had Netgear routers execute arbitrary commands sent as part of the URL.

The idea here is to trick you into visiting a prepared website that makes you conduct the attack yourself by issuing a specially crafted cross-origin request to the router interface. This could happen without you noticing and wouldn't require the interface to be remote accessible.

Ultimately, the given information doesn't reveal the exact attack path. But it's plausible that they leveraged vulnerabilities in your outdated firmware release. As an end user you should at least update your firmware as soon as possible, do factory resets if necessary, and keep your router interface password-protected even if it's only accessible from the intranet.

Arminius
  • 44,242
  • 14
  • 143
  • 138
  • 2
    Thank you for providing links, I can confirm this is the same attack as referenced in your twitter link (I have reported to the host). I think we won't really know for certain how they did it, but your suggestion that they may have reverse engineered the update is likely. – Imran Mar 12 '18 at 01:45
  • And _change your Apple password_ (as OP logged in to the dodgy site) – Lightness Races in Orbit Mar 13 '18 at 17:14
  • @LightnessRacesinOrbit never logged in on the website, only on the iTunes application. I have 2FA so I should be ok. – Imran Mar 13 '18 at 17:21
  • 2
    @Imran: You've literally given an attacker your username and password. There is no "should be ok" about it. Change your password. – Lightness Races in Orbit Mar 13 '18 at 17:22
  • @Imran Change that password everywhere you've used it. Even if - no, _especially_ if it's "your password" and you've had it for long enough to be fond of it. – wizzwizz4 Mar 13 '18 at 18:29
  • 3
    While I agree the PW should be changed to be on the safe side, it is not clear that Imran gave the attackers login credentials. They said they didn't enter the form on the site, just in iTunes. While I don't know how exactly that app performs authentication, it is likely that it uses https to connect to the iTunes servers. Since the login didn't work I guess the ssl handshake failed, this the request containing the credentials was never sent. I'm not a security expert, but I assume the handshake is performed before any data (like credentials) are transmitted, yes? But change it anyways! – Gero Mar 14 '18 at 08:25
21

It's obvious that someone changed DNS entries inside your router, probably using default credentials. You should go with factory reset, update your firmware, change default credentials and disable outside access to it.

And yes that DNS 185.183.96.174 is coming from hackers, still alive...

dig apple.com @185.183.96.174

This will return:

apple.com.      604800  IN  A   185.82.200.152

And all fake sites sits there hxxp://185.82.200.152/

Mirsad
  • 10,075
  • 8
  • 33
  • 54
6

One thing I would HIGHLY suggest in this case is trying to flash your router with something like DD-WRT (open source firmware). The DD-WRT forums list a beta build for your router. These builds are often far less susceptible to outside invasion like this, because they're built with best practices. Contrast with this long list of vulnerable ASUS routers (which list the problem you described).

40 models of the Asus RT line of home routers are affected by five vulnerabilities that allow an attacker to get ahold of the router password, change router settings without authentication, execute code, and exfiltrate router data.

On the upside, at least they were only after Apple credentials instead of eating up all your bandwidth

Another suggestion is to buy a router that can better patch itself. I bought an Amplifi a while back, and its touch screen notifies me when I have a firmware update (two taps and I'm patched).

Machavity
  • 3,808
  • 1
  • 14
  • 31