How millions of DSL modems were hacked in Brazil, to pay for Rio prostitutes

How millions of DSL modems were hacked in Brazil, to pay for Rio prostitutes

So, you think you’re doing a pretty good job in terms of computer security on your home PC? You’ve kept your computer fully patched against the latest vulnerabilities? You’ve ensured that your PC is running the latest-and-greatest anti-virus updates?

Good for you.

Now, how about your router?

My suspicion is that the typical computer user doesn’t give a second thought about whether their router could be harbouring a security threat, imagining that the devices don’t need to be treated with suspicion.

But if you think that, you’re quite wrong.

Fabio AssoliniFabio Assolini, a researcher for Kaspersky Labs, gave a fascinating presentation at the Virus Bulletin conference in Dallas last week, describing how more than 4.5 million home DSL routers in Brazil were found to have been silently hacked by cybercriminals last year.

Assolini described in his presentation, entitled “The tale of 1001 ADSL modems: Network devices in the sights of cybercriminals”, how at some Brazilian ISPs, more than 50% of users were reported to have been affected by the attack.

Here’s how the attack came about.

You’re on Google’s website, but you’re not on Google’s website

The first thing users may have noticed is that they would visit legitimate websites such as Google, Facebook and Orkut (a Google social network which is particularly popular in Brazil) and would be prompted to install software.

In the example below, visitors to Google.com.br were invited to install a program called “Google Defence” in order to access the “new Google”.

Malicious Google redirection

Note – google.com.br is the correct web address for the Brazilian edition of Google, and Google’s Brazilian website had not been compromised or hacked to make available a malicious download.

And yet, “Google Defence Para” had nothing whatsoever to do with Google, and was being distributed without the search engine giant’s blessing.

How was this possible?

Exploited routers using malicious DNS servers

The answer is that the user’s ADSL modem had been compromised, and the hackers had changed the router’s configuration to point to a malicious DNS (domain name server). This meant that when the user entered the web address of a legitimate website (like google.com.br or facebook.com) they could be taken to a dangerous website instead, posing as the real thing.

Cybercriminals had managed to access vulnerable modems remotely via the net.

Vulnerable modem's admin panel, accessed remotely

Now, normally if you access a router via the internet you will be asked for a username and password – and so long as the user has chosen hard to guess login credentials (and not gone with manufacturer’s defaults) all should be well.

Unfortunately, in this case, the hackers were able to exploit a vulnerability in the Broadcom chip included in some routers. Assolini explained that “the flaw allows a Cross Site Request Forgery (CSRF) to be performed in the administration panel of the ADSL modem, capturing the password set on the device and allowing the attacker to make changes, usually in the DNS servers.”

Router exploit

In short, the exploit allowed malicious hackers to break into millions of routers remotely, without having to know the passwords being used to protect them.

And once there, the hackers were able to change the ADSL modem’s DNS settings – pointing them to one of 40 malicious DNS servers around the world.

DNS settings

The end result is that many Brazilian users downloaded code, mistakenly believing they were from websites they trusted, including:

  • br.msn.com/ChromeSetup.exe
  • facebook.com.br/ChromeSetup.exe
  • facebook.com/ChromeSetup.exe
  • facebook.com.br/Activex_Components.exe
  • and many more..

In some cases, the attackers didn’t even have to use such social engineering to trick users into installing the software – exploiting Java vulnerabilities to plant malicious code onto victims’s computers as what should have been trustworthy websites were visited.

Ironically, if users contacted their anti-virus vendor’s tech support line and asked them about the safety of files like facebook.com/ChromeSetup.exe, chances are that the support technician would not be able to locate the file themselves because their own computers were not running through malicious DNS servers.

And, of course, affected users would often be adamant that they had done nothing wrong – certain that their computers were fully updated with patches and anti-virus. But, of course, that didn’t stop the remote attack on their router.

Router. Image from Shutterstock

Furthermore, the problem was not just limited to home users. According to Assolini, routers designed for the SOHO market are more commonly encountered than you might imagine on corporate networks, not just in Brazil but worldwide.

Sign up to our free newsletter.
Security news, advice, and tips.

Eventually it was discovered that the common denominator between affected computers was that they were all using routers made by one of six different hardware manufacturers.

Fixing the problem, however, was not so easy. The automated remote hacks of millions of ADSL modems had not just changed the devices’ DNS settings – they had also changed the password to access the device to phrases like “dn5ch4ng3” and “cg4ng3dn5”, meaning that users could no longer get in via their admin panels. If only they had known the exploit too..

Hackers reap rewards, and spend it on Rio prostitutes

Rio. Image from ShutterstockThe motivation for the attack, which impacted millions of Brazilian users, was – of course – money.

Malware installed onto victims’ computers could steal files and keypresses, trick users into entering sensitive information on convincing phishing pages, spy upon passwords and banking information, and provide a flood of data for the hackers to exploit.

Interestingly, in his presentation, Assolini presented an IRC chat between some of the hackers involved in the DNS caper.

IRC chat

One of them described how another hacker earned more than 100,000 Reais (approximately $50,000) and would spend his ill-gotten gains on trips to Rio de Janeiro in the company of prostitutes.

Reasons why routers can be exposed to security threats

So, why is it that routers are seemingly so vulnerable? It turns out there are a few possible explanations.

Poor patching. Despite exploits against a wide range of network devices, modems and routers being publicly available on the internet – some manufacturers have chosen to largely ignore the problem.

That means that even if you want to patch your DSL router against a known security vulnerability, a fix may not be available for you.

Default passwords. In some cases, a vulnerability may not even be needed. For instance, if a device uses a known default password, a malicious hacker does not have to go to any effort to bypass the device’s authentication.

Website providing default router passwords

Lack of user awareness. Users of network devices may not be aware that it is necessary to keep them up-to-date with security patches, or that patches are available.

Non-standard update model. The method by which devices are updated can vary from manufacturer to manufacturer, making it more complex for the user.

“Massive attacks are real and here to stay”

Fabio Assolini says that there are number of groups who could carry a proportion of the blame, aside from the hackers themselves.

According to Assolini, security researchers need to be more proactive in reporting flaws related to routers, ADSL modems and other network devices to prevent them from being exploited by malicious hackers. And, of course, the manufacturers have to be responsive.

ISPs are guilty too, says the Kaspersky analyst. He says that it is common for Brazilian ISPs to lend their customers old and vulnerable network devices, and that this is probably happening in other parts of the world too.

And, says the security researcher, governments may not be doing enough. Assolini claims that ANATEL, Brazil’s national agency for telecommunications, approves internet hardware before it can be sold, but it does not verify the security of devices – only standard functionality.

Many thanks to Fabio for a great and thought-provoking presentation. You can read his full paper here.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.