
Summary:

When I visit my bank's website, I get forwarded to a phishing mirror site.

  • This has persisted through a re-format of my MacBook.
  • Even on different browsers!
  • Other computers on the same network do not have this problem, so I don't think it's the router.
  • Visiting my bank site through a VPN works fine so it doesn't seem like a virus either.

What could be going on here?


Full Story:

A few weeks ago my bank account was hacked. I had typed in the URL to my bank's website and was forwarded to a mirror site without noticing, where I stupidly put in my account details. This was using Chrome on a MacBook Pro. I went to the bank to lodge a fraud claim and they said it must be my computer because nobody else has reported this problem.

I formatted my laptop by following these instructions: http://smallbusiness.chron.com/reformat-macbook-53599.html

I went back to the bank's website and was still forwarded to the mirror site! (Now that I'm looking for it, I can tell because the URL is slightly different and not https.) So I tried on different browsers, because I remembered that in the past this bank used digital certificates, so maybe there is one saved in my Chrome settings somewhere that has been compromised. (I tried anonymous browsing, plus Safari, and even downloaded and tried Epic browser) and still I get forwarded to the false site!

On my brother-in-law's laptop on the same router/LAN, it goes to the proper bank website with no forwarding.

But if I visit the website through a VPN, it doesn't forward me to the false site! What the heck?? Is there a virus on my computer? Surely if it was local, the VPN would make no difference? But if it was at the bank's end, then it wouldn't be happening to just me! I'm confused and worried about my online security now. Can anybody shed any light on what might be going on here?


UPDATE:

First thing I did was ping the bank's URL from ping.eu and it returned an address that starts 186... When I copy this IP into my URL bar, it says "the site can't be reached. [IP Address] took too long to respond"

Then I pinged the same URL from "Network Utility" on my MacBook, and it returned a different IP address! When I copied this one into my URL bar, I got a Chrome page saying "Security error! Deceptive site ahead".

My DNS server is listed as 192.168.0.1 - totally normal, right? So it's the router? But my B-I-L's laptop doesn't have the issue? What does this mean?? And what should I do??


Another update:

After the help you guys gave me on router and DNS problems I googled "how to detect mitm attack". I checked the DNS settings on the router, and it has the "use these DNS servers" box ticked, with two random IP addresses filled in. I unticked the box, went to my bank's website and voila! No phishing site.

So they hacked my router? I didn't even know that was possible, but now that I think about it, it is remotely accessible on the LAN and the username/password is the manufacturer default. Will a hard reset of the router and then changing the username/password be sufficient now?

Another question is, how did they gain access to my router in the first place? Should my BIL also format his laptop in case it was a virus?

Tom
    Since your question is kinda long and hard to skim, I added a summary at the top. Feel free to [edit](https://security.stackexchange.com/posts/119672/edit) if I didn't capture the question quite right. – Mike Ounsworth Apr 06 '16 at 16:39
  • 1
    Did you restore any data from backup or is this a complete reinstall of the OS with all data fresh and nothing from backup? Are there any synchronizations done with other systems (like synchronize browser extensions etc)? – Steffen Ullrich Apr 06 '16 at 16:46
  • If you don't get to the bottom of why Chrome redirected you to the site, who knows if it could come right back. Just for thoroughness, did you try resetting everything on your router? Also, did you inspect your network settings and/or fetch known good ones when you reset everything on your laptop? One possible explanation as to why using a VPN stops it is a DNS attack, which would be mitigated if you used a VPN that overrode your local DNS settings. – Jeff Meden Apr 06 '16 at 16:56
  • Sorry for junking up your comments but I don't want to give you false hope by calling this an answer: one other explanation is that both your BIL's laptop and your vpn use external DNS, and your laptop in default uses the router's dns, again pointing to a router issue. – Jeff Meden Apr 06 '16 at 17:03
  • 1
    Are you connecting to your network via wireless or wired? If it's wireless, make sure there's no duplicate of your network broadcasting. – WorseDoughnut Apr 06 '16 at 17:05
  • Define forwarding- is it a URL redirect or DNS spoofing? – multithr3at3d Apr 06 '16 at 17:08
  • Also, it goes without saying: since you entered your credentials into the phishing site, you should make sure to get in contact with your bank about disallowing any transactions until you are certain your credentials have been changed significantly. – WorseDoughnut Apr 06 '16 at 17:11
  • @Tom, can you open your modem configuration page and check which DNS IPs are set? –  Apr 06 '16 at 17:50
  • According to the latest update, yes, your modem has been hacked. If you used the default user and password (e.g. admin/admin) it was very easy to log in to the configuration page and change your DNS to fake ones. You just need to change the default user and password, but if you want to be more secure, reset your modem to the default configuration and change them. –  Apr 07 '16 at 09:11
  • @Tom I would go with Cricco95's suggestion, but this is a best practice for routers. Always change the default login by changing the password, and it doesn't hurt to change the username if possible (not needed). This is also why you lock down your wifi with a password, because you want to prevent people from accessing your router and/or network. If you changed the admin login, then it's possible they used a vulnerability in the router. The only way to fix the vulnerability is to update the router's firmware, so check the manufacturer's website for that. – dakre18 Apr 07 '16 at 15:21

4 Answers


One common attack method consistent with your symptoms is DNS hijacking, which is any means an attacker uses to convince your computer that your bank's web site, "www.mybank.com", is actually at an IP which is a server under their control instead of the IP under your bank's control. When you type this into any browser, it heads for the malicious server, which then shows you a page much like your bank's own page, expecting you to log in without knowing the difference.

A compromised router could cause your DNS requests to all flow through it and therefore be replaced by malicious IPs when they are returned, while using a VPN would bypass it and show you the correct site. Also, another device on your network might not use the local router as its DNS server which could also cause it to not fall for the same router based attack.

To tell if it's a DNS issue, from the affected computer try to ping the basic hostname (first part of the URL) for your bank and see what IP comes back. Then check that IP's ownership on a site like arin.net; if it's not owned by your bank or by a reputable CDN provider, boom, you know you have a DNS hijack going on.

You can also test it by pasting the found IP into your browser bar and see what happens, but since your browser might show you a page that looks just like your bank's site, it is not conclusive unless you thoroughly look through the TLS certificate info to ensure it really is your bank. Another possible outcome is it will flag the new site as malicious (if it tries something like showing you a TLS encrypted page with an invalid certificate) but that is also not guaranteed to happen.

Edit: more about router compromises

The attacker has a few possible ways to coerce your router into doing something you don't want: they can simply log in remotely, which is especially easy if the router is exposed to the internet (many are) and the credentials are the default (many are). Both of these should be avoided at all times. Some routers have had firmware exploits that allow an attacker to bypass the password; updated firmware should be sought and applied on a frequent basis. Browser based exploits are also possible: a piece of malware in a site, an ad, etc. will go after the default IP/credentials of your router, bypassing external access restrictions by using your own computer to do it, and then script a change like setting DNS servers to malicious ones.

Another simple mitigation to primitive router settings hijacking efforts like this is to simply set your computer up to use a specific DNS host, like the venerable 8.8.8.8 (Google's highly available anycast-based DNS server network). This is still possible to hijack if your router is 100% compromised and all port 53 UDP traffic is redirected, but simpler attacks like changing settings cannot do this, so it would be effectively blocked.

Jeff Meden
  • That would require the landing page or bookmark to be non-ssl to avoid certificate errors which the OP has not mentioned. Surely the bank doesn't do that? – symcbean Apr 06 '16 at 22:51
  • @symcbean since he apparently didn't notice the first issue before it was too late, I wasn't going to suggest it would be trivial to tell it's happening a second time. True, if the scam site tries to use the same URL/hostname there will be a cert error, but it doesn't have to: it can redirect to a URL that's totally different. It's a "Kansas City shuffle". They use a cert with their hostname, which the browser likes (the bar is still green), and then bake the bank's hostname into the URL somewhere; when the user glances at it they think it's legit, but it's not. – Jeff Meden Apr 07 '16 at 13:01
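The check Jeff describes (compare what the router's DNS path returns against what a trusted resolver returns) as an added example, not code from the answer: it sends a raw A query straight to 8.8.8.8 over UDP/53 so the router's configured DNS servers are bypassed, and compares that with the system resolver. `bank.example` in the test is a constructed placeholder hostname.

```python
import socket
import struct

TRUSTED_RESOLVER = "8.8.8.8"  # the public resolver named in the answer above

def build_a_query(hostname, txid=0x1234):
    """Build a minimal DNS query for an A record (recursion desired)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in hostname.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(data, txid):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("not a clean response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(data[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

def resolve_via(hostname, resolver=TRUSTED_RESOLVER, timeout=3.0):
    """Ask one resolver directly over UDP/53, bypassing the DNS servers the router handed out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(hostname), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, 0x1234)

def compare_answers(system_addrs, trusted_addrs):
    """True when the router's DNS path returns only addresses the trusted resolver never gives."""
    return system_addrs.isdisjoint(trusted_addrs)

if __name__ == "__main__":
    host = "www.mybank.com"  # replace with the real hostname; placeholder from the answer
    system = set(socket.gethostbyname_ex(host)[2])  # the path the router controls
    print("disjoint answers:", compare_answers(system, resolve_via(host)))
```

A CDN can legitimately hand different addresses to different resolvers, so a disjoint result is the cue to check the IP's ownership (as the answer says) rather than proof on its own.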
Seems to be a man-in-the-middle attack with DNS spoofing. I suggest performing a ping from an online service like this and checking the IP address of the site. Then type it into your browser URL bar and check if you get redirected to the false website.

  • 1
    You're better off pinging from your own machine to see if there are additional hops on your LAN, i.e. a MitM. – multithr3at3d Apr 06 '16 at 17:08
  • To tell if it's a DNS issue, from the affected computer try to ping the basic hostname (first part of the URL) for your bank and see what IP comes back. Then check that IP's ownership on a site like https://www.arin.net/; if it's not owned by your bank or by a reputable CDN provider, boom, you know you have a DNS MitM. – Jeff Meden Apr 06 '16 at 17:11
  • Yes, you can use Jeff's solution too. I'm pretty sure it is a DNS problem. Also you can check your ARP cache and see if the gateway IP is the real one (e.g. 192.168.1.1) or it is strange. If it's not the real one there is a MITM attack in progress. –  Apr 06 '16 at 17:15
  • @Cricco95 To expand on that, the ARP cache only holds IP/MAC relationships, so you would need to compare the MAC it shows for the gateway with the MAC on your router. Also it could be a purely DNS MitM via a compromise in the router, which wouldn't cause anything strange to show up in the ARP table. – Jeff Meden Apr 06 '16 at 17:39
  • He said that only his device is affected by this problem; if the modem is compromised then all devices connected to his gateway should be redirected to the fake website, shouldn't they? –  Apr 06 '16 at 17:46

So they hacked my router? I didn't even know that was possible, but now that I think about it, it is remotely accessible on the LAN and the username/password is the manufacturer default. Will a hard reset of the router and then changing the username/password be sufficient now?

  1. Download the newest firmware for your router to a computer. Scan for malware.
  2. Disconnect the router from all network devices except the computer containing the firmware update. If your router supports updating firmware from a USB device, this is even better (as you can disconnect all network devices).
  3. Reset router to factory defaults.
  4. Update the firmware and change the password for admin/root account (and change the account name as well, if possible).
  5. Input your network settings again and reconnect all network devices.

Another question is, how did they gain access to my router in the first place? Should my BIL also format his laptop in case it was a virus?

There are many possible attack vectors, but most likely is an external attacker that used a known vulnerability in the router's firmware. Patching the firmware should hopefully fix any such vulnerabilities. If this is the case, I also find it less likely that computer malware was responsible for this... but it's better to err on the safe side. You should do malware scans of all applicable network devices.

If the router has any setting indicating the possibility of logging in to or managing the router from an external address (WAN-side), this setting should always be disabled unless you have very specific needs for this and know how to protect against unauthorized access.

Vegard


This is a suggestion to try to narrow down where the issue may lie. In Chrome, I suggest opening an incognito window, then opening the developer tools. Switch to the Network tab. Type the correct URL into Chrome and hit enter. If the request in the Network tab has the wrong URL, then something on your computer is changing the URL (maybe a bad add-on that is being automatically installed on various browsers?). If you get a 302 back, then the problem is not on your machine. In that case something is returning a malicious response. This may help you focus your research effort.

md_1976