Thursday, January 21, 2016

Attacks via Internet Dating sites

I can't really say I'm surprised at this:
At least five dating websites may be involved in an attack scenario that is spreading a worm to site visitors, infecting their home router and adding it to a botnet.
The worm is a variant of TheMoon, which was first discovered in February 2014, and works by taking advantage of weaknesses in the HNAP (Home Network Administration Protocol) protocol.
Attackers are using one-night stand dating sites to spread the worm. On each malicious website, the infection occurs via a two-step phase launched via a malicious iframe embedded on the page.
The iframe works by making different URL calls to see if the router runs the HNAP protocol and if it uses the 192.168.0.1 and 192.168.1.1 for router management and as gateway IPs.
It then calls home, informing its creators of its findings. Here is where the second attack stage happens, and where a second URL is loaded in the iframe, which delivers the actual worm, a Linux ELF binary.
What's interesting here is that the target isn't the computer, it's the home router.  Needless to say, it's a Bad Day when someone owns your home router.

It seems that the web sites were stood up using a stolen identity, so there are multiple layers of security fail involved.  If Online Dating is your bag, Baby, it's probably best to stick to a name brand site.  Err, not Ashley Madison, though.
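
The probing step in the quoted report (a public page making requests to 192.168.0.1 and 192.168.1.1) is something a defender can look for in web request logs. The following is an added example, not code from the post or the report it quotes: the log format, the sample lines and the function names are constructed for illustration, and /HNAP1/ is HNAP's standard endpoint path rather than something stated on this page. It assumes the logs come from a vantage point that sees requests to LAN addresses along with their Referer.

```python
import ipaddress
from urllib.parse import urlsplit

# The two gateway addresses named in the quoted report.
GATEWAYS = {"192.168.0.1", "192.168.1.1"}

# Constructed sample log, one request per line: time client method url referer
SAMPLE_LOG = [
    "2016-01-21T10:00:01 10.0.0.23 GET http://192.168.0.1/HNAP1/ http://dating.example/profile",
    "2016-01-21T10:00:02 10.0.0.23 GET http://192.168.1.1/HNAP1/ http://dating.example/profile",
    "2016-01-21T10:05:00 10.0.0.23 GET http://192.168.1.1/index.html -",
    "2016-01-21T10:06:00 10.0.0.40 GET http://news.example/story http://search.example/",
]

def is_private_host(host):
    """True if host is an IP literal in private or loopback address space."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a DNS name, not an IP literal; treated as public here

def find_gateway_probes(lines):
    """Return requests to a private address that were triggered by a public page."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, client, _method, url, referer = parts
        target = urlsplit(url)
        origin = urlsplit(referer).hostname if referer != "-" else None
        if not target.hostname or not is_private_host(target.hostname):
            continue  # ordinary Internet request
        if origin is None or is_private_host(origin):
            continue  # typed URL or LAN-to-LAN navigation: expected traffic
        hits.append({
            "time": ts,
            "client": client,
            "target": target.hostname,
            "origin": origin,
            "known_gateway": target.hostname in GATEWAYS,
            "hnap": target.path.upper().startswith("/HNAP1"),
        })
    return hits

if __name__ == "__main__":
    for hit in find_gateway_probes(SAMPLE_LOG):
        print(hit)
```
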

3 comments:

bluesun said...

Well, my fiancee and I met the old fashioned way, with nagging mothers.

Borepatch said...

bluesun, LOL

TOTWTYTR said...

So, is this a sexually transmitted disease?