Router DNS attack injects ads when visiting websites with Google Analytics

Security researchers discovered a new type of router attack that injects ads on websites. In layman's terms, the attack works by hacking vulnerable routers to misdirect queries to poisoned DNS servers. Security firm Ara Labs notes the unique thing about this new attack is the use of Google Analytics as an attack vector.

When the router malware detects a query to Google's Analytics service, it spoofs the request by redirecting it to a rogue server instead of the legitimate Google server. Quite a lot of sites run Google Analytics so for attackers it's a very easy to approach to impact countless websites with minimal effort. When an infected router visits one of these sites, it will not pull the Google Analytics script but will instead serve ads or even porn.

The peculiar aspect of this attack is that it's hard to detect. Running a malware scan on your PC will detect nothing because there's nothing wrong on your computer. Few people know routers can be infected and even then it's probably the last place they'll look.

The malicious JavaScript has been detected injecting ads for various games as well as hardcore pornography. It’s a significant issue for multiple reasons — not only is it built off one of the most common analysis platforms around, it breaks style formatting at the “host” websites and injects ads and overlays that appear, to the end-user, to be officially sanctioned by the site in question. No amount of system reformatting or malware scans will find the error, since the problem is embedded in the router.

Source: at ExtremeTech