It’s difficult enough for traditional media such as newspapers to attract and keep readers, but the next time Política Estadão tries to boost its circulation, it may face uncomfortable questions about how it will protect its subscribers’ home routers from hackers.

According to a blog post from Fioravante Souza, a researcher with website security firm Sucuri, visitors to the Brazilian newspaper’s website were recently confronted with a series of iFrames that were loaded on the home page. These iFrames would then run a script that would attempt to identify users’ IP addresses, then guess the most common default passwords to change the configurations of their DSL home router.
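For site operators, one way to catch this kind of injection is to audit served pages for iFrames whose source addresses a visitor's local network or carries credentials in the URL. The following is an added example, not code from Sucuri's post or from the page it describes; it assumes the injected frames reach the router by a private LAN address, and the sample HTML and the names `classify` and `audit` are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: two benign frames, two that address the local network.
SAMPLE_HTML = """
<iframe src="https://ads.example.com/banner.html"></iframe>
<iframe src="http://user:example-password@192.168.0.1/example-path" width="0"></iframe>
<iframe src="http://10.0.0.1/example-path"></iframe>
<iframe src="/static/widget.html"></iframe>
"""

def classify(src):
    """Return the reasons an iframe source looks aimed at a visitor's own network."""
    try:
        parts = urlsplit(src)
        host = parts.hostname
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return ["unparseable-url"]
    if not host:                # relative URL: stays on the publishing site
        return []
    reasons = []
    try:
        addr = ipaddress.ip_address(host)
        # Assumption: injected frames reach the router by its LAN address.
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            reasons.append("local-address")
    except ValueError:
        pass                    # a hostname, not an IP literal
    if parts.username is not None or parts.password is not None:
        reasons.append("embedded-credentials")
    return reasons

class FrameAudit(HTMLParser):
    """Collect (src, reasons) for every suspicious iframe in a document."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src") or ""
            reasons = classify(src)
            if reasons:
                self.findings.append((src, reasons))

def audit(html):
    parser = FrameAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Running `audit` over rendered templates or crawled copies of the home page gives a quick signal that third-party or injected markup is pointing readers' browsers at their own network.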

Attacks on Home Routers Not Uncommon

This incident with Política Estadão is not the first of its kind. In fact, on Sept. 2, Fabio Assolini, senior security researcher for Kaspersky Labs, provided a detailed report on a similar series of attacks. In this case, hackers used emails that tricked consumers into clicking on a link that took them to websites resembling those of Brazilian banks. The sites ran scripts that attempted to change the Domain Name System (DNS) settings of home routers and access financial credentials. Assolini wrote that he expects this approach to spread quickly in Brazil as the number of victims increases.

An analysis of the Política Estadão attack on ThreatPost points out that iFrames are by no means a new form of attack vector and that home routers in particular are often targeted due to perceived weak security settings. For example, these devices may not be patched as often as similar equipment in the enterprise. What’s worse, the increasing number of devices that may be accessing the Internet to provide more advanced services in so-called “smart homes” might only serve to exacerbate the problem. The MIT Technology Review recently looked at the vulnerabilities around IP-connected TVs, printers and remote storage devices, among other possibilities.

Security Practices Vital

Fortunately, consumers don’t have to do much to avoid the most dire consequences of these attacks. While eWEEK showed research as far back as 2008 that home routers could be open to hackers, the potential fixes include developing passwords stronger than simply “admin,” disabling JavaScript and/or play options in browser settings and, of course, never clicking on suspicious links in emails or on websites. Script blockers such as NoScript and NotScripts may also be worth considering.

Who’s Worried About Home Network Security?

Given how much corporate work gets done at home, it may be time for chief security officers to ensure employees are well-educated on these types of security practices. Organizations such as Política Estadão could also take on a security-based mission as an act of public-service journalism. After all, people expect to get bad news in the newspaper sometimes, but no one wants to end up being part of this kind of story.

