Home and Small-Office Routers Redirect Users to Phishing Websites That Exploit COVID-19

DNS Hijacking Attacks Exploit COVID-19 Fears

Many people in the 199 countries hit by the COVID-19 pandemic are staying at home and trying to make the most of a woeful situation. Whether they are working or doing something else, a large part of the day is likely spent online for most of them, which means that their home Wi-Fi routers are working overtime. Meanwhile, it would appear that hackers have set about teaching us how vulnerable these devices can be.

Hackers launch DNS hijacking attacks at home users

Security researchers from Bitdefender recently noticed an uptick in the number of attacks against home Wi-Fi routers. Most of the victims are situated in the US, Germany, France, and the Netherlands, and they primarily seem to use gear manufactured by Linksys. It's not completely clear how the hackers compromise the routers, but evidence suggests that they are brute-forcing their way in either through the devices' remote management system or through the victim's Linksys cloud accounts. The goal is to perform a DNS hijacking attack, which ultimately allows them to trick the user into installing malware on their computer.

DNS hijacking has plenty in common with the traditional phishing scam. The user lands on a page that is designed to look like a legitimate service but is actually controlled by the hackers. Once they're there, victims are either tricked into giving away their login credentials or are forced into installing malware. The main difference between phishing and DNS hijacking is that during the latter, the user has no visual indication of what's going on.

DNS is the system that maps the domain name you type into your address bar to the IP address of the server hosting the content you want to view. By changing the router's DNS settings, hackers can redirect you to pages they control when you try to visit popular online services, and because the domain name itself is untouched, you will still see the correct address in your address bar. This means that it's almost impossible to realize that you are being targeted by a DNS hijacking attack.
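The following check is an added illustration, not code from Bitdefender or from this article. It shows the two client-side indicators a defender can look for after a router's DNS settings have been tampered with: resolvers pushed over DHCP that are not on an allow-list, and names whose answers from the local resolver disagree with a trusted resolver's. All addresses and answers are constructed samples (TEST-NET ranges), and the expected-resolver list is an assumption for the example.

```python
import ipaddress
import re

# Assumption for the example: resolvers this home network is expected to hand out via DHCP.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}


def parse_resolv_conf(text):
    """Return the nameserver entries from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Resolvers not on the allow-list; a hijacked router pushes attacker-controlled ones.
    Entries that are not valid IP addresses are reported as well."""
    flagged = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)
            continue
        if str(ip) not in expected:
            flagged.append(str(ip))
    return flagged


def rewritten_names(local_answers, trusted_answers):
    """Names whose A records from the local resolver share nothing with a trusted resolver's.
    A hijack rewrites popular names to the phishing host, so the answer sets stop overlapping."""
    mismatched = []
    for name, local in local_answers.items():
        trusted = trusted_answers.get(name, set())
        if trusted and not (set(local) & set(trusted)):
            mismatched.append(name)
    return sorted(mismatched)


# Constructed sample: what a client on a hijacked router might receive over DHCP.
SAMPLE_RESOLV_CONF = "# constructed sample\nnameserver 203.0.113.10\nnameserver 198.51.100.7\n"
# Constructed answers: two unrelated names both resolve to one host via the local resolver.
LOCAL_ANSWERS = {"example.com": ["203.0.113.55"], "example.org": ["203.0.113.55"],
                 "example.net": ["198.51.100.20"]}
TRUSTED_ANSWERS = {"example.com": {"198.51.100.21"}, "example.org": {"198.51.100.22"},
                   "example.net": {"198.51.100.20"}}

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)))
    print("rewritten names:", rewritten_names(LOCAL_ANSWERS, TRUSTED_ANSWERS))
```

On a real machine the resolv.conf text comes from the host's resolver configuration and the two answer sets from querying the local resolver and a trusted one for the same names.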

With the current campaign, the crooks are distributing a relatively new strain of information-stealing malware called Oski, and to ensure that their victims double-click on the malicious executable, they are also exploiting people's fear around the coronavirus pandemic.

Where does COVID-19 come in?

Bitdefender's researchers published a list containing some of the domains that are affected by the current campaign, and in it, we can see a few URL shortening services, Reddit's official blog, the websites of Disney, the University of Washington, and the University of Florida, as well as a seemingly random collection of online portals that promote anything from software products to adult videos. Instead of trying to mimic the appearance of the legitimate services, however, the crooks have taken a different approach.

Victims of the current DNS hijacking campaign see a fake message from the World Health Organization. Source: Bitdefender

Victims are greeted with a message that purportedly comes from the World Health Organization. It urges them to download an app that provides "the latest information and instructions" surrounding the current coronavirus pandemic. There is a Download button, and if users hover over it, they might be fooled into thinking that they'll land on Google Chrome's official website, which, while confusing, is unlikely to set off any immediate alarm bells. After carefully analyzing the code, however, the researchers found that an "on-click" event redirects the victim to a malicious executable hosted in a Bitbucket repository, so the address shown on hover is not where the click actually leads.

According to Bitdefender, at least three repositories were used during the campaign. Two of them were closed before the researchers managed to examine the telemetry, but the third one was still open, and it revealed that at the time, just under 1,200 users had downloaded the Oski information stealer. Those of them who ran the file and infected their computers inadvertently put at risk the passwords stored in their browsers as well as their cryptocurrency wallets.

The really unfortunate thing is that although this is a relatively sophisticated attack that is next to impossible for the average user to detect, protecting yourself against this particular DNS hijacking campaign is extremely easy. The only thing you need to ensure is that remote access to your router relies on a unique, complex password that is practically impossible to brute-force, and if you don't need remote management at all, turn it off.

March 27, 2020