Hijacked Routers Steering Users to Fake COVID-19 Sites
Cybercriminals are waging brute-force attacks that enable them to change DNS settings on home and small business routers and redirect victims to fake COVID-19 websites that push information-stealing (“infostealer”) malware, according to the security firm Bitdefender. These DNS hijacking attacks, which are mainly targeting users in the U.S., France, and Germany, come at a time when the COVID-19 pandemic is forcing more employees to telework, which means they’re relying on home routers to conduct business.
“With employees working from the comfort of their own home, attackers could use these attacks on home routers that are not properly secured to compromise work devices and gain access to sensitive data or phish employee credentials and use them to connect to the employer’s infrastructure,” Liviu Arsene, a senior cybersecurity analyst at Bitdefender, tells Information Security Media Group.
U.S. Sen. Mark Warner, D-Va., the vice-chair of the Senate Intelligence Committee, sent letters to Google and other tech firms asking them to ramp up the security of their devices as a way to counter some of the security concerns raised by the work-at-home movement. “Given the increased reliance on home networks for telehealth, distancing learning and telework, I also ask you to consider public outreach to alert your customers to steps they can take to better secure these products, including applying security updates,” Warner wrote.
WHAT HAPPENS WHEN YOUR ROUTER IS ATTACKED?
According to an Avast Blog post, an attacked router is one that has been compromised and had its DNS settings modified so that it serves attacker-controlled content. This is a serious situation. When attackers exploit router vulnerabilities, gain access to the device, and modify its DNS server settings, all of your Internet traffic can be forwarded to rogue servers. This is called a man-in-the-middle attack.
Instead of connecting to a legitimate site or service, when your router is hacked you’ll visit a rogue one. Your privacy will be violated, and your banking information could be captured by the man-in-the-middle mentioned above. Even HTTPS, the padlock we have all been instructed to look for as the sign of a secure site, won’t assure you’re protected: you’ll be proxied through malicious servers, and the encrypted connection is cut in the middle. This illustration shows what happens.

This could also happen if your router still uses a default, weak, or factory password, so the worst-case scenario is not that uncommon. See the latest news about webcams being hacked because their owners kept the default passwords. Vincent Steckler, CEO of Avast, told VentureBeat that consumers are notorious for not changing default passwords, just as I’m talking about here. Some 63 percent of wireless routers run with default passwords, says Steckler.
The problem goes further than just one user or one device. The malicious effects can spread to all users in the local network, regardless of the operating system used, says the Avast Blog.
HOW TO IDENTIFY THE THREAT:
In its new research report, Bitdefender says that about 1,200 users have fallen victim to this DNS hijacking scheme since March 18.
Attackers appear to be using brute-force methods to guess combinations of names and passwords for these routers so they can change the settings, according to Bitdefender. Once the settings are changed, the traffic from the hijacked router is steered through the attackers’ own server, giving them the ability to manipulate what websites the victim can access, according to the report.
The Bitdefender researchers note that the IP addresses of these malicious DNS servers are 109.234.35.230 and 94.103.82.249.
Additionally, Bitdefender’s research finds that victims whose router settings have been changed are pointed to the fake COVID-19 information site if they attempt to access one of these domains: aws.amazon.com, goo.gl, bit.ly, washington.edu, imageshack.us, ufl.edu, disney.com, cox.net, xhamster.com, pubads.g.doubleclick.net, tidd.ly, redditblog.com, fiddler2.com, and winimage.com. If the user clicks on the COVID-19 application offered by the spoofed WHO page, they are directed to a Bitbucket page. This downloads the malware onto their device, which then starts sending stolen data back to a command-and-control server, according to the report.
HOW TO PROTECT AGAINST THIS THREAT:
According to the Avast Blog…
By default, your router uses DNS servers automatically acquired from your Internet provider. All the devices on your network — PCs, smartphones, tablets, game consoles, and anything else connected to it — get their DNS server from the router. Changing the DNS server on your router therefore changes it for every other device on your network.
There are several good articles on the Internet about changing your DNS. Here’s one from howtogeek.com.
You also need to pay attention to your browser address bar. The HTTPS indicator should be there all the time; if it comes and goes, you may already have been compromised. In that case, or if you notice any other strange symptom: disable your Internet connection immediately and change the router username and password to unique ones (consult the router manual for instructions).
But be warned: neither of these steps will be enough on its own, because if the router is vulnerable it will take the attacker no time to change the settings back. Updating the router firmware, or even replacing the router entirely – as described in a previous Avast article – will be necessary.
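The two sections above suggest a concrete check a defender can script: compare the resolvers your devices actually receive against the DNS servers Bitdefender reported (and against the resolvers you deliberately configured, since the article warns the attacker can change them back), and compare how the listed domains resolve through the router’s resolver versus a trusted public resolver. The script below is an added example written for this page; it is not code from the article, Bitdefender, or Avast. It assumes 1.1.1.1 as the trusted comparison resolver, reads a resolv.conf-style file for the resolver list, and uses a hand-built UDP DNS A query so it needs no third-party library. The sample resolv.conf text and the sample answers at the bottom are constructed for the offline demo.

```python
"""Audit the DNS hand-out of a home router for the hijack described above.

Check 1: are the resolvers the router handed out among the reported
attacker DNS servers, or different from the ones you configured?
Check 2: do the reported target domains resolve the same way via the
router's resolver as via a trusted public resolver (assumed: 1.1.1.1)?
"""
import ipaddress
import random
import socket
import struct

# Attacker DNS servers named in the Bitdefender report (from the article).
MALICIOUS_RESOLVERS = {"109.234.35.230", "94.103.82.249"}

# Domains the report says hijacked routers redirect to the fake COVID-19 page.
HIJACKED_DOMAINS = [
    "aws.amazon.com", "goo.gl", "bit.ly", "washington.edu", "imageshack.us",
    "ufl.edu", "disney.com", "cox.net", "xhamster.com",
    "pubads.g.doubleclick.net", "tidd.ly", "redditblog.com", "fiddler2.com",
    "winimage.com",
]


def parse_resolv_conf(text):
    """Return the nameserver IPs from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:  # skip malformed entries
                pass
    return servers


def check_resolvers(resolvers, expected):
    """(ip, reason) for resolvers that are reported IoCs or not the ones you set."""
    findings = []
    for ip in resolvers:
        if ip in MALICIOUS_RESOLVERS:
            findings.append((ip, "reported malicious DNS server"))
        elif ip not in expected:
            findings.append((ip, "not one of the configured resolvers"))
    return findings


def build_query(name, txid):
    """Encode a minimal DNS A/IN query with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(data, off):
    """Advance past a label sequence or a compression pointer; return new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data, txid):
    """Sorted IPv4 answers from a DNS response matching txid, else []."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction or not a response
        return []
    off = 12
    for _ in range(qd):  # skip echoed question(s): name + QTYPE + QCLASS
        off = _skip_name(data, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return sorted(answers)


def query_a(name, resolver, timeout=3.0):
    """Send one UDP A query to resolver and return its answers (needs network)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def compare_answers(router_answers, trusted_answers):
    """{domain: (router_ips, trusted_ips)} for every domain where they disagree."""
    return {
        d: (router_answers.get(d, []), trusted_answers.get(d, []))
        for d in sorted(set(router_answers) | set(trusted_answers))
        if router_answers.get(d, []) != trusted_answers.get(d, [])
    }


if __name__ == "__main__":
    # Constructed sample: resolv.conf as a hijacked router might hand it out.
    sample = "# generated by dhcp\nnameserver 109.234.35.230\nnameserver 8.8.8.8\n"
    print(check_resolvers(parse_resolv_conf(sample), expected={"1.1.1.1"}))
    # Constructed answers: router resolver sends bit.ly to a TEST-NET address.
    print(compare_answers({"bit.ly": ["192.0.2.10"]}, {"bit.ly": ["198.51.100.5"]}))
```

For a live run, feed `parse_resolv_conf(open("/etc/resolv.conf").read())` into `check_resolvers` with the resolvers you configured on the router, then build the two answer maps with `query_a(domain, router_ip)` and `query_a(domain, "1.1.1.1")` for each entry in `HIJACKED_DOMAINS` and pass them to `compare_answers`. Treat mismatches as a prompt to inspect rather than proof of compromise: domains served from CDNs legitimately return different addresses to different resolvers, whereas a resolver in `MALICIOUS_RESOLVERS` or a private/TEST-NET address for a public domain is a much stronger signal. Because the attacker can revert the router settings, this is worth running periodically, not once.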
Please check back for more info on this subject as it occurs!