Home router DNS attack redirects users to a malicious Covid-19 app download page

Polycount

TS Evangelist
Staff member

As reported by Bitdefender researchers on Wednesday, a new attack has come to light that uses DNS hijacking to redirect users to a web page that offers a Covid-19 informational app download. Unfortunately, users who fall for this scheme won't be downloading anything beneficial at all -- instead, their system will be infected with malware, which proceeds to snag information like cryptocurrency wallet credentials and other private data.

According to Bitdefender, the hack is likely accomplished by hackers who "probe the internet" for vulnerable routers and use brute-forcing techniques to guess control panel passwords (which isn't terribly difficult to do, as many users leave these credentials as "admin" and "password"). Once an attacker has access to your router control panel, changing your DNS settings is a trivial process.

Bitdefender explains the hack as follows:

DNS settings are very important, as they work like a phone book. Whenever users type in the name of a website, DNS services can send them to the corresponding IP address that serves that particular domain name. In a nutshell, DNS works pretty much like your smartphone's agenda: whenever you want to call someone you just look up their name instead of having to memorize their phone number.

Once attackers change the DNS IP addresses, they can resolve any request and redirect users to webpages that attackers control, without anyone being the wiser.

The malware is being stored in Bitbucket repositories, but the links are cloaked using TinyURL to prevent users from suspecting "foul play." Some of the domains that are being targeted for malicious redirects include goo.gl, bit.ly, washington.edu, cox.net, and aws.amazon.com.

Bitdefender researchers believe that roughly 1,200 people have been impacted by this attack, and the team has found four separate malicious Bitbucket repositories so far. Geographically speaking, most victims appear to hail from the United States, Germany, and France.

If you're worried about this attack, Bitdefender recommends changing your router control panel login credentials, updating your router firmware, and, of course, downloading a robust antivirus software suite if you don't already have one. For the time being, it seems Linksys routers are being targeted the most, but that might change down the line.

Image credit: Aquarius Studio
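A defender-side check for the redirection the report describes, added here as an example and not taken from Bitdefender or the article: it resolves the five domains the report names through the router's own resolver and through a public resolver, and flags any domain whose two answer sets share no address. The router address 192.168.1.1, the public resolver 1.1.1.1 and the minimal DNS packet builder/parser are assumptions; the test packets and addresses are constructed from documentation ranges.

```python
import socket, struct
# Domains the report names as redirect targets (taken from the article)
WATCHED = ["goo.gl", "bit.ly", "washington.edu", "cox.net", "aws.amazon.com"]

def build_query(name, txid=0x1234):
    # 12-byte header: id, flags (RD only), 1 question, no other records
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    # Offset just past a (possibly compressed) name starting at `off`
    while 0 < msg[off] < 0xC0:  # ordinary label: length byte then label bytes
        off += 1 + msg[off]
    return off + (2 if msg[off] >= 0xC0 else 1)  # 2-byte compression pointer or root

def parse_a_records(msg):
    # Collect the IPv4 addresses in the answer section of a DNS response
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record; CNAMEs etc. are skipped
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def query(server, name, timeout=2.0):
    # Ask `server` for A records over UDP; empty set on timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return parse_a_records(s.recvfrom(4096)[0])
        except socket.timeout:
            return set()

def hijack_suspects(router_answers, trusted_answers):
    # Domains where the router's answers share no address with the trusted resolver's
    return [d for d, ips in router_answers.items()
            if ips and trusted_answers.get(d) and ips.isdisjoint(trusted_answers[d])]

def check(router="192.168.1.1", trusted="1.1.1.1"):  # assumed LAN router and public resolver
    return hijack_suspects({d: query(router, d) for d in WATCHED},
                           {d: query(trusted, d) for d in WATCHED})
```

Large CDN-hosted names such as aws.amazon.com can legitimately answer differently per resolver, so treat a mismatch as a prompt to inspect the router's DNS settings rather than as proof of compromise.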

But how is the attack initiated? What causes this DNS hijacking? I mean, the user must click a link or visit a website, or execute a command one way or another, don't you think? I think this article is incomplete for leaving out whatever it is that triggers such an attack.

wiyosaya

TS Evangelist
I use a linux distro running on a PC for my router. The firewall rules are set to ignore all external attempts to connect to this PC. All "routers", IMO, should be employing this tactic, too. If someone really needs to change those rules to allow outside connections to a specific port, there are plenty of instructions to do so out there - even for the not so computer literate.

wiyosaya

TS Evangelist
In Bitbucket? So it's an open-source malware? Nice.
As I see it, not really. Scammers are taking advantage of Bitbucket's free accounts. On any such service, that would be difficult to stop because if one account is killed, another pops up. It sounds like it may be an electronic game of whack-a-mole. IMO, Bitbucket is not to blame for what the scammers are doing with their free accounts.