Home router DNS attack redirects users to a malicious Covid-19 app download page

Hackers are taking advantage of Covid-19 fears

By Cohen Coberly March 26, 2020, 16:22

Home router DNS attack redirects users to a malicious Covid-19 app download page

Serving tech enthusiasts for over 25 years.
TechSpot means tech analysis and advice you can trust.

In context: The coronavirus pandemic is certainly no joke at this point – it's killed thousands of people across the globe, and it continues to spread at an alarming rate. Naturally, the virus' growth has people scared, and some bad actors are choosing to take advantage of those fears to further their own interests.

As reported by Bitdefender researchers on Wednesday, a new attack has come to light that uses DNS hijacking to redirect users to a web page that offers a Covid-19 informational app download. Unfortunately, users who fall for this scheme won't be downloading anything beneficial it all – instead, their system will be infected with malware, which proceeds to snag information like cryptocurrency wallet credentials and other private data.

According to Bitdefender, the hack is likely accomplished by hackers who "probe the internet" for vulnerable routers and use brute-forcing techniques to guess control panel passwords (which isn't terribly difficult to do, as many users leave these credentials as "admin" and "password"). Once an attacker has access to your router control panel, changing your DNS settings is a trivial process.

Bitdefender explains the hack as follows:

DNS settings are very important, as they work like a phone book. Whenever users type in the name of a website, DNS services can send them to the corresponding IP address that serves that particular domain name. In a nutshell, DNS works pretty much like your smartphones agenda: whenever you want to call someone you just look up their name instead of having to memorize their phone number.

Once attackers change the DNS IP addresses, they can resolve any request and redirect users to webpages that attackers control, without anyone being the wiser.

The malware is being stored in Bitbucket repositories, but the links are cloaked using TinyURL to prevent users from suspecting "foul play." Some of the domains that are being targeted for malicious redirects include goo.gl, bit.ly, washington.edu, cox.net, and aws.amazon.com.

Bitdefender researchers believe that roughly 1,200 people have been impacted by this attack, and the team has found four separate malicious Bitbucket repositories so far. Geographically speaking, most victims appear to hail from the United States, Germany, and France.

If you're worried about this attack, Bitdefender recommends changing your router control panel login credentials, updating your router firmware, and, of course, downloading a robust antivirus software suite if you don't already have one. For the time being, it seems Linksys routers are being targeted the most, but that might change down the line.

Image credit: Aquarius Studio

5 comments 240 likes and shares

Tech Jobs: Find the next step in your career

Related Stories

Featured on TechSpot