An opportunistic cyberattack was discovered this week, targeting people's home routers to send them to malicious, coronavirus-related websites. The attacks convince users to download a malware file from Bitbucket, a popular file-sharing site, and eventually leads to stealing the user's information from their browser.
This type of online scam is referred to as phishing. The process usually involves tricking a user with a site or web form that looks legitimate to convince them to enter information into a field. That information is then either used to gain access to a user's account without them knowing and often sold to another entity. This particular type of phishing is unique both in its relationship to a commonly researched topic in COVID-19 and also due to the execution of the attack.
While most phishing scams trick people into clicking malicious links from emails, this one attacks the person's router first. By infiltrating the router, it can change where the user lands when they travel to a specific site. A person opens a browser, types in the address of the desired website, and instead, a convincing "Warning" from the World Health Organization appears, instructing the user to download a file that will help keep them informed about the coronavirus pandemic. A list on Bitdefender outlines many popular websites the attacks can redirect users from, including "disney.com", "goo.gl", and "aws.amazon.com". Throughout the entire process, the user's address bar still shows the intended site to which they planned to travel, even though the information served is clearly not the real website. It's a unique type of cyber attack and a reminder to remain vigilant online.
How to Protect Yourself from DNS Hijacking
Investigations into how the attackers are breaching people's router settings to get into their DNS menus are still ongoing but all current signs suggest they're "brute forcing" people's passwords. That means they're running software that tries various combinations of passwords and user names until they guess the correct one. This is one of the many online threats that can be avoided by simply choosing strong passwords and changing them often. Coronavirus-related attacks are becoming increasingly common so it's also important to check sources for any related news. If the link is not from a credible news source, don't risk clicking it. It may also be smart to establish a familiarity with the official World Health Organization website and rely on information from there primarily.
The attackers also seem to specifically target Linksys routers, which are known for having a console in the cloud that can change a user's settings. The attacks may take advantage of a security hole through that avenue. That means people should be sure to change their router login information and their Linksys cloud credentials to something secure. Staying up to date with router firmware patches can also help, as companies will use these updates to add security measures whenever they discover threats. Lastly, anti-phishing software or a browser that flags phishing sites are great solutions as well.
Source: Bitdefender