Business Continuity Management / Disaster Recovery , COVID-19 , Cybercrime

Hijacked Routers Steering Users to Malicious COVID-19 Sites

Researchers: Cybercriminals Use DNS Hijacking to Spread New Type of Infostealer
Hijacked Routers Steering Users to Malicious COVID-19 Sites
DNS hijacking victims are being steered toward spoofed WHO sites that contain malware. (Source: Bitdefender)

Cybercriminals are waging brute-force attacks that enable them to change DNS settings on home and small business routers to redirect victims to fake COVID-19-themed websites that push infostealer malware, according to the security firm Bitdefender.

See Also: The State of Organizations' Security Posture as of Q1 2018

These DNS hijacking attacks, which are mainly targeting users in the U.S., France and Germany, come at a time when the COVID-19 pandemic is forcing more employees to telework, which means they’re relying on home routers to conduct business (see: COVID-19 Response: How to Secure a 100% Remote Workforce).

"With employees working from the comfort of their own home, attackers could use these attacks on home routers that are not properly secured to compromise work devices and gain access to sensitive data or phish employee credentials and use them to connect to the employer’s infrastructure," Liviu Arsene, senior cybersecurity analyst at Bitdefender, tells Information Security Media Group.

DNS Hijacking

In its new research report, Bitdefendner says that about 1,200 users have fallen victim to this DNS hijacking scheme since March 18.

The cybercriminals are using DNS hijacking to steer users to sites that spoof messaging from the World Health Organization and purport to have new details about COVID-19 pandemic, according to the report. If a victim downloads an application from the spoofed site, they actually install a new malware variant called Oski, according to Bitdefender.

Independent security researcher Aditya K. Sood, who first spotted Oski in December 2019, reports that the malware is sold on Russian underground forums. This infostealer can collect account credentials, payment card numbers and data from cryptowallets, Sood reports.

In DNS hijacking campaigns, attackers manipulate records so they can see traffic flowing to a particular website or service. With the right tools, attackers can also set an IP address for a domain name that is different than the legitimate address but is almost impossible for end users to see (see: Recent DNS Hijacking Campaigns Trigger Government Action).

Routers Targeted

Cybercriminals waging the ongoing campaign are targeting Linksys routers, according to the research report, although Bleeping Computer reports that D-Link routers are affected as well.

Attackers appear to be using brute-force methods to guess combinations of names and passwords for these routers so they can change the settings, according to Bitdefender. Once the settings are changed, the traffic from the hijacked router is steered through the attackers' own server, giving them the ability to manipulate what websites the victim can access, according to the report.

The Bitdefender researchers note that the IP address for these malicious DNS servers are listed as 109.234.35.230 and 94.103.82.249.

The Bitdefender research finds that victims who have had their router's settings changed are pointed to the fake COVID-19 information site if they attempt to access one of these domains: aws.amazon.com, goo.gl, bit.ly, washington.edu, imageshack.us, ufl.edu, disney.com, cox.net, xhamster.com, pubads.g.doubleclick.net, tidd.ly, redditblog.com, fiddler2.com and winimage.com.

"Whenever the victims wanted to visit one of the targeted websites, they would be redirected to an attacker-controlled webpage that looks like a message from the World Health Organization, instructing the victim to download an application that offers the latest updates on Coronavirus infections," Arsene says.

If the user attempts to click on the COVID-19 application offered by the spoofed WHO page, they are guided toward a Bitbucket page. This downloads the malware onto their device, which then starts sending stolen data back to a command-and-control server, according to the report.

The Bitdefender analysis found there are at least four of these malicious Bitbucket pages active, which means the actual number of victims could be higher than 1,200.

Security Starts at Home

The COVID-19 pandemic has opened many new avenues for attackers and cybercriminals (see: COVID-19 Phishing Schemes Escalate; FBI Issues Warning).

Earlier this week, U.S. Sen. Mark Warner, D-Va., the vice chair of the Senate Intelligence Committee, sent letters to Google and other tech firms asking them to ramp up the security of their devices as a way to counter some of the security concerns raised by the work-at-home movement.

“Given the increased reliance on home networks for telehealth, distancing learning and telework, I also ask you to consider public outreach to alert your customers to steps they can take to better secure these products, including applying security updates," Warner wrote.


About the Author

Apurva Venkat

Apurva Venkat

Special Correspondent

Venkat is special correspondent for Information Security Media Group's global news desk. She has previously worked at companies such as IDG and Business Standard where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.eu, you agree to our use of cookies.