Hackers Infect Routers; Deploy COVID-19 Malware

John Lister's picture

A new attack on Internet users combines multiple tactics into a nasty strategy. The scam includes hacking routers, redirecting users to bogus sites, and preying on fear to trick people into installing malware.

The first step in the attack involved the hackers taking control of home and small business routers, with Linksys and D-Link models targeted.

Exactly how they are doing this isn't certain, but it appears to involve a brute force attack through the optional feature that lets users access their router settings from any Internet-connected computer. Brute force is effectively an automated version of guessing possible passwords until one works. (Source: bitdefender.com)

Once the hackers can control the router, they change the default DNS server. That works a little like a phone book for the Internet and turns a website address (such as www.infopackets.com) into an IP address, which identifies the server where the webpage files are physically stored.

Clean And Dirty Sites Both Affected

The hackers switch the router to a bogus DNS server which for most sites works normally, but for some designated sites will instead take the victim to a bogus page. The sites range from family fare such as Disney to some sites very much not aimed at a family audience. For the most party, the site will look just like the real thing and display the "correct" details in the browser bar.

The difference is that the bogus page has a pop-up windows that claims to offer an app from the World Health Organization giving the latest information about the COVID-19 coronavirus and asks for permission to download and install it. The app is nothing of the sort and instead is designed to download malware that's designed to retrieve sensitive data such as login details and pass it on to the scammers. (Source: arstechnica.com)

How To Reduce Risk Of Attack

The main action users should take to prevents such attacks is to disable remote access to their routers (I.E. from outside their home network). Users who need to use this feature should choose as secure a password as possible, meaning longer, with a mix of letters, numbers and symbols, and avoiding dictionary words.

Given such attacks are underway, it's also worth checking router software is up to date, using security tools that scan downloaded files), and taking an extra moment to think carefully about what you download.

What's Your Opinion?

Do you know whether your router has remote login enabled? Should the feature be off by default as a security measure? Have you come across any other COVID-19 related tech scams?

Rate this article: 
Average: 5 (8 votes)


Doccus's picture

The cable company only offers wireless modems nowadays, although we have no need of the wireless component & just use the wired in option. How does one go about disabling remote access in the first place? We probably still have the default password too, but if remote access is disabled how do we change any settings? When it comes to network settings I'm somewhat clueless, so any help would be appreciated..

Dennis Faas's picture

The majority of routers do not allow remote access management (I.E: access to ther router outside of the local network). That said, some routers do offer this feature. Even so, remote access management should not be enabled by default otherwise it would be a massive security risk.

To see if remote access management is enabled (or if the feature exists), you would have to login to your router administration page, otherwise known as the network gateway. Since router administration pages vary by manufacturer it is not possible to provide a step-by-step tutorial on how to do this.

You can find the network gateway by opening a command prompt, then type in:

ipconfig |findstr -i gateway

You will need the router administration user name and password to login to the router. From there you will have to flip through the router admin pages to see if you can find anything related to remote access management, then disable it.