Attackers exploit weaknesses in the design of IT devices and in the habits of their unsuspecting users (individuals, organizations, corporations). With much of the world at a standstill because of the Coronavirus (COVID-19), there has rarely been a better time to find anxious users waiting to be preyed on. The past seven days have seen reports of deliberate break-ins into people's home routers in which the attackers changed the routers' DNS settings so that connected devices are redirected to coronavirus-themed sites hosting malware.
How the Attack Works
If you are using a D-Link or Linksys router, now is the time to make sure you are not using the default password and that the password you chose is not weak. Reports from the cyber-security firm Bitdefender indicate that the attackers brute-force the router's administrative password. Once they are in, they change the router's DNS settings.
DNS (the Domain Name System) translates website names into the IP addresses that browsers actually connect to. A home router typically hands its configured DNS servers to every device on the network, so when that setting is changed to point at an attacker-controlled resolver, a name such as amazon.com can be answered with an IP address that has nothing to do with Amazon. In this campaign, the rogue resolvers redirect traffic intended for Disney, Amazon, Reddit, Cox, the University of Florida, the University of Washington and many other sites to a custom page that prompts users to install an application supposedly providing the latest information about COVID-19.
Bitdefender and Bleeping Computer report that this app, once installed, drops the Oski Trojan. Oski is an infostealer that harvests saved credentials from browsers and digital wallets; those credentials are then used to take over cryptocurrency accounts.
For now, D-Link and Linksys routers are the targets. This might be because these Wi-Fi routers ship with a remote management function that is enabled by default, which leaves the administrative login reachable from the Internet. Below are four steps to take to avoid becoming a victim:
- First, check whether you have in fact been hacked: open your router's administration page and look at its DNS settings for the addresses reported in this campaign, 22.214.171.124 and 126.96.36.199. If you see them, remove them (or restore the DNS servers your ISP provides), restart the router, and restart, or at least flush the DNS cache of, every device that was previously connected to the router, since they may still hold poisoned answers.
- If you have not changed the default administrative password of your router, do so now, and if the password you chose is weak, replace it with a strong one. If you do not need remote management, disable it: that removes the interface the attackers are brute-forcing.
- Avoid storing credit card numbers, digital-wallet passwords and other sensitive details in your browser. These are the end target of the attack, although the attackers can be expected to devise new methods.
- Lastly, be on the lookout for any advert or pop-up asking you to download an application related to the Coronavirus. A good antivirus program will likely detect malware downloaded from campaigns of this kind, but it cannot in any way fix the tampered DNS setting on your router; that responsibility is yours.
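As an added example that is not part of the original article, the following Python script automates the first step above and adds a check that does not depend on knowing the attackers' addresses. It parses the resolver list a PC received from the router (a constructed /etc/resolv.conf sample is embedded), compares it with the two addresses listed above, and then looks for the hijack signature described earlier: several unrelated, high-profile domains all resolving to one address. The lookup function is injected so the script runs offline against constructed answers; on a live host the `live_audit` helper reads the real resolv.conf and uses `socket.gethostbyname`. The hostnames for the organisations the article names, and the 198.51.100.x / 203.0.113.x placeholder addresses (reserved documentation ranges), are assumptions made for the example.

```python
"""Added example: detect the router DNS hijack described in the article.

Two independent checks:
  1. Are the resolvers this host received from the router among the rogue
     addresses named in the article?
  2. Do unrelated, high-profile domains all resolve to the same address?
     That is the signature of a redirect to a single malware landing page,
     and it still works if the attackers rotate resolver addresses.
"""
import ipaddress
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set

# Rogue resolver addresses as given in the article's checklist.
ROGUE_RESOLVERS = frozenset({"22.214.171.124", "126.96.36.199"})

# Assumed hostnames for the organisations the article names as redirected.
WATCHED_DOMAINS = ("disney.com", "amazon.com", "reddit.com", "cox.net",
                   "ufl.edu", "washington.edu")

# Constructed sample of /etc/resolv.conf as a DHCP client would write it after
# the router started handing out the attackers' resolvers.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 22.214.171.124
nameserver 126.96.36.199
"""

# Constructed lookup results. 198.51.100.0/24 and 203.0.113.0/24 are reserved
# documentation ranges, used here only as placeholders.
HIJACKED_ANSWERS = {d: "198.51.100.7" for d in WATCHED_DOMAINS}
CLEAN_ANSWERS = {d: f"203.0.113.{i + 10}" for i, d in enumerate(WATCHED_DOMAINS)}


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses in resolv.conf text, skipping comments
    and any entry that is not a valid IP address."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                continue  # malformed entry, not a resolver
    return servers


def flag_rogue_resolvers(servers: Iterable[str]) -> Set[str]:
    """Intersect the configured resolvers with the known-bad list."""
    return set(servers) & ROGUE_RESOLVERS


def find_collapsed_domains(resolve: Callable[[str], str],
                           domains: Iterable[str]) -> Dict[str, List[str]]:
    """Group domains by the address they resolve to and return only the
    addresses shared by two or more of them. Legitimate CDNs can share
    addresses too, so treat a hit as a prompt to inspect, not as proof."""
    by_address: Dict[str, List[str]] = defaultdict(list)
    for name in domains:
        try:
            by_address[resolve(name)].append(name)
        except (OSError, KeyError):
            continue  # lookup failed; nothing to group
    return {addr: names for addr, names in by_address.items() if len(names) > 1}


def audit(resolv_conf: str, resolve: Callable[[str], str]) -> dict:
    """Run both checks and summarise; 'hijacked' is True if either fires."""
    servers = parse_nameservers(resolv_conf)
    rogue = sorted(flag_rogue_resolvers(servers))
    collapsed = find_collapsed_domains(resolve, WATCHED_DOMAINS)
    return {
        "nameservers": servers,
        "rogue_resolvers": rogue,
        "collapsed_domains": collapsed,
        "hijacked": bool(rogue or collapsed),
    }


def live_audit(resolv_path: str = "/etc/resolv.conf") -> dict:
    """Same checks against this host's real configuration and real lookups."""
    with open(resolv_path, encoding="utf-8") as fh:
        return audit(fh.read(), socket.gethostbyname)


if __name__ == "__main__":
    # Offline demonstration against the constructed hijacked answers.
    report = audit(SAMPLE_RESOLV_CONF, HIJACKED_ANSWERS.__getitem__)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The collapsed-domain check is the more durable of the two: indicator lists go stale as soon as the attackers move their resolvers, but a redirect to one landing page necessarily makes unrelated names answer with one address. Run `live_audit()` from a machine on the suspect network, not over a VPN, so that the lookups actually go through the router's resolvers.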