Hackers are using the fear of current Coronavirus (COVID-19) outbreak as bait for cyberattacks, be it exploiting the Coronavirus Maps to steal user information, or fake Coronavirus Tracking App to lock up Android devices, or malicious Android app that promises to get Coronavirus safety mask, or the reported hacking attempt against the World Health Organization (WHO).
In a newly discovered cyberattack campaign, researchers have found that hackers are reportedly hijacking router’s DNS settings so that web browsers display fake WHO COVID-19 alerts and redirect Windows computer users to malicious content.
According to BleepingComputer, victims of the campaign witnessed their web browsers opening automatically and displaying a message that instructs them to download a “Emergency – COVID-19 Informator” or “COVID-19 Inform App” that was allegedly from the WHO. In reality, the fraudulent app is the information-stealing malware called Oksi.
On further investigation, it was found that these alerts were a result of a cyberattack that changed the DNS servers configured on the victim’s home D-Link or Linksys routers to use DNS servers operated by the attackers.
Since most computers use IP address and DNS information provided by their router, the malicious DNS servers redirected victims to malicious content under the attackers’ control, according to experts.
For those unaware, Oksi is capable of stealing browser-based data — including cookies, internet history, and payment information — as well as saved login credentials, cryptocurrency wallets, text files, browser form autofill information, and Authy 2FA authenticator databases.
It is still unclear how the attackers gained access to the affected routers but some users state that they had left their remote access capabilities open enabled with a weak admin password.
“This attack highlights the need for people to make sure they change the default username/password for their home router, as a number of the affected users admitted having a weak or default combination,” said Laurence Pitt, global security strategy director at Juniper Networks. “Most internet providers today provide routers that have a decent strength default security setup. It appears that this attack has targeted a certain brand of router, [which] would also indicate that users have left the default admin/password combination to access the device.”
According to BleepingComputer, when a computer connects to a network, Microsoft uses a feature called ‘Network Connectivity Status Indicator (NCSI)‘ to check for internet connectivity.
In this case, instead of connecting to the legitimate Microsoft IP address, the malicious DNS servers sends the user to a hacker-controlled site that displays the alert to download and install a fake ‘Emergency – COVID-19 Informator’ or ‘COVID-19 Inform App’ from the WHO.
If a user downloads and installs the application, instead of receiving a COVID-19 information app, the Oski information-stealing Trojan will get installed on their computer.
When launched, this malware will attempt to steal information such as browser cookies, browser internet history, browser payment information, saved login credentials, cryptocurrency wallets, text files, browser form autofill information, Authy 2FA authenticator databases, a screenshot of the user’s desktop at the time of infection, and more.
This stolen information is then uploaded to a remote server where the attackers collect the data to perform further attacks on the victim’s online accounts to steal money from bank accounts, perform identity theft, or further spear phishing attacks.
If your browser is randomly opening a COVID-19 information app promotional page, ensure that you reconfigure your router so that it can automatically receive its DNS servers from your ISP. It is also advisable to reset your password to a stronger one and disable remote administration on the router.
For those who have downloaded and installed the COVID-19 app, perform a malware scan immediately on your computer. Once clean, ensure that you change passwords for all the sites whose credentials are saved in your browser as well as the sites you visited after being infected. Most importantly, make sure to use a unique password at every site while resetting your passwords.