Hackers Hijack Routers' DNS To Spread Malicious COVID-19 Apps (bleepingcomputer.com) 13
An anonymous reader quotes a report from Bleeping Computer: A new cyber attack is hijacking routers' DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is the Oski information-stealing malware. For the past five days, people have been reporting their web browser would open on its own and display a message prompting them to download a 'COVID-19 Inform App' that was allegedly from the World Health Organization (WHO). After further research, it was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home D-Link or Linksys routers to use DNS servers operated by the attackers. As most computers use the IP address and DNS information provided by their router, the malicious DNS servers were redirecting victims to malicious content under the attacker's control. "If your browser is randomly opening to a page promoting a COVID-19 information app, then you need to login to your router and make sure you configure it to automatically receive its DNS servers from your ISP," the report says. It also recommends you set a strong password for your router and disable remote administration.
"Finally, if you downloaded and installed the COVID-19 app, you should immediately perform a scan on your computer for malware. Once clean, you should change all of the passwords for sites whose credentials are saved in your browser and you should change the passwords for any site that you visited since being infected."
Re: (Score:1)
8% mortality is a "virtual death sentence"?
Actually *living* is a virtual death sentence. The probability that a 71 year-old man will die in the next year is a little over 2%.
Re: (Score:1)
It's almost like the flesh profits nothing, or something.
I'll be defending the virtual side against malicious apps, and related hazards.
Re: (Score:2)
This is especially sad news, because at age 71, this is a virtual death sentence for Prince Charles.
Don't be ridiculous - even among those above 70 the mortality rate is less than 10%.
Re: (Score:2)
Russian trolls have been active in the crisis, but this sounds more like organized crime. The effect is to obtain things that have economic value, like cryptocurrency wallets and login credentials.
State sponsored trolls are more interested in non-tangible things, like public trust in national institutions.
Fuck people (Score:5, Insightful)
Hackers Hijack Windows NCSI active probes (Score:2)
“When a computer connects to a network, Microsoft utilizes a feature called 'Network Connectivity Status Indicator (NCSI)' that is used to periodically run probes that check whether a computer is actively connected to the Internet.”
“In Windows 10, one of these active probes will be to connect to the http://www.msftconnecttest.com... [msftconnecttest.com] site and check if the returned content contains the string 'Microsoft Connect Test'.”
Veloop hacked (Score:1)
Always the bad grammar (Score:2)
This is the popup users see: "Install this app, to have the latest information and instructions about coronavirus (COVID-19).".
Such things always employ bad grammar and/or spelling. In this case it's the extraneous comma. The dumber users cannot spot this, and it's part of the reason they fall for things like this or QAnon, for instance.
Most of these router exploits are based on existing remote access vulnerabilities or default passwords anyway.