A web hijacker has been opening victims' browsers — without their consent — and displaying a window inviting users to download a COVID-19 information app that sneakily claims to be spearheaded by the World Health Organization (WHO), Bleeping Computer reports.
This has been happening for the past five days, and if you click the "download" button, you will end up with information-stealing malware on your computer.
Bleeping Computer first thought Vidar, a data-stealing malware cocktail that swipes your online information and digital wallet, was behind the malicious app. But Twitter user fumik0_, an independent security researcher, told Bleeping Computer that Oski, another information stealer, is the culprit here -- not Vidar.
Laptop Mag reached out to fumik0_ on Twitter for more information regarding this COVID-19 Inform app trap. The expert told us that DNS server hijacking is the process these hackers use to infect users' devices with malware.
"Basically, DNS hijacking is a known malicious technique that's been used for years," fumik0_ told us. He explained to us that, when you type in a request for a website on your browser, a DNS server's job is to hook you up with the correct IP address for your desired online destination.
"Now imagine that the server[s] are malicious," fumik0_ explained. "When you request a domain, besides sending you the correct server, it will also redirect you to a malicious one that will suggest you to download and execute something harmful."
Downloading something like the COVID-19 Inform app, fumik0_ added, could grab valuable information such as your login credentials, credit card data, cryptocurrency info and more.
The independent security researcher went on to say that it's unclear what caused users' DNS servers to become compromised, but as Bleeping Computer wrote, victims admitted that their routers had remote access enabled and were protected by a weak admin password.
"Users that installed those routers didn't change the default login/password," fumik0_ said. "So with a simple brute-force attack -- just trying out all kinds of default credentials -- cybercriminals logged into them and changed the 'good' DNS server IPs with a 'malicious' one."
If you've been getting the annoying COVID-19 Inform window, here's a quick fix, according to Bleeping Computer:
- Log in to your router.
- Navigate to your DNS settings and ensure that there are no servers configured manually, especially 220.127.116.11 and 18.104.22.168.
- If they are configured manually, set the DNS servers' settings to Automatic or ISP assigned.
- Save your configuration.
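As an added check (example code written for this page, not from Bleeping Computer or fumik0_), the small script below audits the DNS servers a machine has picked up and flags the two addresses named above. It assumes the hijacked router hands those addresses to clients over DHCP, so they show up in a resolv.conf-style resolver configuration; the sample configuration and the router address 192.168.1.1 are constructed.

```python
import ipaddress
import re

# DNS server addresses the article tells readers to look for in router settings.
KNOWN_BAD_DNS = {"220.127.116.11", "18.104.22.168"}

# Matches "nameserver <addr>" lines in resolv.conf-style text; commented-out lines do not match.
NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in the configuration text, in order."""
    return NAMESERVER_RE.findall(resolv_conf_text)


def classify_nameserver(addr, router_ip="192.168.1.1"):
    """Classify one resolver address.

    'hijack_indicator' - one of the addresses named in the article
    'local'            - the router itself, a private address, or loopback
    'public'           - any other routable address (worth a second look if you
                         never configured it yourself)
    'invalid'          - not a parseable IP address
    """
    if addr in KNOWN_BAD_DNS:
        return "hijack_indicator"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr == router_ip or ip.is_private or ip.is_loopback:
        return "local"
    return "public"


def audit_resolvers(resolv_conf_text, router_ip="192.168.1.1"):
    """Map every configured resolver to its classification (empty dict if none are set)."""
    return {ns: classify_nameserver(ns, router_ip) for ns in parse_nameservers(resolv_conf_text)}


if __name__ == "__main__":
    # Constructed sample of what a client behind a hijacked router might receive.
    SAMPLE = "search home.lan\nnameserver 220.127.116.11\nnameserver 192.168.1.1\n"
    for server, verdict in audit_resolvers(SAMPLE).items():
        print(f"{server}: {verdict}")
```

On Linux, feed it the contents of /etc/resolv.conf (or the upstream servers reported by `resolvectl status` when the file only lists 127.0.0.53); a result of `hijack_indicator` means the router settings need the fix above.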
The moral of the story here is clear: Change your default passwords and use a strong combination of characters that would make a hacker sweat.