A team of information security experts has revealed a large-scale attack launched by a professional hacker group against people working from home. The attackers break into and hijack home routers in order to change the domain name settings that home workers rely on during their work, and they spoof the numeric (IP) addresses of those domains so that they appear normal, familiar and legitimate to victims, while in fact the addresses and domain names are owned and managed by the attackers. The aim is to trick users into downloading the criminals' malware disguised as applications and programs issued by the World Health Organization that provide information and services related to medical care and corona prevention. In reality these are intrusion tools, spyware and advanced data-theft programs that enable the theft of sensitive and financial data, the sabotage of data, and remote control of computers.

The new attack

The team that exposed the attack belongs to the company «Bitdefender Labs», which specializes in information security and provides a free open source security software package with the same name. The team released the details of this attack in a report that is updated daily on the company's official blog (labs.bitdefender.com). The report pointed out that the attack began on March 18, escalated to reach its peak on the 23rd of the same month, and is still continuing until now.

The report added that the new attack is carried out using elaborate deception tactics, which have caught tens of thousands of people working from home, 73% of whom live in France and the United States, two of the countries most affected by the Corona virus today.

Description of the attack

The expert team described the attack as exploiting a security vulnerability in Linksys home routers in order to deceive users who work from home.

The team indicated that the deception is based on manipulating the information that users see on screen, whether in web browsers or in the settings of the device itself. This information relates to two things: the first is the domain names of the sites the user visits, and the second is the numeric (IP) addresses of these sites, which can be checked through the settings of the browser or of the router itself.

The team added that the manipulation works by showing the victim the correct domain names and valid addresses while instructing the router to direct the user to domain names and addresses belonging to the attackers, who have hidden them inside the router so that the user does not see them. As a result, instead of reaching the sites whose real addresses and domain names appear on screen, the user is taken to fake phishing sites designed, owned and managed by the attackers.
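
A defender can check for the redirection described above by comparing what the router-supplied resolver returns with answers obtained out of band from a resolver that is trusted. The Python below is an added example, not part of the report the article describes; the function names, the /24 tolerance for rotating address pools and the sample data (documentation address ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data using documentation address ranges (not real answers).
# REFERENCE: answers obtained out of band from a resolver you trust.
REFERENCE = {
    "example.org": {"192.0.2.10", "192.0.2.11"},
    "example.net": {"192.0.2.50"},
    "example.com": {"198.51.100.7"},
    "example.edu": {"198.51.100.20"},
}
# LOCAL: what the router-supplied resolver returned for the same names.
LOCAL = {
    "example.org": {"192.0.2.11"},      # overlaps the reference
    "example.net": {"203.0.113.99"},    # unrelated address
    "example.com": {"203.0.113.99"},    # same unrelated address again
    "example.edu": {"198.51.100.21"},   # neighbouring host, tolerated
}

def near(ip, expected, prefix=24):
    """True if ip shares a /prefix network with any expected address (IPv4 sample)."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return any(ipaddress.ip_address(e) in net for e in expected)

def audit(local, reference):
    """Return {domain: reason} for names whose local answers look redirected."""
    findings, by_ip = {}, defaultdict(set)
    for domain, answers in local.items():
        expected = reference.get(domain)
        if not expected or answers & expected:
            continue  # nothing to compare, or at least one answer matches
        if any(near(a, expected) for a in answers):
            continue  # heuristic (assumption): same pool as the reference
        findings[domain] = "answers disjoint from trusted reference"
        for a in answers:
            by_ip[a].add(domain)
    # Heuristic (assumption): unrelated names landing on one address is a
    # common sign of a rewritten DNS setting, so report it explicitly.
    for ip, domains in by_ip.items():
        if len(domains) > 1:
            for d in domains:
                findings[d] = f"shares {ip} with {len(domains) - 1} other redirected name(s)"
    return findings

if __name__ == "__main__":
    for name, reason in sorted(audit(LOCAL, REFERENCE).items()):
        print(f"{name}: {reason}")
```

A finding is a prompt to inspect the router's DNS settings, not proof of compromise, since legitimate sites can return different addresses from different resolvers.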

Matching sites

The experts pointed out that by tracking these sites, they found that they are designed to appear identical to the pages of the WHO website and the sites of some other trusted bodies visited by millions of users around the world. The pages of these fraudulent sites offer genuine information about the Corona epidemic, how to prevent it, medical care when infected, and so on.

They explained that among this genuine information the attackers plant a small button, which they present as a button to download an application or program designed by the World Health Organization for communicating with it and learning the latest developments about the virus, and which can supposedly be downloaded for free, quickly and in a few simple steps.

The experts stated that by clicking on this download button, the user brings onto the device a very dangerous malware payload, which ranges from spyware to remote computer control programs and programs that steal sensitive data.

Protection tips

The information security company «Bitdefender Labs» made three recommendations for protection against the new attack targeting home routers. The first is to open the router's settings page and change its credentials, such as the password and username, and also to change the credentials of the user account on the Linksys cloud service.

The second recommendation is to update the firmware of the router. The third is to use one of the recommended security software packages, which include protection against fraudulent sites and prevent the downloading and installation of malware.