Hackers in Your Home – DNS Hijacking

Eli Dominitz
May 20, 2020
Read Time: min

Hackers can infiltrate people’s home networks through their routers using an attack called DNS Hijacking. This type of attack changes the router’s DNS settings to display malicious webpages chosen by the attacker. While this type of attack is not new, it has been more widely used over the past few months during the COVID-19 pandemic.

DNS Hijacking attacks are designed to trick the victim into thinking that he / she is receiving an emergency update or to display fake webpages similar to those frequently visited by the victim (e.g., online banking ). Once the user is directed to these mock pages, he / she is instructed to enter login information or personally identifiable information (PII) which is then sent back to the attacker, or to download a malicious payload.

With many more millions of people currently working from home on their own network hardware, DNS Hijacking poses an immediate threat both to individuals and their employers. In a typical corporate setting, an attacker must bypass various safeguards in order to penetrate the network. Home routers, on the other hand, are typically set up right out of the box with default settings and not properly configured or updated over time.

W.H.O. Themed Attacks

In recent DNS Hijacking attacks, attackers have been targeting Linksys and D-Link routers to serve a mock World Health Organization webpage that hosts Oski infostealer designed to extract browser credentials and other victim data. In some cases, the attackers simply scan the internet for vulnerable routers and attempt to brute-force weak administrative passwords.

Once the router is compromised and the DNS setting has been changed, a malicious page is displayed instructing the victim to download an application from the W.H.O. to receive important information related to the COVID-19 pandemic. Once the user clicks on the link, he / she is redirected to a Bitbucket page to install the malicious application.

Since the router itself is compromised, the user may never see any form of antivirus notification. The attack targets the router directly by compromising it, changing its default DNS settings to display webpages of the attacker’s choosing, and hosting the malware outside of the network on cloud-based infrastructure. This makes these types of attacks much more difficult to detect.

These attacks targeting consumer routers are often abusing vulnerabilities in outdated firmware or in default settings on the router. With more people teleworking than ever before, this has become greater for corporations and organizations that cannot monitor or control their employees’ home networks and router configurations. They can, however,  take steps to ensure that employee devices are properly secured and connections to corporate networks are secured and monitored.

Manage PPP loans through forgiveness
learn more


Individuals can take steps to prevent DNS hijacking attacks. Here are some recommendations geared towards both employers and home users below:

For employers:

  • Educate employees about the risk of DNS hijacking attacks and communicate best practices that include the recommendations below.

For home users / small businesses:

  • Apply router firmware updates.
  • Change router’s control panel access credentials.
  • Changing any default administrative credentials to complex passwords.
  • Periodically check what server is making your DNS requests by visiting whoismydns.com. If the company does not look familiar (typically your ISP) and the DNS server was not configured manually, this may indicate a DNS hijack on your home router.


About the Author

Eli Dominitz

Founder & CEO | Q6 Cyber
Eli Dominitz is the Founder & CEO of Q6 Cyber, an e-crime intelligence company based in the USA and Israel. Through a combination of proprietary technology and human analysts, Q6 monitors the “Digital Underground” (DarkWeb, DeepWeb, malware networks and infrastructure) to collect targeted and actionable e-crime intelligence used to proactively

Full Bio

About Abrigo

Abrigo is a leading technology provider of compliance, credit risk, and lending solutions that community financial institutions use to manage risk and drive growth. Our software automates key processes — from anti-money laundering to fraud detection to lending solutions — empowering our customers by addressing their Enterprise Risk Management needs.

Make Big Things Happen.


Looking for Banker’s Toolbox? You are in the Right Place!

Banker’s Toolbox is now Abrigo, giving you a single source for all your enterprise risk management needs. Use the login button here, or the link in the top navigation, to log in to Banker’s Toolbox Community Online.

Make yourself at home!