Does mistyping the router URL browse to a malware site?

OzarkEdge

Part of the Furniture
One URL for accessing an ASUS router webUI is router.asus.com. When I mistype it as asus.router.com, I arrive at the following AWS site which I promptly leave. A subsequent Win10 Defender scan finds nothing. I'm thinking it's a bogus alert designed to trick the user to proceed... what do you think?

(attached screenshot: Screenshot 2023-01-31 093636.jpg)

For reference, here's the URL for the above scam site (****=http):

****s://d2b6883f-c83a-473f-a0dc-7d27868bd2c2.s3.ap-northeast-2.amazonaws.com/%26%5E%5E%25%24%5E%26%5E%23%23%25%5E%40%25%40%25%24%5E%24!%26%23%40%25%24%26%23%5E%40%5E%24%24%24%24%25%26%5E%25%25!%26%25%40%24%5E/index.html?C=Columbia&S=12253792079&Q=router.com&SR=397303&IP=belkin%20wireless%20router%20setup&RE=23.84.154.158&KEY=65202&Z=

OE
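Pulling apart the quoted URL offline, as an added example that is not code from the thread: it swaps the "****" placeholder back to "http" only so the parser accepts it, never fetches the address, and reports the S3 bucket id, the percent-encoded symbol-junk directory and the tracking parameters the redirector carries (the RE value is the one that parses as an IP address).

```python
# Added example (not from the thread): take apart the scam URL quoted in the
# post above, offline. The URL stays in the post's defanged form and is never
# fetched; it is only re-fanged in memory so urlsplit accepts the scheme.
from urllib.parse import urlsplit, parse_qs, unquote
import ipaddress
import string

DEFANGED_URL = (
    "****s://d2b6883f-c83a-473f-a0dc-7d27868bd2c2.s3.ap-northeast-2.amazonaws.com/"
    "%26%5E%5E%25%24%5E%26%5E%23%23%25%5E%40%25%40%25%24%5E%24!%26%23%40%25%24%26%23"
    "%5E%40%5E%24%24%24%24%25%26%5E%25%25!%26%25%40%24%5E/index.html"
    "?C=Columbia&S=12253792079&Q=router.com&SR=397303"
    "&IP=belkin%20wireless%20router%20setup&RE=23.84.154.158&KEY=65202&Z="
)

def analyse_scam_url(defanged: str) -> dict:
    """Summarise host, S3 bucket, decoded path and query of a defanged URL."""
    parts = urlsplit(defanged.replace("****", "http", 1))
    host = parts.hostname or ""
    # S3 virtual-hosted style host: <bucket>.s3.<region>.amazonaws.com
    labels = host.split(".")
    bucket = labels[0] if host.endswith(".amazonaws.com") else None
    region = labels[2] if bucket and len(labels) > 3 else None
    # The directory is percent-encoded; decode it and check whether it is
    # nothing but symbol junk (typical of auto-generated landing pages).
    decoded_dir = unquote(parts.path.rsplit("/", 1)[0].strip("/"))
    junk_only = bool(decoded_dir) and all(c in string.punctuation for c in decoded_dir)
    # Flatten single-valued query parameters; keep_blank_values keeps "Z=".
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    # Which parameters carry an IP address (visitor tracking, most likely)?
    ip_valued = {}
    for k, v in query.items():
        try:
            ip_valued[k] = str(ipaddress.ip_address(v))
        except ValueError:
            pass
    return {
        "host": host, "bucket": bucket, "region": region,
        "decoded_dir": decoded_dir, "path_is_symbol_junk": junk_only,
        "query": query, "ip_valued_params": ip_valued,
    }

if __name__ == "__main__":
    for key, value in analyse_scam_url(DEFANGED_URL).items():
        print(f"{key}: {value}")
```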
 
Yes, it is a bogus alert. But many people have called that number, given their credit cards, and have been scammed.
 

Thanks! I wonder why AmazonWS can't police their data centers for such nefarious use.

I'll stick to using the router LAN IP address... a typo is less likely to route to the WAN much less to a scam site.

OE
 
Or just filter out that URL in the firewall, easy to do via the GUI. Or enable Aiprotect and/or DNS filtering.
 

I can't imagine using the internet without ublock. When I do have to disable it for a particular site, the ads alone slow everything to a crawl. But that just demonstrates that you need many layers. Ublock won't catch everything, and in that case DNS filtering or Aiprotection might. Or vice-versa (as is the case here).

I do wish they had a way (or maybe I just haven't played with it enough) to more clearly differentiate a link that was blocked due to tracking or advertising from one blocked due to malicious intent. I.e. be able to set each list to bring up a different color screen or message etc. Obviously, I should just read, but I'm lazy or sometimes just doing things too quickly.
 

Unfortunately that's like trying to play whack-a-mole with no arms.

I can spin up an AWS, Azure, or GCP site in a matter of a few minutes, even layer cloudflare in front of it to make it seem more legit, etc. All for little or no cost.

These cloud providers don't want to risk automatically filtering or shutting down something legit due to a false positive, so the only way to get them shut down is several people reporting the site to their abuse contact, and even then, who knows if/when it gets shut down. I'm sure they have some very basic "100% confidence" filters that detect extremely common, old, highly common malware, but from what I've seen, mostly a free-for-all.
 

All modern browsers have Safe Browsing built-in, uBlock comes on top. With both running AiProtection won't catch anything. You can't even test it before disabling browser protection. Perhaps the reason some folks ask questions if it's working or not. I've only seen false positives from AiProtection.
 

Eh I've seen it flag a couple sites even with 3 layers enabled in my browser (built in, ublock, and symantec endpoint protection). Plus DNS filtering enabled. I think only once or twice though, typo'd something and saw the Asus page come up and was surprised. Nobody catches 100%, so can't hurt. Though I tend to agree that the Trend is probably the least effective of all the layers I have, but it isn't currently hurting anything for me. One more company selling my data.
 
Personally, I don't type my router's address by hand; all such things are bookmarked in my browser, and I always use the bookmarks. Safer, easier, faster. Whether you set up the bookmark as a numeric IP or a name depends on how much you trust your DNS service.
 
I use Windows links to store everything.

This thread is a 'heads-up' about the phishing URL shaped like ASUS router access... not about typos.

OE
 
Has anyone else taken the time out to report this domain to godaddy (the registrar)?
 
AiProtection and Trend Micro Site Safety Center and CloudFlare DoT with security filter do not alert on it. I've reported it to TM and AWS.

OE

Update: It seems asus.router.com will browse to different destinations at different times... first was to the AWS site with the long address and the bogus 'you're infected' popup, both shown in post1 above... and it has also tried going to winsafe.xyz which AiProtection blocks and the TM site reports as a scam site.

AWS has acknowledged the AWS instance and is 'reaching out to that customer to determine what is going on with that AWS instance'... whatever that means. AWS asked for my consent to give my contact information to their customer... WTF?!

OE
 

AWS says they have dealt with it:

*****
Hello,

This is a follow up regarding the abusive content or activity report that you submitted to AWS. We have investigated this report, and have taken steps to mitigate the reported abusive content or activity.

We are committed to mediating reports of abusive content or activity to the satisfaction of both the reporters and our customers. If you believe the reported content or activity persists, or you are not satisfied with the resolution of this case, please reply directly to this message with more information. Your response should include the most recent activity logs or web location of the content that you have available that indicates that the activity or content persists, as well as a clear, succinct explanation of what you expect of us and our customer.

Thank you for bringing this matter to our attention.

Regards,

AWS Trust & Safety
*****

OE
Mole Wacker
 

It's already going to another malware site.
 
Unfortunately sites like these are just redirectors, and they'll redirect to whatever malware, scam or ad spam depending on your location and ISP.

Yeah that was my point, going to the earlier whack a mole comment.
 
