Virus affecting my network? (Redirecting Amazon/Netflix to phishing sites on all devices)

Cotroneo
Solved by Eniqmatic:

According to the manual, you go to "Advanced > Network > DHCP Server" and change the primary and secondary DNS there. You will need to do a lease renew on the end device for it to take effect. Disabling and re-enabling Wifi might be enough!

So, I'm pretty sure that my personal network has at some point been hijacked to redirect amazon.ca to a phishing site. It affects the ability to use the mobile app, and I can't seem to get rid of it. I've reset my router (had to rename all the wireless networks, as well as create a new password for TP-Link).

I've already run an in-depth scan with Norton, Malwarebytes, AdwCleaner, and Hitmanpro, and all of them turn up with nothing.

Any idea on how to find and fix this issue? It prevents the use of Netflix as well, since Netflix apps try to go through their site, but I'm assuming it gets hijacked, too.

 

CPU: Intel i7-7700K @ 4.8GHz || GPU: EVGA GeForce GTX 1080 Ti FTW 3 || CPU Cooler: Noctua NH-D15 (Dual Fan) || RAM: G.Skill Ripjaws V 16GB (2x8) 3200MHz || Motherboard: Asus STRIX Z270-E GAMING || Case: Fractal Design - Define R5 Titanium (Windowless) || Storage: Samsung 850 EVO 500GB, 850 EVO 1TB, Crucial MX300 1.1TB, Seagate Barracuda 2TB || PSU: EVGA SuperNOVA G3 750W

Just realized this might have been better to be posted in Troubleshooting. Sorry about that. 


19 minutes ago, Cotroneo said:

Just realized this might have been better to be posted in Troubleshooting. Sorry about that. 

Neat! You should post a screenshot of the redirect page. Could be a local DNS attack, or maybe somebody with a rogue access point trying to steal your credentials. Could be a virus on your local machine, or the site could have been compromised at the server.

2 minutes ago, KeyboardCowboy said:

Neat! You should post a screenshot of the redirect page. Could be a local DNS attack, or maybe somebody with a rogue access point trying to steal your credentials. Could be a virus on your local machine, or the site could have been compromised at the server.

I only knew that it was a virus because I was on my iPad, and it redirected me to re-verify my credit card. It gets blocked when on Chrome, but I tried it on Safari thinking that it might have been an issue with Chrome. lol
Turns out Safari just has substantially worse security; anyway, it redirects to a classic phishing site where it asks you to login (which I fell for since I was on my iPad) and then after that, it asks for my social security number. 

It doesn't seem to be doing any harm other than constant interference in hopes of phishing, and if it's attempting to phish with such a convincing site, I'm more than positive its only goal is to steal information. 

I just have no idea on how to get rid of it, let alone identify the source.

I should note that it only occurs when connecting to my personal network; my business network, as well as a mobile hotspot 'fixes' this issue on every device (smart TV, iPad, Phone, Computer, etc). So I know it has something to do with my network itself.

I'd post a screenshot, but it's just now a blatant page asking for my social security whenever I try Amazon on my iPad. My computer blocks the site, because of Norton, though.



EDIT:
While typing this, I noticed on my iPad, under Network DNS, when set to automatic it acquires the DNS 5.2.64.158

When I set the DNS to manual and delete that DNS from the settings, it fixes the redirecting on the iPad. Is there any way to globally get rid of that DNS from automatically being set?


On your router, check what the DHCP options are for DNS

System/Server Administrator - Networking - Storage - Virtualization - Scripting - Applications

1 minute ago, Eniqmatic said:

On your router, check what the DHCP options are for DNS

What should I be looking for? I'm in the TP Link thing. I also noticed that my router has that '5.2.64.158' DNS set to primary. I'm not sure how to change it, or if it'll even let me.


There will be an option to change it somewhere. You've already identified that your router has its DNS servers set to the malicious ones; look for "DHCP Server" and look for DNS options within that. What model router do you have?


Also forgot to say, it seems like the DNS servers that your ISP is providing are compromised, unless you manually set those (doesn't sound like you did!).

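The check behind the advice in this thread (look at which resolvers the router hands out over DHCP, and whether the answers they give for amazon.ca differ from a trusted resolver's) can be scripted. The block below is an added example written for this page; it is not code from the thread, from TP-Link, or from the ISP. It assumes 1.1.1.1 as the trusted comparison resolver, a small allow-list of well-known public resolvers, 192.168.0.1 as the router's LAN address, and the amazon.ca answers in the demo are constructed sample data (TEST-NET addresses), not real records. Only the Python standard library is used, with a minimal DNS client so that a specific resolver, rather than whatever the OS is configured with, can be queried directly.

```python
"""Added example: audit the DNS resolvers a network hands out and compare their
answers against a trusted resolver. Standard library only."""
import ipaddress
import socket
import struct

# Assumptions for this example: 1.1.1.1 as the trusted comparison resolver and an
# allow-list of well-known public resolvers. Add your ISP's documented servers.
TRUSTED_RESOLVER = "1.1.1.1"
KNOWN_PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4",
                          "9.9.9.9", "149.112.112.112"}


def build_query(name, txid=0x1234):
    """Build a recursive A query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(name, ips, txid=0x1234, ttl=60):
    """Construct a DNS response with A records for `ips` (constructed sample data
    for the offline demo; a real resolver produces the same layout)."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1, RD, RA
    answers = b"".join(  # owner name is a compression pointer to offset 12
        b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips)
    return header + question + answers


def _skip_name(data, offset):
    """Advance past a (possibly compressed) domain name in wire format."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    answers = set()
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            answers.add(str(ipaddress.IPv4Address(data[offset:offset + 4])))
        offset += rdlen
    return answers


def query(resolver, name, timeout=2.0):
    """Send one A query over UDP to `resolver` and return the addresses it answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def classify_resolver(ip):
    """'local' for a LAN address (the router itself), 'known-public' for an
    allow-listed public resolver, otherwise 'unexpected'."""
    if ipaddress.ip_address(ip).is_private:
        return "local"
    if ip in KNOWN_PUBLIC_RESOLVERS:
        return "known-public"
    return "unexpected"


def audit(configured_resolvers, domains, lookup=query, trusted=TRUSTED_RESOLVER):
    """Flag resolvers that look out of place, and answers that share no address
    with the trusted resolver's answer. `lookup` is injectable so the logic can
    be exercised offline with constructed responses."""
    findings = []
    for resolver in configured_resolvers:
        if classify_resolver(resolver) == "unexpected":
            findings.append(f"{resolver}: not a LAN address or a known public resolver")
        for domain in domains:
            try:
                suspect, reference = lookup(resolver, domain), lookup(trusted, domain)
            except OSError as exc:
                findings.append(f"{resolver}: lookup of {domain} failed ({exc})")
                continue
            if suspect and not (suspect & reference):
                findings.append(f"{resolver}: {domain} -> {sorted(suspect)}, "
                                f"but {trusted} says {sorted(reference)}")
    return findings


if __name__ == "__main__":
    # Offline demo with constructed answers: the resolver from the thread
    # (5.2.64.158) returns an address for amazon.ca that the trusted resolver
    # never returns, while the router's own resolver (assumed 192.168.0.1) agrees.
    canned = {
        ("5.2.64.158", "amazon.ca"): build_response("amazon.ca", ["198.51.100.7"]),
        ("1.1.1.1", "amazon.ca"): build_response("amazon.ca", ["192.0.2.10", "192.0.2.11"]),
        ("192.168.0.1", "amazon.ca"): build_response("amazon.ca", ["192.0.2.11"]),
    }
    for line in audit(["5.2.64.158", "192.168.0.1"], ["amazon.ca"],
                      lookup=lambda r, n: parse_a_records(canned[(r, n)])):
        print(line)
```

To run it against a live network, drop the canned lookup (the default `query` is used) and pass the resolvers shown by `ipconfig /all` on Windows, `scutil --dns` on macOS or `resolvectl status` on Linux, which is also how to confirm that the lease renewal after changing the router's DHCP DNS setting actually took. Two caveats: CDN-hosted sites such as Amazon and Netflix legitimately return different addresses from different resolvers, so a disjoint answer set is a lead rather than proof, and the stronger signal is a resolver that is neither the router nor a server you or your ISP chose. And because the router's DNS setting changed without the owner doing it, fixing the setting is only the first step; the admin password, remote-management settings and firmware version of the router deserve the same look.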

2 minutes ago, Eniqmatic said:

Also forgot to say, it seems like the DNS servers that your ISP is providing is compromised, unless you manually set those (doesn't sound like you did!)

I'm using a TP-Link Archer C3200. Whenever I try and change/save the primary and secondary DNS to something like 1.1.1.1 nothing happens, and that malicious DNS still remains as the primary. Do you think that it could have somehow infected my modem?


When you say it remains, where does it remain? On the device (iPad, Laptop etc) or do you mean on the router? Screenshots of the router would help if you can!


According to the manual, you go to "Advanced > Network > DHCP Server" and change the primary and secondary DNS there. You will need to do a lease renew on the end device for it to take effect. Disabling and re-enabling Wifi might be enough!


1 minute ago, Eniqmatic said:

According to the manual, you go to "Advanced > Network > DHCP Server" and change the primary and secondary DNS there. You will need to do a lease renew on the end device for it to take effect. Disabling and re-enabling Wifi might be enough!

For a screenshot, what shouldn't I include? I'm not sure what network settings I shouldn't be publicly posting. I'm definitely more of a hardware guy than I am a software and network guy. lol

Like should I be blurring out mac address, subnet mask, default gateway, etc?


2 minutes ago, Cotroneo said:

For a screenshot, what shouldn't I include? I'm not sure what network settings I shouldn't be publicly posting. I'm definitely more of a hardware guy than I am a software and network guy. lol

Like should I be blurring out mac address, subnet mask, default gateway, etc?

Nevermind, I just got it to change! Thanks for the help. :)


1 minute ago, Cotroneo said:

For a screenshot, what shouldn't I include? I'm not sure what network settings I shouldn't be publicly posting. I'm definitely more of a hardware guy than I am a software and network guy. lol

Like should I be blurring out mac address, subnet mask, default gateway, etc?

I wouldn't really worry about blurring things out; the only thing you might not want to include is your public IP address. The rest is really useless to anyone else.

 

Did you manage to do the above?


2 minutes ago, Eniqmatic said:

I wouldn't really worry about blurring things out; the only thing you might not want to include is your public IP address. The rest is really useless to anyone else.

 

Did you manage to do the above?

Yup, I got it to stay changed, and I've tested it on multiple devices as of now. I think what may have happened was it was a one time attack that just changed my primary DNS, which had subtle redirects. Basically a Trojan phishing hijack, if that makes sense. 


That's good you got it changed, it's a pretty common attack method really!

