Q&A Malware on Public WiFi Hotspot

marhendray

Level 1
Thread author
Nov 20, 2021
22
Hello MalwareTips members. Yesterday, a couple of my friends tried to sign in to the University public WiFi/hotspot as usual, but suspiciously, after every successful login, the WiFi always redirected them to a suspicious website to download a picture. Fortunately, it was blocked by their antivirus. I also tried to access it (making sure that it wasn't a false alarm) on my separate smartphone, and it was blocked as well.

Is this an infection on the router or the landing page (login website)? And I am a little confused how a picture (jpg) file could transmit a malicious file.

Thank you MalwareTips!

[Attachments: 12.png, Smartphone.jpg]

Last edited by a moderator.

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
4,952
Links edited because those are actively malicious, and there is no need to risk infecting viewers who think it might be a "great" idea to test their browsers or AV without using a correctly protected environment.

Is this an infection on the router or the landing page (login website)? And I am a little confused how a picture (jpg) file could transmit a malicious file.
It's the webpage that has the malicious file, not the router. A .jpg file, or other image files too, can be coded to drop, as in this case, other malicious files.

If this is a constantly occurring issue, the best advice would be to immediately contact the IT staff at the University. They can, or should be able to, fix it.

marhendray

Level 1
Thread author
Nov 20, 2021
22
Links edited because those are actively malicious, and there is no need to risk infecting viewers who think it might be a "great" idea to test their browsers or AV without using a correctly protected environment.


It's the webpage that has the malicious file, not the router. A .jpg file, or other image files too, can be coded to drop, as in this case, other malicious files.

If this is a constantly occurring issue, the best advice would be to immediately contact the IT staff at the University. They can, or should be able to, fix it.
Thanks! I will definitely contact them now. Should I remove the link (image) or leave it as a spoiler? I have a bad feeling that the info-stealer incident has happened again, like in the last 2 months.

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
4,952
Thanks! I will definitely contact them now. Should I remove the link (image) or leave it as a spoiler? I have a bad feeling that the info-stealer incident has happened again, like in the last 2 months.
No need to do anything with the images in this thread, as I already fixed them.

A small tip/hint while you and your friends wait for help from the IT staff: try using a VPN. Those, along with an AV, are a very good security layer, as for example malicious redirections get much harder for an attacker. VPNs are in general recommended when connecting to public WiFi/hotspots.

marhendray

Level 1
Thread author
Nov 20, 2021
22
No need to do anything with the images in this thread, as I already fixed them.

A small tip/hint while you and your friends wait for help from the IT staff: try using a VPN. Those, along with an AV, are a very good security layer, as for example malicious redirections get much harder for an attacker. VPNs are in general recommended when connecting to public WiFi/hotspots.
Thanks! I think the IT team is working on the problem now.

marhendray

Level 1
Thread author
Nov 20, 2021
22
Thank you everyone for your responses. There are three points I noted from them, with their permission of course.

1. The incident was caused by outdated or malicious web plugin(s) used on the login page. This part is too technical; I have no idea what they said. I heard "injeksi kode jarak-jauh", remote code injection (?).
2. Serious security measures by purchasing Fortinet or Trend Micro.
3. The time of the attack was interesting (1 day before the National Holiday).

Dear @upnorth, @ScandinavianFish and MalwareTips members, thank you for your help.

bjm_

Level 13
Verified
Top poster
Well-known
May 17, 2015
605
Adding related info from the opening post:
Web Attack: Suspicious Executable Image Download
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=22819
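The moderator's point earlier in the thread (a file served as a .jpg can really be a dropper for other malicious files) and the signature name linked above ("Suspicious Executable Image Download") come down to the same check a defender can run on a proxy log or a captured download: does the file's real header agree with the type its name and Content-Type claim? The Python below is an added example, not code from this thread or from Broadcom's signature; the sample "responses" are constructed, and the names classify_download, scan_responses and Verdict are my own.

```python
"""Added example (not from the thread or from Broadcom): flag a download that is
labelled as an image but whose leading bytes are those of an executable.
Names and sample records here are constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable

# Leading bytes ("magic numbers") of common image and executable formats.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
EXECUTABLE_MAGIC = {
    b"MZ": "pe",                       # Windows PE (and DOS) executables
    b"\x7fELF": "elf",                 # Linux/Unix ELF binaries
    b"\xcf\xfa\xed\xfe": "macho64",    # 64-bit Mach-O, little-endian
    b"\xca\xfe\xba\xbe": "macho-fat",  # Mach-O universal binary
}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


@dataclass
class Verdict:
    filename: str
    declared_image: bool   # name or Content-Type says "image"
    actual_kind: str       # what the header bytes say, or "unknown"
    suspicious: bool
    reason: str


def sniff_kind(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_download(filename: str, content_type: str, data: bytes) -> Verdict:
    """Compare the declared type (extension / Content-Type) with the real header."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared_image = ext in IMAGE_EXTENSIONS or content_type.lower().startswith("image/")
    actual = sniff_kind(data)
    if declared_image and actual in EXECUTABLE_MAGIC.values():
        return Verdict(filename, True, actual, True,
                       f"declared as image but header is {actual} executable")
    if declared_image and actual == "unknown":
        # Not necessarily malicious (an image format not listed above would land
        # here too), so it is reported for review rather than flagged.
        return Verdict(filename, True, actual, False,
                       "declared as image; header not recognised, review manually")
    return Verdict(filename, declared_image, actual, False, "declared and actual type agree")


def scan_responses(responses: Iterable[tuple[str, str, bytes]]) -> list[Verdict]:
    """Run the check over (filename, content_type, body) records; return only the hits."""
    return [v for v in (classify_download(*r) for r in responses) if v.suspicious]


# Constructed sample downloads, of the kind a captive portal could redirect a client to.
SAMPLE_RESPONSES = [
    ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 24),
    ("promo.jpg", "image/jpeg", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("logo.png", "image/png", b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24),
    ("setup.exe", "application/octet-stream", b"MZ\x90\x00" + b"\x00" * 60),
]

if __name__ == "__main__":
    for v in scan_responses(SAMPLE_RESPONSES):
        print(f"ALERT {v.filename}: {v.reason}")
```

Only the first few bytes of each body are needed, so the same check can sit inline on a proxy or be run afterwards over saved downloads. A plain executable served with an honest name and Content-Type (setup.exe above) is deliberately not flagged here: the signal this check targets is the mismatch between what a file claims to be and what it is, which is exactly what the thread's "picture that the AV blocked" describes.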