Netgear router AC1200C6220 - Popup ad after login

---

@BrianPHan wrote:

 

After logging into router, got a popup ad of the same form as the notification that i was logged onto the router. 

What does the "Ad" say?

---

@BrianPHan wrote:
I tried to update the firmware, but I don't see anything for firmware update. I did a factory reset. 

 

---

You cannot update firmware on a cable modem. That is in the hands of your ISP.

By the way, your message says C6220 but the footer says D6200v2. If it really is the C6220 you have posted your message in the section of this community given over to DSL Modems.

Your device is a Cable Modem/Router

You might get better replies, and find other answers, over in the appropriate section:

Cable Modems & Routers

I tried to enter this over where you linked to, but the model AC1200 C6220 doesn't exist in the dropdown list. So I'll continue here. This isn't a cable modem, it's a regular router that connects to the cable modem that Comcast provides.  The popups are too fleeting to read or capture with a screen grag. Today, I saw another flashing popup after the login popup saying I was connected. In the same place as that one, as if it was reusing the same window. 

And just now, I got an email demand for bitcoin. Here's the message: 

>Btw, I kno‌w the‌ to‌o‌ di‌rty se‌cre‌ts o‌f yo‌u‌r li‌fe‌. I wi‌ll no‌t e‌xpla‌i‌n yo‌u‌ ju‌st wha‌t e‌xa‌ctly I kno‌w, I've‌ go‌t a‌ll the‌ de‌ta‌i‌ls a‌lo‌ng wi‌th me‌. To‌ sho‌w my po‌i‌nt, a‌llo‌w me‌ i‌nfo‌rm yo‌u‌ tha‌t o‌ne‌ o‌f yo‌u‌r se‌cu‌ri‌ty pa‌sswo‌rds i‌s de‌fi‌ni‌te‌ly beelzebub27. Se‌nd me‌ $2000 vi‌a‌ Bi‌tco‌i‌n to‌ the‌ a‌ddre‌ss 1Dwvfxun7CtH2SfN3H7mqHrWU1DJ3noiy5 i‌n the‌ ne‌xt 43 hrs. I wi‌ll ma‌ke‌ o‌ne‌ thi‌ng ve‌ry cle‌a‌r, tha‌t I wi‌ll me‌ss u‌p yo‌u‌r li‌fe‌ co‌mple‌te‌ly i‌f I do‌n't ge‌t the‌ pa‌yme‌nt. As lo‌ng a‌s I ge‌t the‌ pa‌yme‌nt, I wi‌ll de‌le‌te‌ e‌ve‌ry si‌ngle‌ i‌nfo‌rma‌ti‌o‌n I've‌ wi‌th me‌, a‌nd I wi‌ll di‌sa‌ppe‌a‌r a‌lto‌ge‌the‌r a‌nd yo‌u‌ wi‌ll do‌ no‌t he‌a‌r a‌nythi‌ng fro‌m myse‌lf. Thi‌s i‌s the‌ fi‌rst a‌nd a‌lso‌ la‌st e‌ ma‌i‌l fro‌m me‌ a‌nd a‌lso‌ the‌ o‌ffe‌r i‌s no‌n ne‌go‌ti‌a‌ble‌s, thu‌s do‌ no‌t re‌spo‌nd to‌ thi‌s e‌ma‌i‌l. < (I replied to it anyway. Who knows?) 

Thing is, I created that password yesterday to log in as admin when I reset the device. And that  is a one-time, one-use password.  So they got it from my router yesterday - AFTER - I did a factory reset of the device! 

That suggests that the popups were part of the plan, so that they could get my password somehow. And yes, I did the login and reset using an ethernet cable. It took about 24 hours for this email to be sent. That suggests either a minimal attempt to hide the connection or else that it's on the other side of the world. 

So, I've changed the password again. If this is automated, it should happen again. 

PS - I just looked through my browser settings, wondering what might be there. In Opera, I found a desktop notification I didn't expect from "Sputnik News". The only ones I give permission to are google drive and a couple of webinar sites. I blocked Sputnik. I have read a few articles there recently. Did I click on any links? Might have.  

Sputnik used to be Voice of Russia, run by the government according to Wikipedia. But this is obviously an amateur hack job if it's even related to Sputnik. I can't see the GRU doing something that would actually alert someone they had an admin password on a router. Sigh. Who knows? 

Sounds like your PC may be infected with a keylogger that is tracking what you do on the PC is is sending it on to the sender of the threatening email you received. Hopefully you have a way to scan your PC for a virus/malware.