Router Administrator Login Spoof

[CatsnDogs]

Hello,

I recently had a pop-up appear while browsing that requested my login credentials to my browser (192.168.xxx).  The curious thing is that the pop-up was a carbon copy of my router's administrator login page, right down to the make and model number and color scheme.  Everything was the same, except for the site address, which belonged to "pix1.payswithservers", and was attached with "Main_Login.asp" at the end (I use an Asus router).

Googling this did not yield many results.

I ran multiple AVs including Malwarebytes, all of which came back negative.  My router firmware has been up to date.  DNS settings for my router were unchanged (automatic), and remote management via WAN was turned off.

I've encountered pop-ups before, all of which were more or less similar.  This pop-up however was different because of the aforementioned details.

Have malicious pop-ups been known to phish for login credentials to routers?  And so specifically at that.  I asked around and it seems router make / model information is available to the public, though these particular pop-ups don't seem to be typical (I have been unable to find anyone with a case similar to mine).

Any help would be much appreciated.

[David H. Lipman]

It's a Phish site. 

All you can do is make sure you changed the default Router password, disable management from the Internet POV and make sure the Router password is a Strong Password.

If you had the fully qualified URL, it can be submitted to be blocked by Malwarebytes' products.  This is done in;  Newest IP or URL Threats after reading  READ ME: Purpose of this forum

[CatsnDogs]

Thank you very much for the response.

I have the fully qualified URL, I'll try submitting it.

Thank you again.