Arminius
  • 45.2k
  • 14
  • 147
  • 139

Yes, your router's primary DNS entry was pointed to a rogue server to redirect you to phishing sites. The router possibly got compromised through an unpatched vulnerability in its firmware.

I have an Asus AC87U, FW Version 3.0.0.4.380.7743 (1 release behind).

Your release is over half a year old. The latest release 3.0.0.4.382.50010 (2018-01-25) comes with lots of security fixes, including RCE vulnerabilities which may have been exploited here.

Security fixed

  • Fixed KRACK vulnerability
  • Fixed CVE-2017-14491: DNS - 2 byte heap based overflow
  • Fixed CVE-2017-14492: DHCP - heap based overflow
  • Fixed CVE-2017-14493: DHCP - stack based overflow
  • Fixed CVE-2017-14494: DHCP - info leak
  • Fixed CVE-2017-14495: DNS - OOM DoS
  • Fixed CVE-2017-14496: DNS - DoS Integer underflow
  • Fixed CVE-2017-13704: Bug collision
  • Fixed predictable session tokens(CVE-2017-15654), logged user IP validation(CVE-2017-15653), Logged-in information disclosure (special thanks for Blazej Adamczyk contribution)
  • Fixed web GUI authorization vulnerabilities.
  • Fixed AiCloud XSS vulnerabilities
  • Fixed XSS vulnerability. Thanks for Joaquim's contribution.
  • Fixed LAN RCE vulnerability. An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
  • Fixed remote code execution vulnerability. Thanks to David Maciejak of Fortinet's FortiGuard Labs
  • Fixed Smart Sync Stored XSS vulnerabilities. Thanks for Guy Arazi's contribution.
  • Fixed CVE-2018-5721 Stack-based buffer overflow.

(Source)

Although Asus doesn't publish bug details, attackers might have independently discovered some of the critical vulnerabilities patched in that release. Diffing firmware releases to reverse-engineer what parts were patched is usually quite straightforward, even without access to the original source.

Also, this looks like it's part of a more widespread recent attack. This tweet from three days ago seems to describe a very similar incident to what you experienced:

My ASUS home router was apparently hacked and a rogue DNS server in Dubai added to the configuration. It redirected sites like http://apple.com to a phishing site that (I think) I caught before my children gave away their credentials. Check your routers kids.

(@harlanbarnes on Twitter, 2018-03-09)

[...] my browser warned me (Google Chrome) saying this website was not secure. [...] I began to suspect maybe my Mac machine had been infected [...]

The fact that you got certificate warnings makes it less likely that an attacker managed to get into your machine. Otherwise, they could have messed with your local certificate store or browser internals and wouldn't need to conduct a blatant DNS spoof.

No one has access to my router administration page aside from me on the network

Even if your router interface isn't visible from outside your network, it can be vulnerable to a range of attacks. As an example, take this Netgear router arbitrary code execution exploit from a while ago which had Netgear routers execute arbitrary commands sent as part of the URL.

The idea here is to trick you into visiting a prepared website that makes you conduct the attack yourself by issuing a specially crafted cross-origin request to the router interface. This can happen without you noticing and wouldn't require your interface to be remote accessible.

Ultimately, the given information doesn't reveal the exact attack path. But it's plausible that they leveraged vulnerabilities in your outdated firmware release. As an end user you should at least update your firmware as soon as possible, do factory resets if necessary, and keep your router interface password-protected even if it's only accessible from the intranet.

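The cross-origin attack path sketched in the answer (a malicious page making the victim's own browser submit a settings change to the router's LAN-only admin interface), as an added example that is not part of the answer and not code from any Asus or Netgear firmware. It models a toy "apply DNS" endpoint twice: once authenticated by session cookie alone, which is all a browser-triggered cross-site request needs, and once with an Origin/Referer check plus a session-bound CSRF token. The router address, endpoint path, parameter names, cookie name and the rogue resolver address are all assumptions chosen for illustration (203.0.113.53 is a documentation range, not a real rogue server).

```python
"""Toy model of a router admin endpoint hit by a cross-site request.

Added example for the answer above; none of this is real firmware code.
Endpoint, parameter and cookie names are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs

ROUTER_ORIGIN = "http://192.168.1.1"  # assumed LAN address of the admin UI


@dataclass
class Request:
    """Minimal stand-in for an HTTP request reaching the router's web UI."""
    method: str
    path: str
    body: str = ""
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Router:
    """Router state: the admin's session, a CSRF key and the WAN DNS setting."""
    session_id: str = field(default_factory=lambda: secrets.token_hex(16))
    csrf_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    dns_primary: str = "192.168.1.1"  # default: router forwards DNS itself

    def _logged_in(self, req: Request) -> bool:
        # The browser attaches the session cookie to *every* request to this
        # origin, including ones a third-party page triggered: the CSRF root cause.
        return hmac.compare_digest(req.cookies.get("session", ""), self.session_id)

    def csrf_token(self) -> str:
        """Token derived from the session; only the router's own pages carry it."""
        return hmac.new(self.csrf_key, self.session_id.encode(), hashlib.sha256).hexdigest()

    # Vulnerable handler: a valid session cookie is the only check.
    def apply_dns_vulnerable(self, req: Request) -> int:
        if req.path != "/apply_dns" or not self._logged_in(req):
            return 403
        self.dns_primary = parse_qs(req.body)["dns_primary"][0]
        return 200

    # Hardened handler: same cookie check, plus proof the request came from the UI.
    def apply_dns_hardened(self, req: Request) -> int:
        if req.path != "/apply_dns" or req.method != "POST" or not self._logged_in(req):
            return 403
        # 1. Origin/Referer must be the router's own UI; a form auto-submitted
        #    from another site carries that site's origin instead.
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not origin.startswith(ROUTER_ORIGIN):
            return 403
        # 2. The token is embedded in the legitimate form; a page on another
        #    origin cannot read it, so it cannot forge a complete request.
        params = parse_qs(req.body)
        token = params.get("csrf_token", [""])[0]
        if not hmac.compare_digest(token, self.csrf_token()):
            return 403
        self.dns_primary = params["dns_primary"][0]
        return 200


def attacker_page_request(router: Router) -> Request:
    """What the victim's browser sends when a malicious page auto-submits a
    <form action="http://192.168.1.1/apply_dns" method="POST">. The browser
    adds the victim's cookie (the attacker never learns its value); the
    attacker's page sets the body and is marked by its own Origin header."""
    return Request(
        method="POST", path="/apply_dns",
        body="dns_primary=203.0.113.53",  # constructed rogue resolver address
        cookies={"session": router.session_id},
        headers={"Origin": "http://evil.example"},
    )


def legitimate_request(router: Router, dns: str) -> Request:
    """The same change made by the admin through the router's own form."""
    return Request(
        method="POST", path="/apply_dns",
        body=f"dns_primary={dns}&csrf_token={router.csrf_token()}",
        cookies={"session": router.session_id},
        headers={"Origin": ROUTER_ORIGIN},
    )


def demo() -> dict:
    """Replay the cross-origin request against both handlers; return outcomes."""
    vuln = Router()
    vuln.apply_dns_vulnerable(attacker_page_request(vuln))
    hard = Router()
    attack_status = hard.apply_dns_hardened(attacker_page_request(hard))
    dns_after_attack = hard.dns_primary
    admin_status = hard.apply_dns_hardened(legitimate_request(hard, "1.1.1.1"))
    return {
        "vulnerable_dns_after_attack": vuln.dns_primary,
        "hardened_attack_status": attack_status,
        "hardened_dns_after_attack": dns_after_attack,
        "hardened_admin_status": admin_status,
        "hardened_dns_after_admin": hard.dns_primary,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the vulnerable handler silently switching the primary DNS to the attacker's address while the hardened one rejects the same request and still accepts the admin's own form submission. The Netgear example in the answer used a GET with the command in the URL, which a plain `<img>` or link can trigger; that is why the hardened handler also refuses anything but POST. Marking the session cookie `SameSite=Strict` would stop the browser from attaching it to cross-site requests in the first place, which is a third layer not modelled here.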