Cybercriminals Hijack Internet Connections by Changing DNS Settings in Routers

Geographical distribution of impacted routers

Security holes in various home and small office routers are allowing cybercriminals to change the devices’ DNS settings in an effort to redirect users to arbitrary IP addresses and domains. Experts have identified 300,000 compromised wireless routers.

According to Team Cymru researchers, most of the impacted devices are located in Europe and Asia. Most of the victims have been spotted in Vietnam, but compromised machines have also been identified in India, Italy and Thailand.

The campaign is said to have started in mid-December 2013 or possibly earlier.

Interestingly, the attackers are exploiting several vulnerabilities to hijack a wide range of routers, including ones made by TP-Link, Micronet, D-Link and Tenda.

The exploits leveraged by the cybercriminals include a recently-disclosed authentication bypass in ZyXEL firmware, and cross-site request forgery (CSRF) issues, such as the one found by security researcher Jakob Lell back in October 2013.

Experts say small office and home (SOHO) routers are an attractive target to cybercriminals because they’re easy to compromise. Furthermore, taking control of routers enables them to make considerable profit without too much effort.

Once they hijack the devices, the attackers can direct users to malware or phishing sites, replace advertisements, and even redirect search results.

So how can you tell if your device has been compromised? The DNS settings are altered to send request to these IP addresses: and If your router is configured with these DNS servers, you are impacted by this attack.

The problem with these DNS poisoning attacks is that – similar to the case of the notorious DNSChanger malware – once the malicious servers are taken down, victims are no longer able to access the Web until they restore DNS settings. This makes mitigation a bit more problematic.

A couple of similar attacks were spotted in the past period. One of them involves the Moon worm which targets Linksys routers. In another campaign, analyzed by CERT Poland, cybercriminals hijacked the DNS settings of routers to lure unsuspecting Internet users to fake bank websites in an effort to steal their data.

However, Team Cymru says the attacks don’t appear to be connected. The security firm has reached out to impacted vendors to let them know about the malicious campaign.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s