Two Devices in London Commandeer 300,000 Victims’ Routers

Technology // Vietnam, India, Italy, Thailand, and Colombia

The small office and home office routers, owned by unwitting consumers mostly in Eastern Europe and Asia, have succumbed to a hack that can – but has yet to – send users to data-stealing sites.

Researchers at security firm Team Cymru discovered the router infestation “that has effectively hijacked the Internet for more than a quarter of a million computers,” the Verge reports. “The exploit works by redirecting computers to different DNS servers, allowing the network to misdirect web traffic from its victims.”

There is no evidence of switcheroo campaigns yet, but the team is still investigating. This all seems to be coordinated by two IP addresses located in London, both registered to a hosting company called 3NT Solutions.

A study by the team warns each compromise has the potential to redirect end users to sites that attempt to steal banking passwords or push booby-trapped software, according to Ars Technica.

Your router has been compromised if the DNS settings have been changed to 5.45.75.11 and 5.45.76.36, the pair of IP addresses responsible for the exploitation.
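The check described above can be scripted from a client behind the router. The following is an added example, not code from the article or from Team Cymru; it assumes a Unix-style client whose resolver list is in resolv.conf format, and the names `parse_nameservers` and `assess` are hypothetical.

```python
import ipaddress

# The two resolver addresses the article gives as the sign of compromise.
ROGUE = {ipaddress.ip_address("5.45.75.11"), ipaddress.ip_address("5.45.76.36")}


def parse_nameservers(text):
    """Return the addresses on 'nameserver' lines of resolv.conf-format text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            ip = ipaddress.ip_address(fields[1].split("%", 1)[0])  # drop zone id
        except ValueError:
            continue  # skip malformed entries
        # Treat ::ffff:a.b.c.d as the IPv4 address it maps to.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        servers.append(ip)
    return servers


def assess(text):
    """Return (verdict, addresses) for one client's resolver configuration."""
    servers = parse_nameservers(text)
    rogue = [str(ip) for ip in servers if ip in ROGUE]
    if rogue:
        return "compromised", rogue
    listed = [str(ip) for ip in servers]
    # Only local forwarders (router LAN address, 127.0.0.53 stub) or nothing:
    # the upstream resolvers live in the router's own settings, so this
    # client cannot rule the hijack out.
    if all(ip.is_private or ip.is_loopback or ip.is_link_local for ip in servers):
        return "inconclusive", listed
    return "not-listed", listed


if __name__ == "__main__":
    # Constructed sample configurations, not taken from the article.
    samples = {
        "hijacked": "nameserver 5.45.75.11\nnameserver 5.45.76.36\n",
        "router-proxy": "# set by DHCP\nnameserver 192.168.1.1\n",
        "public": "nameserver 9.9.9.9\n",
    }
    for name, conf in samples.items():
        print(name, assess(conf))
```

An "inconclusive" verdict means the client only sees the router as its resolver, so the DNS fields in the router's own administration page have to be compared against the two addresses directly.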

The network of zombie routers can’t be called a “botnet” – the term for a mass of computers exploited to communicate with a remote malicious server – because the compromise is limited to routers rather than the victims’ computers.

But this breach could penetrate deeper than a typical botnet. “Without precautions, attackers can use the router to direct a given URL (in this case, mbank.pl) to whichever server they want, carrying out more sophisticated attacks from there,” according to the Verge.

The vulnerability in the routers that let in the hackers is two years old. Most devices in the U.S. and Western Europe have already been inoculated against it.

ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves.