
If you’ve recently found your web browsing plagued by pornographic pop-ups and irritating adverts, there might be a simple – but dangerous – explanation.

Maybe hackers have hijacked your internet router?

Security researchers at Ara Labs have warned of an active campaign which has seen attackers changing DNS settings on routers, causing unauthorised ads and adult content to appear on virtually all websites affected users visit, generating income for the attackers.

DNS records work like a telephone book, converting human-readable website names like tripwire.com or google.com into a sequence of numbers understandable by the internet. A problem occurs, however, if someone manages to change the lookup – so when your browser tries to reach google.com it is really taken to a different website entirely.

One way to do this is for an attacker to break into your internet router (perhaps because you are using the default security settings, or have an easy-to-crack password, or because you have not kept it patched against security vulnerabilities) and meddle with its DNS settings.

An Ara Labs blog post explains the threat in more detail:

When one of these router DNS hijacks is successful, the DNS settings on the router are changed to point to a rogue DNS server controlled by the attackers. By default, most common operating systems (Windows, OS X, iOS, Android, Ubuntu) are configured to automatically retrieve their DNS settings from the router when they connect to a network (via DHCP). This means that when a device connects to a compromised router’s network it will be automatically configured to use the same rogue DNS settings as the router.

If an attacker controls the DNS server that you are using to look up an IP they can substitute the correct IP for the IP of a server that is under their control. Then you might connect to this IP thinking that you are connecting to a certain domain when in fact you are connecting to a server controlled by the attacker.

It’s easy to imagine such a technique being deployed to dupe users into believing that they are visiting genuine online banking websites, but Ara Labs is reporting that this latest attack is exploiting the fact that so many websites on the internet run a Google Analytics script to measure and track visitor traffic.

The rogue DNS server responds to requests to access google-analytics.com with a bogus IP address, tricking browsers into running code which is under the attackers’ control.
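The two symptoms described above (the router hands out resolver addresses you did not choose, and those resolvers give a different answer for google-analytics.com than a resolver you trust) are both checkable from an affected machine. The following is an added example, not code from the article or from Ara Labs: it parses resolv.conf-style text for the DHCP-supplied nameservers, compares them with the resolvers you expect, and flags watched domains whose locally resolved address is not among the answers a trusted resolver returned. All addresses are constructed placeholders from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), not real resolver or Google addresses, and the expected-resolver list and trusted answers are assumed to have been obtained out of band (from your ISP's documentation or a resolver you reach by a known address).

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Domains that appear on almost every page; a rogue resolver only needs to
# lie about these to get attacker-controlled code onto every site you visit.
WATCHED_DOMAINS = ("google-analytics.com", "www.google-analytics.com")

# Constructed sample data (documentation IP ranges, not real addresses).
EXPECTED_RESOLVERS = ["192.0.2.53", "192.0.2.54"]          # what the ISP should hand out
SAMPLE_RESOLV_CONF = (                                     # what DHCP actually handed out
    "# Generated by DHCP\n"
    "search home.lan\n"
    "nameserver 203.0.113.66\n"
    "nameserver 203.0.113.67\n"
)
SAMPLE_LOCAL_ANSWERS = {                                   # answers from the DHCP resolvers
    "google-analytics.com": "203.0.113.80",
    "www.google-analytics.com": "198.51.100.10",
}
SAMPLE_TRUSTED_ANSWERS = {                                 # answers from a trusted resolver
    "google-analytics.com": {"198.51.100.10", "198.51.100.11"},
    "www.google-analytics.com": {"198.51.100.10"},
}


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(configured: Iterable[str], expected: Iterable[str]) -> List[str]:
    """Return every configured resolver that is not in the expected set."""
    expected_set = {ipaddress.ip_address(a) for a in expected}
    return [a for a in configured if ipaddress.ip_address(a) not in expected_set]


def answer_mismatches(local: Dict[str, str], trusted: Dict[str, Set[str]],
                      watch: Iterable[str] = WATCHED_DOMAINS) -> List[Tuple[str, str, Set[str]]]:
    """Return (domain, local_answer, trusted_answers) for each watched domain
    whose local answer is not among the trusted resolver's answers."""
    out = []
    for domain in watch:
        if domain in local and domain in trusted and local[domain] not in trusted[domain]:
            out.append((domain, local[domain], trusted[domain]))
    return out


def assess(resolv_conf_text: str, expected: Iterable[str],
           local: Dict[str, str], trusted: Dict[str, Set[str]]) -> dict:
    """Combine both checks into a verdict.

    A resolver you did not choose plus a disagreeing answer for a watched
    domain is the pattern described in the article; either signal alone
    only warrants a closer look (ISPs do change resolvers, and CDN-hosted
    domains can legitimately answer differently per resolver location).
    """
    configured = parse_resolv_conf(resolv_conf_text)
    rogue = unexpected_resolvers(configured, expected)
    mismatches = answer_mismatches(local, trusted)
    if rogue and mismatches:
        verdict = "likely_hijacked"
    elif rogue:
        verdict = "unexpected_resolver"
    elif mismatches:
        verdict = "answers_differ"
    else:
        verdict = "clean"
    return {"configured": configured, "rogue": rogue,
            "mismatches": mismatches, "verdict": verdict}


if __name__ == "__main__":
    result = assess(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS,
                    SAMPLE_LOCAL_ANSWERS, SAMPLE_TRUSTED_ANSWERS)
    print("verdict:", result["verdict"])
    for domain, got, want in result["mismatches"]:
        print(f"  {domain}: local resolver said {got}, trusted resolver said {sorted(want)}")
```

On a real machine the resolv.conf text comes from /etc/resolv.conf (or the equivalent OS setting) and the two answer dictionaries from querying the DHCP-supplied resolver and a trusted one for the same names. The "answers_differ" verdict on its own is deliberately not treated as a hijack, because analytics and CDN domains often resolve to different addresses depending on which resolver asks; the combination with an unexpected resolver is what matches the campaign the article describes.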

Rogue DNS server sending incorrect results for domain lookup

In other words, you can visit an entirely legitimate and innocent website only to find that it is now peppered with additional adverts, helping the hackers earn income through affiliate schemes. In addition, the adverts displayed might be for content which the site would not normally think appropriate – such as adult webcam sites and pornographic content.

Injected advert on Huffington Post

None of that is the website owners’ fault, but chances are that you would think that they were responsible – and not realise that your router has been hijacked.

A video produced by Ara Labs demonstrated the malware injecting adverts onto popular websites such as the Huffington Post and the New York Times.

The injected code could, of course, just as easily contain a malicious exploit kit designed to infect visiting computers with malware by taking advantage of, say, an Adobe Flash vulnerability.

The fact of the matter is that the hackers now have control, and are able to do what they want with the code they can run on virtually all of the websites you are likely to visit.

Your best defence? Make sure that you have kept your router’s firmware properly patched with the latest updates, and never stick with the default login credentials provided when you first purchased the device.

  • valdikss

    This guy who did this is from Russia. Last week he attacked only Russian routers and hijacked DNS records to google-analytics and yandex.metrika (popular Russian analytics). We found him and shut down his servers, and even had a talk with him. He swore he won't do this again.
    http://tjournal.ru/paper/antisanctions-safari-yan
    https://gist.github.com/ValdikSS/2706f643bbfa0bb5

  • Vito

    Terrific…more mischief thanks to Google (this time, via Google Analytics). When I first installed the NoScript plugin for my browser, I was surprised…alarmed, actually, to find how many sites use Google Analytics. Ditto for googleapis.com.

    Unfortunately, blocking their scripts disables the functionality of some websites. So, while running NoScript (or some other blocker) might protect you against the kind of threat reported here, if you even temporarily and selectively allow such scripts to run so you can get a given website to work, there goes the ball game if your router has already been hijacked.

    Thanks for the article, Graham. I think you've given the best advice you can under the circumstances, but the hard reality is that WWW connectivity is an increasingly perilous venture for users who aren't actively engaged in the ONGOING process of increasing their awareness of security and privacy.

    • jbl in AZ

      Graham and Vito both: Well said. Vito's comments on the original advice are quite valid.

  • Profacts

    Nice work.

  • Mary Willson

    The post is helpful. People might solve the pop-up ads problem effectively according to the information. But there are exceptions. Malware can cause ads and computer security issues. Only removing malware and vicious hidden files can remove ads completely. Take the notorious DNS Unlocker for example.

  • Senthil Kumar Bnegative

    seriously i have the same prob. my ip and dns are changing repeatedly. i tried multiple ways. none worked. reset the router. it is happening again. any solution?

  • Saabir Mohamed

    this exact thing happened to me …I resolved it last night for a short while by logging onto my router … only to find the DNS being given to my clients was some unknown address 302…. something
    I checked online for my isp’s actual address and manually configured it back…and the problem disappeared … the funny thing is i did not leave my router's login at defaults but use my complicated password there…how did it get reconfigured….also I changed the admin password again…after I fixed the issue last night.
    anyways the router went back to the same problem in about a day…but this time I could not even get back in…with my new password.

    now I reset it again…factory reset…configured a strong password AGAIN for both router and wifi…problem again has gone…not sure if this will resolve the matter FOR GOOD.

    I’m sure there is a backdoor or exploit on these router builds … because precautions don’t seem to work…

    one more thing to note is the default subnet my router should give is 10.x.x.x but
    my router during the issue goes to 192.x.x.x. WTF. quite a busy hack..takes the time to reconfigure the subjects given to dhcp clients???

    the primary thing it seems to do when infected , is every single web site you visit opens just for a second or 2 and then redirects to a site …. In fact I came across this post by typing that into google…
    that site then makes multiple requests to other urls…finally displaying sites with either scams for some sort of phishing tech.

    I am currently in South Africa and it seems Telkom (a huge ISP here) has become an easy target.

    something has to be done.

    I hope there’s something permanent I can do…if someone can ping me

  • WaywardWerewolf

    Would a clean install of the OS and router reset solve this problem? I really hope it will because I’m planning to do that.

    Edge browser is giving me redirections nearly every time I open a new page, to pages like xttaff.com, or offer.alibaba, or offerjuice.me—extremely annoying!
    Also, I’ve been noticing some suspicious files without extension in my Download folder, they’ve been downloaded without my consent, e.g. ha], x!bx, d, 5#, 1, GA, MGA, !, and G@—all of these files appear to be without extensions.