
Signs Your Router Has Been Hacked and What to Do Next

Hackers Took Over My Router and I Had NO Clue


Graphic artist was a victim of DNSChanger virus. Are you safe?

We’re all aware that hackers can do something to our computers through a network virus. But did you know they can attack your router—the key to directing all your Internet activity? More than that, they can do it in such a sneaky way that you have no clue it’s happened.

That’s what happened to Steve, an accomplished website designer and graphic artist, who gave his exclusive story to WhatIsMyIPaddress.com recently (June 2017).

Steve is a successful, independent graphic designer in Southern California, and he has always seen himself as being fairly computer savvy. “I make my living on my computer and I interact with my clients almost exclusively over the Internet. I count on being able to have a safe and fast Internet connection around the clock.”

And until recently, he’d never had any reason to think anything could be wrong.

Like most computer users—and most likely like you—Steve fired up the computer every day, surfed the Internet, and did his work without a worry.

So, when he received an email from his ISP (Internet Service Provider) to tell him his router or computer might be compromised by a virus called DNSChanger, his blood ran cold. Was this true, or was this just a hacker’s trick to get him to click on an infected website? After all, he was on a Mac, and Macs usually aren’t susceptible to viruses like PCs are, he thought.

There was no reason to think anything was wrong, so he was skeptical at first.

“I wanted to be sure.”

“I’ve read a lot of articles on WhatIsMyIPaddress.com about hackers and online hoaxes. I take a close look at any message before I just click,” Steve explains. “I’m also very cautious about hackers and viruses, and I’m careful about what websites I visit and try to keep my anti-virus programs up to date.”

To his point, hackers often use scare tactics to get computer users to click on ads and links. Usually, they use pop-up ads that say “your computer has been infected” or similar messages.

But this time it was different. This alert came to his email address and by all appearances, it seemed to be from his Internet Service Provider (ISP).

So, this time around, Steve paid attention.

The bad news. His router had indeed been infected!

As it turns out, the email was 100% legitimate—his ISP had indeed detected network activity that indicated his router might have been infected with a well-known virus known as DNS changer. Steve knew he couldn’t dismiss this seemingly legitimate warning without taking a closer look, and he’s glad he did.

“Hey guys…is this real?”

Fortunately, one of Steve’s clients runs the website, WhatIsMyIPaddress.com, so that’s who Steve reached out to first.

“I forwarded him the email I received from my ISP and asked his opinion. I’m glad I did, because, with his help, I found out that my router had been compromised. Hackers had changed my router’s settings and I had absolutely NO clue! I came to learn that they had hacked into my router using a virus called DNSChanger. I’d never heard of it.”

What happened to his router?

Imagine calling your best friend on your cellphone, but reaching another telephone number instead, maybe one that rings up charges. The DNSChanger can do a similar thing when you search for a website from your browser.

Steve had absolutely NO idea that every time he requested to visit a website through his browser, his request wasn’t going through “normal” channels, as it had before. The DNS settings his ISP had chosen for him had been changed. The hackers were now in control.

“You hear all the time that we need to avoid websites that might infect our computer with a virus or launch serious malware. The DNSChanger virus was set up to direct unsuspecting users to those dangerous sites!”

He didn’t know it and for a while neither did his ISP.

What damage can DNSChanger do?

Steve realizes the potential danger his hacked router put him in. “It’s frightening to think what could happen if I interacted on an infected website or some bogus, mirrored site to extract personal details, usernames, passwords, etc. I just hope that I didn’t get tricked into going to those sites. And the scary thing is that I would never know.”

Is your router compromised? You need to find out!

Like Steve, you may be using a computer with a compromised router and not be aware. So, how do you go about finding out?

You’ll need to do some research into your router’s settings as well as find out if there have been any reported hacks to your specific router model.
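
One way to run the settings check described above, as an added example that is not part of the original article: the script reads a DNS server list in resolv.conf format and labels each entry. The sample addresses and the EXPECTED_NETWORKS allowlist are constructed placeholders; replace them with the resolvers your ISP actually assigns.

```python
import ipaddress

# Constructed sample (resolv.conf format, RFC 5737 documentation addresses).
SAMPLE_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver 198.51.100.10
"""

# Assumption: the resolvers your ISP (or you) intentionally configured.
EXPECTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Explicit LAN ranges; ipaddress.is_private is avoided because it also
# matches the documentation ranges used as sample data here.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128")]

def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # malformed entry, skip it
    return servers

def _in_any(addr, networks):
    return any(addr.version == n.version and addr in n for n in networks)

def classify(addr, expected=EXPECTED_NETWORKS):
    """Label one resolver as 'expected', 'local' or 'unexpected'."""
    if _in_any(addr, expected):
        return "expected"
    if _in_any(addr, LAN_NETWORKS):
        # Router answers queries; check its upstream DNS in the admin page.
        return "local"
    return "unexpected"

def audit(text, expected=EXPECTED_NETWORKS):
    """Map each configured resolver to its label."""
    return {str(a): classify(a, expected) for a in parse_nameservers(text)}

if __name__ == "__main__":
    for server, label in audit(SAMPLE_RESOLV_CONF).items():
        print(f"{server:<15} {label}")
```

A "local" result only means the computer sends its lookups to the router. The DNS servers listed on the router's own settings page are the ones a DNSChanger infection alters, so run that list through the same check.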

Is Your Router Under Attack? Here’s What You Need to Know.

Usually hackers are just content to mess up our lives by infiltrating a network and disrupting business. Typically, they find their way into our networks or computers to do their trickery.

Recently they’ve decided to change things up by taking over a home or business’s router, the veritable heart of any home’s or business’s wired or wireless network. They’re having success at hacking routers because they happen to know which models of select router brands have vulnerabilities that can be exploited.

And hackers are not shy about exploiting those weak spots. So, it’s very important for you to be aware of the latest developments so you might be able to avoid the danger.

Who thinks about their router? Not many of us.

In short, you should learn about your router’s security features and investigate whether your router’s firmware (internal software) needs a security update. You should also find out what the password is for updating and managing your router. Yes…there is one, and few people know about it.

This is what hackers are counting on.

This unusual hacker attack has a few twists and turns, so you may want to visit our Learning Center to fill in any knowledge gaps you might come across. It features easy-to-read articles on routers, DNS, and several other terms touched upon in this article.

Alluring ads to lure you in.

The goal of this hack is for hackers to steal valuable ad traffic from large web ad agencies with names like Propellerads, Pop cash and Taboola, and redirect it instead to sites called Fogzy and TrafficBroker.

It’s large scale ad theft. Online advertisers who pay for services to post an ad get swindled when hackers step in and steal their traffic.

And to pull off the online heist, hackers are using you and your router. Without you being aware of it.

DNS Changer attack.

This manipulation is being called a DNS Changer attack vector. (DNS stands for Domain Name System, a networking/Internet process that takes you to websites you want to visit.) The hackers place a small but disruptive piece of malicious software inside your router.

It happens in two primary stages, both involving you clicking on images or ads:

  • You visit a webpage, perhaps one that you visit often and never worry about. On that page one day there may be a new ad that you choose to click on. What you don’t know is that ad was placed, legitimately, by a hacker group; the ad has malicious code embedded in it that may wind up in your router if you click on it. Once the malware is secretly “installed,” all devices connected to the router are redirected to less legitimate ad agencies—connections that are generally not secured and might let viruses slip through. You should not have seen either the website or the ads, but because somewhere along the way a hacker rerouted your request, you got pulled into the old “switcheroo.”
  • So, the next time you key-in a web destination on your Internet browser, instead of going there, you will be redirected to a totally different webpage. On the false webpage—the one the hacker directed you to—there are even more ads that may contain the hacker’s second-level payload…the more-dangerous router malware.

First stage. Targeting you by IP address.

The ads/images in the first stage of the DNSChanger exploit are there to look at IP addresses, casting a net to see whether each one fits into the group of potential router targets. Security experts say that the first round of malicious ads is hosted in waves for a few days at a time, on legitimate ad networks, and displayed on ordinary, and otherwise safe websites.

If this first phase identifies a target router, the attack continues. The router is redirected to a webpage and this time, when a certain image is clicked on by the unsuspecting user, malware is unleashed into the router to exploit weak security. And if you and your router fit a specific profile, you’re in danger.

Second stage. Targeting you by router type, profile.

The malware that’s on the deceptive websites is hoping for one of two situations:

  1. That you’re using one of many routers which have “out-of-date” firmware.
  2. That your router has easy-to-break security due to either a weak or, even worse, a default administrative password—meaning you kept the password your router came with and never bothered to update it. To seasoned hackers, that’s along the lines of using the word “password” as a password.

According to security information websites, hackers and attackers are zeroing in on 165 router models that are vulnerable because the manufacturer has not updated the routers’ internal “firmware” or made it more secure. Hackers keep up to date on this type of news and share it with other hackers.

Somewhere online there’s likely a comprehensive list of all the makes and models; most sites will say that D-Link DSL-2740R, Netgear WNDR3400v3 (plus related models), and Netgear R6200 can all be susceptible to attack. (Apple’s routers, so far, haven’t been exploited with the DNSChanger attack).

With all that’s going on today, DNS Changer and beyond, maybe this is a good time to research your router and find out if it’s vulnerable…before the hackers do.

Read more about this topic.

You can also read the next article in this series that goes over the steps involved with checking your router settings and changing them if you need to.

Also, read our related article about setting up a new password for your router, which, as Steve found out, was at the heart of his problem.

“During the ‘fix it’ process, I discovered that I had never changed the default username and password for my router,” Steve admits, adding he’d also never checked for firmware updates for his router from his manufacturer either. Both of those mistakes are corrected now.
