A cybercrime vigilante known as Kafeine says criminals are hitting thousands of victims with a hacking tool that targets more than 40 router models.
The well-known hacker says the novel attacks use cross-site request forgery and exploits against new and old bugs to change router DNS settings.
This bypasses the need to target only routers with vulnerable remote services. Kafeine says the most popular routers can be targeted including Netgear, D-Link, and Asus to name a few.
The hacker says the attackers' have set up a dodgy DNS service that doesn't direct traffic faithfully. Instead, Kafeine says victims are pointed to phishing sites whenever, for example, they attempt to log into internet banking portals.
One such dodgy DNS server received up to a million unique hits on 9 May, he says.
"Knowing that CVE-2015-1187 has been released on 2 March I guess this attack is pretty effective since the percentage of routers updated in the past two months is probably really low," he says
That D-Link patch was released 4 March for some affected models. Other vulnerabilities the attack tool exploits have also been patched although it is unlikely given history that users have undergone the manual labour to apply the fixes.
Google's legitimate DNS is set as the router's secondary service to avoid alerting victims should the primary malicious server go down.