Threat intelligence group Team Cymru has discovered a widespread compromise of consumer-grade small office/home office (SOHO) routers.
This means attackers could redirect victims to anywhere they wanted, inject their own adverts into web pages or poison search results.
According to Team Cymru, this is one of the fastest growing alternative attack methods that cyber criminals are turning to as it becomes more difficult to compromise computers directly.
The group's whitepaper says the attack exploits more than 300,000 routers from TP-Link, D-Link, Micronet, Tenda and others mainly in Europe and Asia.
Although infections were global, the highest concentrations were found in Vietnam, Italy, Thailand, Indonesia, Colombia, Turkey, Ukraine, Bosnia and Herzegovina, and Serbia.
More on router security
- EE routers vulnerable to ‘incredibly easy’ hack
- D-Link begins fixing router backdoor
- Is BT ‘embedding secret spy equipment’ in routers?
- Analyzing the risks of the D-Link router backdoor
- Identifying and preventing router, switch and firewall vulnerabilities
- Cisco APIC controller extended to campus and WAN switches and routers
- Huawei router security: Is there legitimate cause for concern?
- Five key issues admins face when configuring Cisco routers and switches
- Juniper LN2600: Rugged router for harsh environments, M2M applications
- Prioritizing the need to update Cisco routers: Is it urgent?
Researchers said consumer unfamiliarity with configuring these devices, frequently insecure default settings, backdoors in firmware and commodity-level engineering standards make SOHO routers an attractive target for cyber criminals.
It is not yet clear what the attackers intended to do with the collection of compromised routers.
Team Cymru researcher Steve Santorelli said the reason for creating the network of hijacked routers was still "mysterious" as the attackers did not seem to have abused their control for malicious ends.
However, the attack had some similarities with an incident seen in Poland, which involved hijacked home routers being redirected to malicious websites designed to steal bank login credentials.
"It's a definite evolution in technology - going after the internet gateway, not the end machine," Santorelli told the BBC.
Team Cymru said it has contacted law enforcement about the attack and informed ISPs with a lot of compromised customers.
The mitigation advice in the whitepaper is to check devices' DNS settings, restrict or disable remote admin, and if possible, to block access to the attackers' DNS addresses.