Related topics

Broadband routers welcome drive-by hackers

JavaScript-enabled DNS chicanery

hands waving dollar bills in the air

Still using the default password that came with that nice broadband router you installed at home? Time to get off your butt and change it: visiting the wrong website is enough to have key settings changed on the most popular models.

Symantec warns attackers can employ a simple piece of JavaScript to modify a router's domain name server settings. Once the router is rebooted, a rogue DNS will send the victim to spoofed websites with malicious intent.

That could unleash all kinds of new phishing expeditions, Symantec says. For example, the new DNS could route a request for bankofamerica.com or Microsoft's update site to fraudulent sites that steal login details or install back doors.

A proof of concept works with popular models made by Linksys, D-Link and Netgear, but only if they use the default password. Hence, the attack can be thwarted by setting a new password that's not easy to guess.

As with many of the recently discovered browser-related vulnerabilities, attacks also require JavaScript to be enabled. Running a program such as the NoScript extension to Firefox is also a safeguard in these cases. ®

Sponsored: 5 critical considerations for enterprise cloud backup