As you read these words, malicious ads on legitimate websites are targeting visitors with malware. But that malware doesn’t infect their computers, researchers said. Instead, it causes unsecured routers to connect to fraudulent domains.
Using a technique known as steganography, the ads hide malicious code in image data. The hidden code then redirects targets to webpages hosting DNSChanger, an exploit kit that infects routers running unpatched firmware or are secured with weak administrative passwords. Once a router is compromised, DNSChanger configures it to use an attacker-controlled domain name system server. This causes most computers on the network to visit fraudulent servers, rather than the servers corresponding to their official domain.
Patrick Wheeler, director of threat intelligence for security firm Proofpoint, told Ars: