Cybercriminals compromise home routers to attack online banking users
Attacks recently discovered in Poland involved cybercriminals hacking into home routers and altering their DNS settings so they could intercept user connections to online banking websites.
“The attack is possible due to a number of vulnerabilities in home routers which make DNS settings susceptible to unauthorized remote changes,” the Polish CERT researchers said Thursday in a blog post. “In the ensuing man-in-the-middle attack content of several e-banking sites was changed to contain JavaScript injects that tricked users into giving up their usernames, passwords and TANs [transaction authentication numbers]. Effectively, cash is stolen from users’ bank accounts.”
In the recent attacks in Poland, the hackers used a DNS server that responded with rogue IP addresses for the domain names of five Polish banks. Those IP addresses corresponded to a server that acted as a proxy, giving the attackers a man-in-the-middle position from which to intercept, inspect and change traffic between users and the online banking sites they wanted to target.
Because of this, they chose to use an advanced technique called SSL stripping.
Typically, users connect to the main website of the bank over HTTP and then click on a link or a button to get to the login page for the secure part of the site, where SSL is enabled.
It is at this point that the attackers prevented the secure connection from being established. Their rogue proxy server established an encrypted connection with the online banking website, but kept the connection between the user and itself unencrypted.
The visual indicators for secure SSL connections are missing from the browser when this kind of attack is in progress. Nevertheless, it is difficult for victims to notice, because they clicked on a link from the bank’s actual website and so have no reason to suspect an attack, said Przemyslaw Jaroszewski, the head of incident response at CERT Polska.
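As an added example (not part of the original article), the link rewriting that SSL stripping relies on can be detected by comparing a copy of the bank's landing page fetched over a trusted path with the copy a client actually received. The bank.example pages and all function names below are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect absolute targets of <a href> and <form action>."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = set()

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "form": "action"}.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                # Resolve relative links against the page URL.
                self.targets.add(urljoin(self.base_url, value))


def link_targets(html, base_url):
    collector = _LinkCollector(base_url)
    collector.feed(html)
    return collector.targets


def downgraded_links(reference_html, observed_html, base_url):
    """Return (host, path) pairs that are https in the reference copy
    but plain http in the observed copy."""
    def by_scheme(html, scheme):
        found = set()
        for url in link_targets(html, base_url):
            parts = urlsplit(url)
            if parts.scheme == scheme:
                found.add((parts.hostname, parts.path or "/"))
        return found

    return sorted(by_scheme(reference_html, "https") & by_scheme(observed_html, "http"))


# Constructed sample pages for a hypothetical bank at bank.example.
BASE = "http://www.bank.example/"
REFERENCE = '''<a href="https://login.bank.example/signin">Log in</a>
<a href="/about">About</a>
<form action="https://login.bank.example/auth" method="post"></form>'''
OBSERVED = '''<a href="http://login.bank.example/signin">Log in</a>
<a href="/about">About</a>
<form action="http://login.bank.example/auth" method="post"></form>'''

if __name__ == "__main__":
    for host, path in downgraded_links(REFERENCE, OBSERVED, BASE):
        print(f"downgraded to http: {host}{path}")
```

Links that are plain HTTP in both copies, such as the relative `/about` link, are not reported; only targets whose scheme changed from https to http are flagged.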
Polish IT security site Niebezpiecznik.pl linked the attacks to a vulnerability reported last month in ZyNOS, a router firmware made by ZyXEL Communications that is apparently also used in some router models from other manufacturers, including TP-Link, ZTE, D-Link and AirLive.
The vulnerability allows attackers to download a file containing the router's settings without authentication. The file can then be unpacked and parsed to extract the password for the router's administrative interface.
CERT Polska could not definitively link the DNS attacks to a specific vulnerability, Jaroszewski said. While the ZyNOS vulnerability looks like a solid candidate, some of the attacks date back to late December, before the vulnerability was publicly disclosed, he said.
“There are lots of means to change DNS entries in home routers, a number of them known for a long time,” Jaroszewski said. “It’s really surprising that it is the very first time we see it used for gain on a mass scale.”
Many vulnerabilities that allow remote access to the management interface of home routers have been discovered over time, including in models provided by various ISPs to their customers.
Three vulnerabilities were discovered in a router called EE BrightBox that British broadband provider EE supplies to customers as standard equipment. One of these vulnerabilities could allow attackers to alter the DNS settings of the router.
Jaroszewski believes it is likely that DNS attacks like those in Poland will be used against online banking users in other countries in the future. However, for now he was not aware of any reports of similar attacks outside Poland.