Tuesday 07 October 2008

'Drive-by pharming' security alert on web

 

Broadband users could have money stolen from bank accounts or their personal files and emails read by strangers through a dangerous new form of computer hacking, experts have warned.

An advanced version of "phishing" – the stealing of computer passwords by posing as a trustworthy person – has been identified that allows cyber-criminals to take over someone’s connection to the internet without their knowledge.

Known as "drive-by pharming", the technique might, for example, mean that an internet user is made to enter their passwords and codes on a fake bank website that appears identical to the legitimate one.

The threat could potentially affect the millions of people who use a router to connect their computer to the internet.

Drive-by pharming relies on the fact that the majority of users never change the password that protects their router’s settings from the manufacturer’s default – often simply the word "password".

Computer experts at the annual conference of the American Association for the Advancement of Science in San Francisco advised users to look up simple instructions to change their passwords and to only buy routers from trusted sources.

Zulfikar Ramzan, from internet security company Symantec, one of those who identified the new threat, said: "I believe this attack has serious widespread implications and could affect many millions of users worldwide.

"All you have to do to become a victim is simply visit a web page that hosts some malicious code.

"You don’t have to click OK on anything or accidentally download and install malicious software.

"The new type of threats we are seeing are particularly worrying because they are more silent and invisible, making it more difficult to convey to the public."

Markus Jakobsson, from the School of Informatics at the University of Indiana, who also worked on identifying the vulnerability, said: "I would advise people never to buy routers on eBay, or thumb drives [also known as dongles] or iPods, or anything you attach to your computer.

"You should buy it in a shrink-wrapped box from a place you consider to be safe."

When a computer is instructed to go to a website, it contacts another computer, called a Domain Name System (DNS) server, which holds a database of website addresses.

Using the internet protocol (IP) address provided by the DNS server, it is then able to display the website the user wants.

To carry out the attack all someone has to do is persuade a computer user to visit a website they have set up, potentially via an advert on Google or a link from a spam email.

The website contains a piece of computer code that hacks into the user’s router - unless they have changed their password - and changes the DNS server settings.

This means, for example, that the attacker can now direct requests for the user’s bank website to fake websites he or she has set up – potentially websites that precisely mirror the bank’s real site.
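A defensive check for the redirection described above, as an added example that is not part of the original article: it compares the addresses returned through a home router's DNS settings with those from a reference resolver reached over a trusted path. The hostnames, addresses and function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: a public website should not resolve to a LAN address.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (hypothetical hostnames, documentation addresses).
# LOCAL: answers obtained through the home router's DNS settings.
# REFERENCE: answers for the same names from a resolver on a trusted path.
LOCAL = {
    "bank.example": {"203.0.113.80"},
    "mail.example": {"198.51.100.25", "198.51.100.26"},
    "news.example": {"192.168.1.50"},
}
REFERENCE = {
    "bank.example": {"198.51.100.7"},
    "mail.example": {"198.51.100.26", "198.51.100.27"},
    "news.example": {"198.51.100.90"},
}

def is_lan(ip):
    """True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def compare_answers(local, reference):
    """Return {hostname: verdict} for every hostname in the reference set."""
    verdicts = {}
    for name, ref_ips in reference.items():
        got = local.get(name, set())
        if not got:
            verdicts[name] = "no-answer"
        elif any(is_lan(ip) for ip in got):
            verdicts[name] = "lan-address"   # public name pointing into the LAN
        elif got & ref_ips:
            verdicts[name] = "consistent"    # at least one address in common
        else:
            # Disjoint answers can be ordinary load balancing, so this is a
            # prompt to inspect the router's DNS settings, not proof of tampering.
            verdicts[name] = "mismatch"
    return verdicts

def suspicious(local, reference):
    """Hostnames whose answers warrant checking the router's DNS settings."""
    flagged = {"mismatch", "lan-address"}
    return sorted(n for n, v in compare_answers(local, reference).items()
                  if v in flagged)
```
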

It is not known whether the new form of attack has been used maliciously yet, but the experts who identified it said they had a duty to inform internet users of the risks before it became widespread.

Mr Ramzan added: "It's really just a matter of time before we start to see this. We decided that rather than react to it when it starts happening on a large scale we should get the information out there and warn people.

"There’s a very simple fix for this problem, something people should have been doing all along, which is to change the default password.

"Had there not been a simple solution to it, I would have been much more hesitant about publicising this."

© Copyright of Telegraph Media Group Limited 2008