We have had a small number of reports from customers who have had the DNS settings on their routers altered. The IPs we are seeing set are 220.127.116.11 and 18.104.22.168 (there may be others)
This type of attack is called Pharming. In short, it means that any internet traffic could be redirected to servers controlled by the attacker.There is more information about pharming on the following pages: https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf http://www.team-cymru.com/ReadingRoom/Whitepapers/SOHOPharming.html
At the moment we are logging when customers try to accesses these IP addresses and we are then contacting the customers to make them aware.
To solve the problem we are suggesting that customers replace the router or speak to their local IT support.
Changing the DNS settings back to auto, changing the administrator password and disabling WAN side access to the router may also prevent this from happening again.
Also reported here: http://www.pcworld.com/article/2104380/
We have contacted the few affected customers.