These D-Link Routers Are Under Attack: What to Do

Heads up: If you've got an old D-Link DSL modem/router, you'd better make sure its firmware is fully updated.

Credit: D-Link/Amazon


That's because a cybercrime group is targeting four D-Link models, as well as several routers from other brands, and hijacking the routers' settings to send users to malicious websites. The attackers are using old known vulnerabilities for which fixes were issued years ago.

Unfortunately, checking the version of a router's firmware and then updating the firmware is not that easy for most people. We'll walk you through the steps below, but we also strongly urge anyone with a router that's more than five years old to consider upgrading to a newer model.


The four D-Link models targeted are the following, according to the security firm Bad Packets, which issued a report on the crime campaign yesterday (April 4):

D-Link DSL-2640B (first sold in 2007)
D-Link DSL-2740R (EU model, first sold in 2010)
D-Link DSL-2780B (UK model, first sold in 2011)
D-Link DSL-526B (Australia/New Zealand and EU, first sold in 2010)

These are all combo DSL modem/routers, so if your DSL modem and router are different devices, or you use cable broadband instead of DSL, this warning doesn't apply.

None of these listed models are still in production, but odds are they're still being used by someone, and many of those someones have never updated the firmware, or even changed the administrative passwords. (We've actually written about security problems with one of the D-Link routers before, and D-Link even cited our report in an advisory.)

Four other brands are on the hit list: ARGTek (China), DSLink (apparently Brazil), Secutech (Venezuela) and TOTOLINK (China). None seem to have much presence in North America or Europe, although Amazon does sell some TOTOLINK models.

How to (maybe) safeguard your D-Link router

Anyhow, if you do have a D-Link model on the list above, dig around to see if you still have the instruction manual and consult that to see how to check the settings.

If not, open up a web browser on a computer connected to the router's Wi-Fi network and browse to http://192.168.0.1. If you've never changed the admin settings, then log in to the router using the username "admin". Leave the password field blank. (These are terrible administrative credentials, and you should change them as soon as you can.)


Look for two things: the router's firmware version, and the router's DNS settings. We can't give you generic instructions for every D-Link model here, since we don't have these models. But check tabs or pages marked "Advanced," "Tools" or "Status." Write down what you find.

If your DNS settings are any of the following, there's a good chance that your router has been infected:

66.70.173.48
144.217.191.145
195.128.126.165
195.128.124.131
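
As an added example (not part of the original article or any D-Link tool), the Python sketch below automates that comparison: paste in the DNS lines copied from the router's status page, or the contents of a computer's resolver configuration, and it checks them against the four addresses above. The field labels in the sample text are constructed assumptions, since the layout of these routers' pages is not known here.

```python
import ipaddress
import re

# Rogue resolver addresses exactly as listed in the article.
ROGUE_DNS = frozenset(ipaddress.ip_address(a) for a in (
    "66.70.173.48", "144.217.191.145", "195.128.126.165", "195.128.124.131"))

# Dotted quad that is not part of a longer dotted number.
_IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")

def dns_servers(text):
    """IPv4 addresses on lines that mention DNS or 'nameserver', de-duplicated."""
    found = []
    for line in text.splitlines():
        if not re.search(r"dns|nameserver", line, re.I):
            continue  # skip LAN IP, subnet mask and gateway lines
        for match in _IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(match)
            except ValueError:  # out-of-range octets such as 999.1.1.1
                continue
            if addr not in found:
                found.append(addr)
    return found

def verdict(text):
    """Return (status, rogue_hits) for pasted resolver settings."""
    servers = dns_servers(text)
    rogue = [str(a) for a in servers if a in ROGUE_DNS]
    if rogue:
        return "hijacked", rogue
    # A private address means this machine asks the router, which forwards the
    # query elsewhere; only the router's own settings page shows where.
    if not servers or any(a.is_private for a in servers):
        return "inconclusive", []
    return "no-match", []

# Constructed samples (not captured from a real device).
SAMPLE_CLIENT = "nameserver 192.168.0.1\n"
SAMPLE_ROUTER_BAD = "Primary DNS Server: 195.128.124.131\nSecondary DNS Server: 8.8.8.8\n"
SAMPLE_ROUTER_OK = "LAN IP: 192.168.0.1\nPrimary DNS: 8.8.8.8\nSecondary DNS: 8.8.4.4\n"

if __name__ == "__main__":
    for name, text in [("client", SAMPLE_CLIENT), ("router-bad", SAMPLE_ROUTER_BAD),
                       ("router-ok", SAMPLE_ROUTER_OK)]:
        print(name, verdict(text))
```

An "inconclusive" result on a computer is expected when it simply points at the router for DNS; in that case the router's own settings page is the only place the hijacked entry would show up.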

You can evade the crooks temporarily by changing the DNS settings to use Google's DNS servers at 8.8.8.8 or 8.8.4.4. But you'll want to update the firmware too, and after that do a factory-reset.

Go to D-Link's not terribly user-friendly download page at https://tsd.dlink.com.tw/, select your model prefix and number from the drop-down menus, and hit the Go button. See if there is firmware that is newer than what your model has, and click on it. (If not, time for a new router, which will be a lot easier to update.) Download the firmware package to your PC and pray that there are instructions included. (There may not be.)

That's the best we can offer you right now for how to keep these older models secure. Once again, if you're still using one of these older models, you should really think about getting a new router.

Paul Wagenseil
