The attackers went even further and rewrote the URLs seen by users in their browser's address bar to have "ssl-." in front of the domain name.
While none of the individual techniques used in the attacks were new, Jaroszewski said that as far as he knows this is the first time when attackers used them together in a mass attack targeting online banking users.
Polish IT security outfit Niebezpiecznik.pl linked the attacks to a vulnerability reported last month in ZyNOS, a router firmware created by ZyXEL Communications that's apparently also used in some router models from other manufacturers including TP-Link, ZTE, D-Link and AirLive.
The vulnerability allows attackers to download a file containing the router's configuration without authentication. The file can then be unpacked and parsed to extract the password for the router's administrative interface.
CERT Polska couldn't definitively link a particular vulnerability to the DNS attacks, Jaroszewski said. While the ZyNOS vulnerability looks like a strong candidate, some of the attacks date back to late December, before the vulnerability was publicly disclosed, he said.
"There are many ways to modify DNS entries in home routers, some of them known for years," Jaroszewski said. "It is actually surprising that it's the first time we see it exploited for profit on a mass scale."
Many vulnerabilities that allowed remote access to the administration interface of home routers were found over the years, including in models supplied by various ISPs to their customers.
Three vulnerabilities were found last month in a router called EE BrightBox that's provided by British broadband provider EE to customers as standard equipment. One of those vulnerabilities could potentially allow attackers to change the router's DNS configuration.
Jaroszewski believes that it's likely DNS attacks like those in Poland will be used against online banking users in other countries in the future. However, for now he wasn't aware of any reports of similar attacks outside Poland.
"In order to protect a home routers from the attack, any type of remote administration access from the Internet should be disabled," the Polish CERT researchers said. "Default usernames and passwords should be changed to unique ones, not revealed publicly."
Sign up for CIO Asia eNewsletters.