Hackers managed to infiltrate the private networks of millions of Brazilians and redirected them to malicious websites without ever accessing the users' computers, even remotely.
Thousands of dollars were stolen from legitimate users, some of which were used to purchase the services of Rio de Janeiro prostitutes.
The hackers' secret? Instead of targeting the computers, the hackers went after the routers, network components that many end users overlook even when they're savvy about security.
The online outlaws bypassed password requirements on DSL routers that had a flaw in their Broadcom chips, which let hackers create a cross-site request forgery and snag the routers' administrative passwords.
Once inside, they were able to manipulate the devices' settings and redirect them to one of 40 unfriendly Domain Name System (DNS) servers, Sophos Labs' Naked Security blog reported.
DNS servers are the telephone books of the Internet. Computers and routers consult them constantly to translate the human-friendly host names in uniform resource locators (URLs), such as "www.securitynewsdaily.com," to the Internet Protocol (IP) addresses that computers actually use to transmit data, such as "22.214.171.124".
A malicious DNS server would return a different IP address, so that a computer would think it was communicating with the SecurityNewsDaily site when it was really downloading malware from a server in Russia.
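Spotting this kind of redirection from the user's side comes down to asking the configured resolver for a known "canary" name and checking whether the answer lands in the network that name should map to. The following is an added example, not code from the article or from the researchers it cites: it parses raw DNS responses (including compressed names) and flags any A answer outside an expected network; the host name, the RFC 5737 documentation addresses and the `build_response` helper are constructed sample data for illustration.

```python
import struct
import ipaddress
def _read_name(buf, off):
    """Decode a DNS name at off (following compression pointers); return (name, next_off)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(buf[off:off + length].decode("ascii"))
        off += length

def a_records(response):
    """Return the IPv4 addresses carried in the A answers of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    off, ips = 12, []
    for _ in range(qd):                            # skip the question section
        _, off = _read_name(response, off)
        off += 4                                   # QTYPE + QCLASS
    for _ in range(an):
        _, off = _read_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(response[off:off + 4])))
        off += rdlen
    return ips

def hijacked(response, expected_networks):
    """True if any A answer lies outside the networks the canary name should map to."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return any(all(ipaddress.ip_address(ip) not in n for n in nets) for ip in a_records(response))

def build_response(name, ips, txid=0x1234):
    """Constructed sample data: encode a minimal A-record response (no real resolver involved)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0) + qname + struct.pack("!HH", 1, 1)
    for ip in ips:                                 # 0xC00C = pointer back to the question name
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return pkt

# Documentation ranges (RFC 5737) stand in for the canary's real hosting network and a rogue host.
EXPECTED = ["192.0.2.0/24"]
GOOD_RESPONSE = build_response("www.example.com", ["192.0.2.10"])
ROGUE_RESPONSE = build_response("www.example.com", ["198.51.100.7"])
```

In practice the response bytes would come from a UDP query to the resolver the router hands out via DHCP, and a mismatch against the expected network is the signal to inspect the router's DNS settings.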
One of the scariest parts of this scam was how hard it could be to distinguish between a scammer's attack and the real deal. Attackers spoofed the authentic sites' URLs, leaving trustworthy-looking names in the browser's address bar.
So when users visited www.google.com.br — the real Brazilian Google Search home page — many didn't think twice before clicking "OK" on a prompt to download and install a program required for the "new Google."
Of course, there was no new Google, and instead of providing "Defense," as the filename implied, the malware logged keystrokes, sent files to remote servers and phished bank-account information from seemingly legitimate websites to be exploited for financial gain.
Once inside, the hackers locked out the routers' owners with new passwords, barring them from the admin controls needed to point their routers back at legitimate DNS servers.
"If only they had known the exploit too," Naked Security mused.
Security experts eventually found that affected machines were all hooked up to routers made by one of six makers. All told, the hackers redirected more than 4.5 million routers in about 6.7 percent of Brazil's households.
Kaspersky Labs' Brazilian researcher Fabio Assolini demonstrated the hack last week in Dallas at the Virus Bulletin conference.
Assolini also presented part of an Internet relay chat between two of the hackers discussing plans for their ill-gotten gains, some of which purportedly was spent securing the services of Rio de Janeiro prostitutes.