Modem Hijacker: Everything You Need to Know

Modem hijacking was a popular hacking scheme created by cybercriminals in the early 1990s, as telecom companies started to offer dial-up internet connections to the public along with telephone subscriptions. The modem hijacker’s objective is to redirect the connection on the victim’s telephone line. Typically, the modem’s Media Access Control (MAC) address will be cloned, and the internet connection will be redirected to the modem hijacker, who can then use free internet under the victim’s account. The hijacking of a modem starts when a user interacts with an unsecured website and unknowingly clicks the trigger, such as a button labeled “Free Pass” or another enticing free offer. This allows the malicious modem hijacking software to be downloaded in the background and installed directly on the victim’s computer. Modem hijacking isn’t as common anymore now that dial-up connections are virtually obsolete and consumers have moved on to high-speed internet. Still, this type of hacking is illegal and can result in imprisonment and large fines for those found guilty.

Modem Hijacker

Modem hijackers use different schemes but share the same goal: to use someone else’s internet services. Clicking on suspicious website banners or pop-up offers and downloading files from unknown websites are the common ways victims inadvertently trigger the modem hijacking process. Most internet users in the 1990s weren’t aware of the tricks programmers could pull because the technology was still nascent and there were few laws protecting consumers against cybercrimes. In the mid-1990s, one of the first cases of a widespread modem hijacking campaign emerged, impacting about 38,000 consumers of internet services. In 1997, the U.S. Federal Trade Commission (FTC) refunded over $2.74 million in telephone charges the victims unknowingly paid out through the scheme, which involved re-routing users’ calls to international numbers that appeared to be located in the country of Moldova, in Europe. The investigators found that a certain “dialer” played a big role in executing the modem hijacker’s plan. A dialer is a program used by modem hijackers to establish a connection between two computers; these programs look similar to other programs, so the user may never notice any warning signs. In this case, the victims downloaded a software program called “Viewer” for the purpose of viewing personal pictures, without knowing the program was actually hijacking software that had just been installed and executed in the background.

What is a Modem Hijacker?

A modem hijacker is a hacker who uses modem hijacking methods to breach dial-up connections and control victims’ phone lines and internet connections. This type of cybercrime emerged in the 1990s as an early form of spyware. Modem hijackers create software packages that do not activate until the victim turns on the computer and starts dialing the local internet service number. The software is installed when the user accidentally clicks on malicious advertisements or downloads software or files from an unsecured or unknown website. Once the program resides among the computer’s files, the connection is ready for the modem hijackers whenever the computer is on and the user starts the dial-up connection. A modem hijacker’s reach is limited until the user opens the dial-up connection. Another limitation arises if the user is already running antivirus software capable of detecting and quarantining or deleting the suspected intruding program. In that case, the modem hijacker’s server connection would terminate.

How does Modem Hijacking Work?

Modem hijacking happens when the user is unaware of the dangers of clicking on ads or pop-ups on malicious websites that offer free access to paid services. Once the suspicious offer is clicked, the program is executed and starts running in the background without the user knowing that any spyware-like program has entered the system. The program then runs a dialer to dial another number, causing the computer to disconnect from the local number and reconnect to an international number. The computer is now exposed to any open server, and anyone can access it. Users should take steps to fix modem hijacking and take precautions against future attacks by avoiding suspicious ads and offers and by using an antivirus program to detect malicious files. Typically, victims only find out about modem hijacking after receiving a bill with lots of new fees and charges for international calls made without the owner’s knowledge.
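
The billing symptom described above can be checked for mechanically. As an added example (not part of the original article), this Python script audits call records for a line used only for dial-up and flags international or unlisted numbers, including a call placed right after an ISP session ends. The sample records, the ISP access number, the 60-second window and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records for a line used only for dial-up:
# (call start, dialed number, duration in seconds). All values are made up.
CALLS = [
    ("1997-02-03 19:02:10", "555-0142", 2710),
    ("1997-02-04 20:15:00", "555-0142", 95),
    ("1997-02-04 20:16:50", "011-373-555-0100", 3480),
    ("1997-02-06 18:40:00", "555-0199", 600),
]
ISP_ACCESS_NUMBERS = {"5550142"}       # assumption: the subscriber's known ISP number
INTL_PREFIX = "011"                    # international dialing prefix in North America
REDIAL_WINDOW = timedelta(seconds=60)  # assumption: how soon a redial counts as linked


def digits(number):
    """Strip punctuation so '555-0142' and '5550142' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


def audit_calls(calls, allowed=ISP_ACCESS_NUMBERS):
    """Return (start, number, reason) for each call the modem line should not have made."""
    findings = []
    prev_end = None  # end time of the most recent call to an allowed ISP number
    for start_s, number, secs in sorted(calls):
        start = datetime.strptime(start_s, "%Y-%m-%d %H:%M:%S")
        dialed = digits(number)
        if dialed in allowed:
            prev_end = start + timedelta(seconds=secs)
            continue
        reason = "international" if dialed.startswith(INTL_PREFIX) else "unlisted number"
        # Disconnect-then-redial: the call starts right after an ISP session ended.
        if prev_end is not None and timedelta(0) <= start - prev_end <= REDIAL_WINDOW:
            reason += ", redial after ISP session"
        findings.append((start_s, number, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_calls(CALLS):
        print(finding)
```
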

What are the Disadvantages of Modem Hijacking?

For consumers, the disadvantages of modem hijacking come in the form of expensive bills for calls and other charges the victims did not initiate or use. As mentioned earlier, the FTC once issued over $2 billion in settlement refunds to consumers impacted by a modem hijacking campaign in the late 1990s. Still, modem hijacking attacks are much less common today, as most people have swapped out old dial-up connections for high-speed digital subscriber line (DSL) broadband and fiber internet. Also, most antivirus programs can detect hijacking software if the computer’s operating system is updated. Otherwise, if the telephone is set to ring during a dial-up session, the user can disconnect as soon as another ring is heard, which may indicate a reconnection by another party.

What is the Most Common Modem Hijacker Attack?

The most common modem hijacker attack happens when users click on pop-up boxes offering malicious clickbait ads through unsecured websites. Many unsecured websites contain pop-up banners with redirected hyperlinks that execute a download process for the modem hijacking software. Also, emails could contain an executable command that would automatically download and install malware onto the system if the user clicks. Users are advised to avoid clicking on or opening any links or files from unknown email contacts. Users should also steer clear of any unsecured websites featuring suspicious clickbait ads.

Who Typically Commits Modem Hijacking?

Modem hijacking can be committed by individual scammers or hackers, cybercrime groups and even website owners who want to drive more traffic. While many cases of modem hijacking result in charges on a phone bill, the more severe cases involve invading someone’s computer and collecting all private files and information. This is one of the early types of modem hacking that needs a client and a server, meaning the hacker won’t be able to access someone’s computer unless a client app has been installed on that computer. Once the client app is activated, there is a connection between the two computers, and the main client-server application can monitor any activities.

Why does Modem Hijacking Occur?

Modem hijacking only occurs with modem devices connected to a telephone line. Typically, dial-up connections are vulnerable to this type of modem hijacking. Consumer awareness plays a significant role in preventing modem hijacking attacks and in calling for support from telecommunications service providers. In the past, there were no laws protecting against and scrutinizing internet scam activities, which modem hijackers saw as an opportunity to exploit. Modem hijacking is not overly complicated and can be deployed by anyone with the right software and technical knowledge.

Pro Tip:

There are a few useful tips to prevent modem hijacking, such as setting the telephone to loud. To connect to the internet through dial-up, users would dial the number provided by the local telephone company and listen for a ring indicating the initial connection before putting the device down. Normally, there would be no reconnection unless the user accidentally hung up. If the modem is hijacked, however, the reconnection will cause the telephone to ring, and that’s the time to unplug the phone wire.

Another way to avoid modem hijacking is to refrain from visiting unsecured websites. Ideally, users should seek out websites with “https” in the URL instead of the less-secure “http.” Unsecured websites, many of which use “http” URLs, often contain pop-ups that lure visitors with malicious offers and other free access benefits. In many cases, a user unknowingly downloads a malicious file or program and thus triggers the download and installation of malware designed to live on the computer undetected. This can be client-based software that is connected to a main server to observe the target’s computer remotely through the internet. To check for this, look for unfamiliar apps on the desktop or in download folders; older systems usually provide shortcuts on the desktop. From there, the user should uninstall any unrecognized apps immediately using the control panel or the delete option in the main application folder.

Antivirus software products can also help detect unwanted programs in the system by referencing an updated list of malware blueprints from around the world. When newer malware is about to enter the system, the antivirus program immediately quarantines the file. Users should ensure the computer’s operating system and all installed applications are up to date with the latest version of the software. This enables the system to receive data from the main server, including an updated firewall, to defend against cyberattacks and other online threats.

Where can Modem Hijacking be Used?

Cybercriminals use modem hijacking to take advantage of free internet access at the expense of the owner of the hijacked modem. This could happen anywhere, but as mentioned above, modem hijacking usually occurs over dial-up connections, which have become less common with the growing adoption of high-speed broadband internet. Aside from drawing free internet access, modem hijackers can also manipulate or invade the personal computer attached to the modem because a client-based program has been installed. The connection between the client software and the modem hijacker’s server would be cut off if the program was uninstalled from the target’s computer. To restore access on the same computer, the user would need to re-install the malicious software through clickbait-style advertisements, website pop-ups, unsecured links or emails.

What are the Possible Consequences of Modem Hijacking?

There are some laws protecting consumer rights against modem hijacking. For example, the state of New York’s law regarding modem hijacking, article 29-CC (538–538-B) of the Modem Hijacking Deterrence Act, says that no person, company or entity may copy a consumer’s computer credentials or data to another device, authorizing use at the consumer’s expense. For enforcement, the law imposes a civil penalty of $1,000, or up to $3,000 per violation if the violator is found guilty of a pattern.

Is Modem Hijacking Illegal?

Yes, modem hijacking is illegal. In physical terms, modem hijacking is considered trespassing on someone’s personal space. In most countries, entering a person’s home or business without asking permission is an act of intrusion. There are some laws against modem hijacking on the books, but other general cybercrime-related laws may also protect internet consumers from further damage and impose penalties on the perpetrators.

Damien Mather

Damien is a cybersecurity professional and online privacy advocate with a bachelor of Computer Science. He has been in the industry for 20+ years and has seen the space evolve far bigger than he ever thought. When he is not buried in his research or going through code, he is probably out surfing or camping and enjoying the great outdoors.