Check your DNS servers, because many vendors have exploited flaws that allow the routers to be changed to new DNS servers. Man In the Middle, yeah an alternate DNS server will certainly allow this type of attack.
Affected devices had their DNS settings changed to use the IP addresses 18.104.22.168 and 22.214.171.124. As with the DNS Changer malware, unwitting victims are vulnerable to a loss of service if the malicious servers are taken down, as both primary and secondary! DNS IP addresses are overwritten, complicating mitigation.