http://en.wikipedia.org/wiki/DNS_cache_poisoning has definitely been exploited in the wild. A friend of mine in AWS had to investigate cache poisoning attacks happening on certain ISPs a few years back that were hijacking images.
Edit: Are any affiliate params or headers being passed to the forward page?
You probably know, but the people to contact are your ISP to tell them of their DNS poisoning, and also the "rewards" company to complain about their sneaky affiliate.
You mentioned that it's not confined to just your ISP - It's possible for these DNS attacks to cascade due to the nature of DNS, so the attack may have originated higher up than just your ISP's DNS servers. But they should be able to have a better idea of what's happening.
http://en.wikipedia.org/wiki/DNS_cache_poisoning has definitely been exploited in the wild. A friend of mine in AWS had to investigate cache poisoning attacks happening on certain ISPs a few years back that were hijacking images.
Edit: Are any affiliate params or headers being passed to the forward page?