Symantec: Drive-by Pharming in the Wild
After many months that Symantec talked about the concept of a drive-by pharming, then recently saw instances of actual attackers attempting a basic version of drive-by pharming.
In one real-life variant that we observed, the attackers embedded the malicious code inside an email that claimed it had an e-card waiting for you at the Web site gusanito.com. Unfortunately the email also contained an HTML IMG tag that resulted in an HTTP GET request being made to a router (the make of which is a popular router model in Mexico). The GET request modified the router’s DNS settings so that the URL for a popular Mexico-based banking site (as well as other related domains) would be mapped to an attacker’s Web site.
Now, anyone who subsequently tried to go to this particular banking Web site (one of the largest banks in Mexico) using the same computer would be directed to the attacker’s site instead. Anyone who transacted with this rogue site would have their credentials stolen.
Now that the first instances of the attack have been observed, they expect there to be others.
http://www.symantec.com/enterprise/security_response/weblog/2008/01/driveby_pharming_in_the_wild.html