Symantec said the GET request modified the router’s DNS settings so that the URL for a popular Mexico-based banking site was mapped to the hacker’s Web site, where security data could be stolen.
According to Symantec, the first drive-by pharming attack has become reality. Symantec warned of the concept almost a year ago, and now has reported such an attack against a Mexican bank.
In a drive-by pharming attack, victims only have to view a web page or open an e-mail. Embedded malicious code could change the DNS (Domain Name System) settings on a victim’s router. From that point on, Symantec reports, all future URL requests would be resolved by the attacker’s DNS server, which means the attacker effectively controls the victim’s Internet connection.
“At the time we described the attack concept, it was theoretical in the sense that we had not seen an example of it in the wild. That’s no longer the case,” said Symantec security expert Zulfikar Ramzan.
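Because the mechanism described above depends on a web page or e-mail making the victim's own browser send a request to the router, a mail gateway or web proxy can flag externally sourced HTML that embeds URLs aimed at internal addresses. The sketch below is an added example, not code from Symantec or from the original article; the local hostname list and the sample markup, including its placeholder path and parameter, are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that can make a browser or mail client issue a request.
URL_ATTRS = {"src", "href", "action", "background", "data"}
# Assumed names and suffixes for home gateways; extend for your environment.
LOCAL_NAMES = {"localhost", "router", "gateway"}
LOCAL_SUFFIXES = (".local", ".lan", ".home")


def is_internal_host(host):
    """True for private, loopback or link-local IPs and local-only names."""
    host = (host or "").lower().rstrip(".")
    if host in LOCAL_NAMES or host.endswith(LOCAL_SUFFIXES):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # ordinary public hostname
    return ip.is_private or ip.is_loopback or ip.is_link_local


class InternalRequestFinder(HTMLParser):
    """Collects (tag, attribute, url) for embedded URLs aimed at internal hosts."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                parts = urlsplit(value.strip())
                host = parts.hostname
            except ValueError:
                continue  # malformed URL, nothing a browser would resolve
            if parts.scheme in ("http", "https") and is_internal_host(host):
                self.findings.append((tag, name, value.strip()))


def scan_html(html):
    finder = InternalRequestFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: the path and parameter are placeholders, not a real router API.
SAMPLE = (
    '<p>You have an e-card.</p><img src="https://cdn.example.com/card.png">'
    '<img src="http://192.168.1.1/PLACEHOLDER_PATH?PLACEHOLDER_PARAM=203.0.113.53">'
)
print(scan_html(SAMPLE))
```

A hit is a signal for review rather than proof of an attack, since intranet pages legitimately link to internal hosts; the check is most useful on content arriving from outside the network.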