Sample drive-by pharming attack

Symantec’s Zulfikar Ramzan posted a blog entry on a drive-by pharming attack they came across:

We recently saw instances of actual attackers attempting a basic version of drive-by pharming. Given the simplicity of the attack and the potential widespread implications, we always felt that it would simply be a matter of time before it happened. The building blocks have been out there for some time and anyone with sufficient familiarity could easily put them together. I’ve said before and I’d like to reiterate that the technical details of the attack are not nearly as noteworthy as the potential widespread implications.

In one real-life variant that we observed, the attackers embedded the malicious code inside an email that claimed it had an e-card waiting for you at the Web site gusanito.com. Unfortunately the email also contained an HTML IMG tag that resulted in an HTTP GET request being made to a router (the make of which is a popular router model in Mexico). The GET request modified the router’s DNS settings so that the URL for a popular Mexico-based banking site (as well as other related domains) would be mapped to an attacker’s Web site.

Now, anyone who subsequently tried to go to this particular banking Web site (one of the largest banks in Mexico) using the same computer would be directed to the attacker’s site instead. Anyone who transacted with this rogue site would have their credentials stolen.