According to Symantec, the first drive-by pharming attack has become reality. Symantec warned of the concept almost a year ago, and has now reported such an attack aimed at customers of a Mexican bank.
In a drive-by pharming attack, victims only have to view a web page or open an e-mail. Malicious code embedded in that content changes the DNS (Domain Name System) settings on the victim's home router. From that point on, Symantec reports, every name lookup from that network is answered by the attacker's DNS server, so the attacker decides which server the victim reaches for any hostname and effectively controls the victim's Internet connection.
"At the time we described the attack concept, it was theoretical in the sense that we had not seen an example of it in the wild. That's no longer the case," said Symantec security expert Zulfikar Ramzan.
Drive-By Pharming in Action
In one real-life variant that Symantec researchers observed, the attackers embedded the malicious code inside an e-mail claiming that an e-card was waiting at the Web site gusanito.com.
The e-mail also contained an HTML IMG tag whose image source pointed at the victim's router on the local network, so the mail client or browser that rendered the message automatically issued an HTTP GET request to the router's administrative interface. That single GET request modified the router's DNS settings so that the hostname of a popular Mexico-based banking site, along with other related domains, was mapped to the attacker's Web site.
"Now, anyone who subsequently tried to go to this particular banking Web site -- one of the largest banks in Mexico -- using the same computer would be directed to the attacker's site instead," Ramzan said. "Anyone who transacted with this rogue site would have their credentials stolen."
The Router Factor
Symantec said the first real-life instance of drive-by pharming was more devastating than the researchers' original concept because the particular brand of router involved has a substantial vulnerability: it applies configuration changes without any authentication.
"In its original incarnation, the drive-by pharming attack required the attacker to correctly guess the administrative password on the victim's router. Since most people never change this password or, for that matter, even know of its existence, this measure poses little or no impediment for the attacker," Ramzan said.
"So simply changing the default password to one that is difficult to guess would have sufficed in protecting you. In the case of these routers that's not true," he added. "It turns out that on this particular router the attacker does not even need to try guessing the password!"
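The following model ties the two sections above together: the hidden IMG tag in the e-card, the victim's browser fetching it, and a router admin handler in the weak form the article describes (a state-changing GET, guarded by a default password or by nothing at all) beside a hardened form. It is an added example, not Symantec's analysis code and not the firmware of the router in the article. The LAN address 192.168.1.1, the /setup.cgi path, the dns1 parameter, the default password "admin" and all IP addresses (drawn from documentation ranges) are assumptions made for the illustration.

```python
"""Drive-by pharming modelled end to end: the e-card's <img> tag, the victim's
browser fetching it, and a home router's admin handler in weak and hardened form.

Added illustration only: not Symantec's analysis code and not the firmware of the
router in the article.  The router address, CGI path, parameter name, default
password and every IP address here are constructed (documentation ranges)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs
import re
import secrets

ROUTER = "192.168.1.1"            # assumed LAN address of the victim's router
ISP_DNS = "203.0.113.53"          # stands in for the legitimate resolver
ATTACKER_DNS = "198.51.100.53"    # stands in for the attacker's resolver


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Router:
    """Admin interface in two modes.

    hardened=False: any GET to /setup.cgi with parameters is a write.  With
    check_password=True the only hurdle is HTTP credentials, which the attacker
    can place in the image URL if the default was never changed; with
    check_password=False it behaves like the router in the article, which
    changed settings without any password at all.
    hardened=True: a change needs POST, a logged-in session cookie, a
    per-session anti-CSRF token and a same-origin Origin/Referer header.
    """
    hardened: bool = False
    check_password: bool = True
    password: str = "admin"
    dns: str = ISP_DNS
    sessions: dict = field(default_factory=dict)   # session id -> CSRF token

    def login(self, password: str):
        """Legitimate admin login: returns (cookies, csrf_token) or None."""
        if password != self.password:
            return None
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return {"sid": sid}, token

    def handle(self, req: Request) -> int:
        """Returns an HTTP status; 200 on /setup.cgi means the settings changed."""
        parts = urlsplit(req.url)
        if parts.hostname != ROUTER or parts.path != "/setup.cgi":
            return 404
        if self.hardened:
            return self._handle_hardened(req)
        # Weak firmware: credentials (if checked at all) come from the URL itself.
        if self.check_password and parts.password != self.password:
            return 401
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        if "dns1" in params:
            self.dns = params["dns1"]
        return 200

    def _handle_hardened(self, req: Request) -> int:
        if req.method != "POST":
            return 405                 # an <img> tag can only issue a GET
        token = self.sessions.get(req.cookies.get("sid"))
        if token is None:
            return 401                 # no authenticated session
        if req.form.get("csrf") != token:
            return 403                 # a cross-site form cannot know the token
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if urlsplit(origin).hostname != ROUTER:
            return 403                 # request did not come from the admin page
        if "dns1" in req.form:
            self.dns = req.form["dns1"]
        return 200


def ecard_html(dns: str, credentials: str = "") -> str:
    """Constructed lure: an e-card notice carrying the hidden image tag."""
    auth = f"{credentials}@" if credentials else ""
    return ('<p>You have an e-card waiting!</p>'
            f'<img src="http://{auth}{ROUTER}/setup.cgi?dns1={dns}" width="1" height="1">')


def browser_loads(html: str, router: Router) -> list:
    """The victim's mail client or browser fetches every image source with GET."""
    return [router.handle(Request("GET", src))
            for src in re.findall(r'<img[^>]+src="([^"]+)"', html)]
```

Run against `Router(check_password=False)` the e-card changes the resolver with no credentials at all; against `Router()` it fails until the URL carries `admin:admin`, and a non-default password stops it, which is the point of Ramzan's advice below. Against `Router(hardened=True)` the image request is refused outright because an IMG tag cannot send a POST, a session cookie it has not earned, a per-session token, or a same-origin header.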
Guarding Against Drive-bys
Now that the first instance of the attack has been observed, Symantec expects more.
Ramzan offered some best practices for protecting systems. First, he said, change the default router password to something that is difficult to guess. Second, reset the router to its factory settings before changing the password, so that you start from a clean slate and any DNS entries planted by an earlier drive-by pharming attack are wiped out. Note that a password change helps only where the router actually checks the password; as described in the previous section, the router involved in this incident did not.
Third, practice what Ramzan calls good Internet "street smarts." Stick to Web sites that are trustworthy and use caution when clicking on links people send you -- even if they come from someone you trust. The same holds true for e-mails.
Finally, Ramzan recommends a comprehensive Internet security software suite that provides virus and spyware blocking, a firewall, intrusion detection and prevention, and anti-phishing capabilities.
"Drive-by pharming attacks might be used as a lure to have malicious software installed on your machine or compromise the integrity of your online transactions," Ramzan said. "There are some excellent technologies out there for protecting you in such situations, and I strongly advocate using them."