The first drive-by pharming attack has been observed against a Mexican bank: “It’s associated with an e-mail pretending to be from a legitimate Spanish-language e-greeting card company, Gusanito.com,” says Symantec Security Response principal researcher Zulfikar Ramzan. Inside the e-mail is an HTML image tag but instead of displaying images, it sends a request to the home router to tamper with it.

Will someone finally take CSRF vulnerabilities seriously now? "Utter horror show" is an accurate description of the security status of most router's web interfaces. The Linksys box sitting next to me has an CSRF vuln that allows you to reset the WEP key. Unacceptable.