Ongoing DNS hijackings target Gmail, PayPal, Netflix, banks and more [Updated]

Enlarge (credit: D-Link)
Stefan Tanase, principal security researcher at Ixia, told Ars that the DNS servers described in this article were taken down and that the attackers have replaced them with new DNS servers. Ixia analyzed the rogue DNS server and found it targets the following domains: GMail.com, PayPal.com, Netflix.com, Uber.com, caix.gov.br, itau.com.br, bb.com.br, bancobrasil.com.br, sandander.com.br, pagseguro.uol.com.br, sandandernet.com.br, cetelem.com.br, and possibly other sites. People trying to reach one of these domains from an infected router will be connected to a server that serves phishing pages over plain HTTP.
Below is how cetelem.com.br appeared in Firefox on a machine configured to use one of the malicious DNS servers.

(credit: Stefan Tanase)

On Friday afternoon, a Google representative emailed the following statement:
Read 11 remaining paragraphs | Comments