Broadband users have been urged to change the default passwords on their routers or risk making their bank details available to cybercriminals.

Computer scientists have identified a technique that could allow hackers to steal bank details by hijacking a home broadband connection.

The technique, in which thieves guide home computers to fake a bank website, is being called “drive-by pharming” because all that is needed is a fleeting visit to a rogue site.

The criminals set up a website containing a single line of malicious code that operates whenever the page is viewed. Unlike “phishing” attacks, the victim does not have to click on any link or download any files.

Once the code starts to run, it hijacks the router — the connection that steers users to sites they type into the browser’s address field — if the router’s password is still set to default.

When victims try to access bank websites, they are unwittingly redirected to fake sites operated by the fraudsters. As they try to access their account, they unknowingly give up their passwords and personal details.

It is thought that up to 50 per cent of people with broadband have not changed the default passwords on their routers.

Drive-by pharming is not yet thought to have been used to steal money, but experts who hack into systems to improve online security staged a successful mock attack last week.

Zulfikar Ramzan, of Symantec, a computer security company based in Cupertino, California, told the American Association for the Advancement of Science conference that he was alarmed by how easy it had been to accomplish.

“All you have to do to be affected is to look at a web page,” he said. “Attackers gain complete control over the conduit by which you surf the web, allowing them to direct you to sites they designed.

“I believe this attack has serious implications. The new threats are worrying because they are silent and invisible, making it more difficult to convey to the public. All people have to do to protect themselves is change their home router password.”

Markus Jakobsson, from the University of Indiana, who also worked on identifying the vulnerability, said: “I would advise people never to buy routers on ebay, or thumb drives or iPods, or anything you attach to your computer. You should buy it in a shrink-wrapped box from a place you consider to be safe.”

The technique exploits the way in which computers access the internet. Each website has a unique identifier known as its internet protocol or IP address. To find this address, the computer looks it up in a remote Domain Name System (DNS) server, before accessing the site.

Drive-by pharming changes the default DNS settings on a computer’s broadband router so that it looks up bank IP ad-dresses from a false server. The computer is directed towards a copy of the bank website, where users enter their details without knowing that they are giving them up to criminals.

Dr Ramzen asked his audience to imagine having to look up their bank’s address in a phone directory before making a visit. “Our attack shows a simple way that attackers can replace the phone books in your house with one that they created. Now, when you pick up that rogue phone book it’ll give you the wrong address. At this wrong address, the attackers will have set up a fake bank that looks just like your bank. You’ll give up all your sensitive bank account information. You will never realise that you were at a fake bank since you trusted the address that you got from what you thought was your legitimate telephone book.”

He said that he was not aware of any criminals using drive-by pharming, but that he wanted to alert people to the danger.

How to beat cyber-fraudsters

-Antivirus software needs to be as up to date as possible. There were about ten new threats every hour last month, so checking for updates once a day isn’t enough. Your antivirus software should enable you to check for updates hourly

-Get the latest Microsoft security patches, released on the second Tuesday of every month. You can set up your PC to do this automatically through its security centre, via the control panel. Or go to www.windowsupdate.com

-You need a firewall — either built into your broadband router hardware or on your PC — and preferably both. Check out independent reviews on technology sites for the best products

-Change the password on your router. It will be shipped with a default password, such as “admin” or “password”. Hackers can use that to change its settings. So when you go to your online bank, for example, you are redirected, unwittingly, to a cybercriminals' site. You should be able to access your router through your web browser. It will have a web address that should be in the instruction manual

-Drive-by phishers also exploit Javascript, a computer language used in online features such as forms that can let in a host of other types of malicious software. A browser such as Firefox (available for free at www.mozilla.com/firefox) gives you the option of choosing whether or not to allow Java to run on a site-by-site basis

-Use common sense: check your bank account regularly; don’t use the same password for every site (40 per cent of people do); be extremely cautious of unsolicited e-mails; back up important data; don’t open files that you don’t trust

-Browsers such as Firefox, Opera and Apple’s Safari are hit less often by hackers

Times recommends

• From joystick to helmet: it's all in the mind
• 'Maniacal' engineer takes city computers hostage
• 3G iPhone review: fast but power-hungry