Attackers can poison the DNS system (think of this as the phone book your browser uses to locate a site's IP address by its name) at several different stops. Your machine caches DNS entries and this cache can be poisoned. A special file on your machine can be modified to override DNS servers for certain Web addresses, and DNS servers themselves can even be compromised and forced to serve up bad IP addresses for reputable sites. Once the attack is in place, your browser will contact an attacker's server instead of the legitimate server for any targeted website. Attacks like this typically target banks and other financial institutions, fooling users long enough for them to give up account credentials, which are then used to empty their accounts.
Ways to avoid: Always look for "https" at the beginning of the site's address when visiting a sensitive website to do financial transactions, and (again) don't ignore browser warnings. Attackers who have poisoned your DNS lookups still can't forge the certificates used for TLS, so in many cases they'll use a non-TLS ("http://...") address and hope users don't notice.
Web browsers are the primary target for many attackers these days, because so much sensitive data passes through them. From casual shopping to enterprise management systems to military operations, browsers have become the primary vehicle people use to access network-connected systems. Unfortunately, browsers have a long and storied history of vulnerabilities that have provided attackers with a lucrative and near-endless supply of victims upon which to prey. Quarri Technologies, Inc., a Web information security software company, has identified some of the top vulnerabilities attackers use against browsers.
Note: This slideshow is focused on browser vulnerabilities, not website vulnerabilities (SQL injection attacks, XSS, XSRF, et al). The distinction is subtle but important.