Thread: Drive-by Pharming

  1. #1
    Default User Guest

    Drive-by Pharming

    Hijacking a broadband or wireless router that has a default password is not
    exactly new... but it's on the rise.


    Symantec Warns of Drive-by Pharming
    By: Sharon Khare | Feb 16,2007
    http://www.tech2.com/india/news/anti...harming/4284/0
    --
    Symantec Security Response with the Indiana University School of
    Informatics, has uncovered a new security threat called "Drive-by
    Pharming".

    In this attack, consumers may fall victim to pharming by having their home
    broadband routers reconfigured by a malicious web site. According to a
    separate informal study conducted by Indiana University, up to 50 percent
    of home broadband users are susceptible to this attack.

    With traditional pharming, an attacker aims to redirect a user attempting
    to visit one web site, to another bogus web site. Pharming can be conducted
    either by changing the host file on a victim's computer or through the
    manipulation of the Domain Name System (DNS). Drive-by pharming is a new
    type of threat in which a user visits a malicious web site and an attacker
    is then able to change the DNS settings on a user's broadband router or
    wireless access point. DNS servers are computers responsible for resolving
    Internet names into their real "Internet Protocol" or IP addresses,
    functioning as the "signposts" of the Internet. In order for two computers
    to connect to each other on the Internet, they need to know each other's IP
    addresses.

    Drive-by pharming is made possible when a broadband router is not password
    protected or an attacker is able to guess the password — for example, most
    routers come with a well-known default password that a user never changes.

    "This new research exposes a problem affecting millions of broadband users
    worldwide. Because of the ease by which drive-by pharming attacks can be
    launched, it is vital that consumers adequately protect their broadband
    routers and wireless access points today," said Oliver Friedrichs,
    director, Symantec Security Response.

    Professor Markus Jakobsson of the Indiana University School of Informatics
    emphasizes that this attack shows how important the human factor is in
    security. "While drive-by pharming arises due to inadequate protective
    measures, there is also another human component: If an attacker can trick
    you into visiting his page, he can probe your machine. Deceit is not new to
    humankind, but it is fairly recently that security researchers started
    taking it seriously."

    Drive-by pharming involves the use of JavaScript to change the settings of
    a user's home broadband router. Once the user clicks on a malicious link,
    malicious JavaScript code is used to change the DNS settings on the user's
    router. From this point on, every time the user browses to a web site, DNS
    resolution will be performed by the attacker. DNS resolution is the process
    by which one determines the Internet address corresponding to a web site's
    common name. This gives the attacker complete discretion over which web
    sites the victim visits on the Internet. For example, the user may think
    they are visiting their online banking web site but in reality they have
    been redirected to the attacker's site.

    These fraudulent sites are an almost exact replica of the actual site so
    the user will likely not recognize the difference. Once the user is
    directed to the pharmer's "bank" site, and enters their user name and
    password, the attacker can steal this information. The attacker will then
    be able to access the victim's account on the "real" bank site and transfer
    funds, create new accounts, and write checks.
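
Added example, not part of the original post or the quoted article: a defender-side audit for the two conditions the article describes, an unset or factory-default router admin password and DNS settings that point at resolvers the owner did not choose. The key=value export format, the key names, the approved resolver ranges and the placeholder factory passwords are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample: a router settings export in key=value form (hypothetical format).
SAMPLE_EXPORT = """\
admin_user=admin
admin_password=admin
wan_dns1=203.0.113.66
wan_dns2=198.51.100.53
dhcp_dns=192.168.1.1
"""

# Assumptions: resolvers the owner intends to use, and placeholder factory passwords.
APPROVED_DNS = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("192.168.1.1/32")]
FACTORY_PASSWORDS = {"", "admin", "password"}


def parse_export(text):
    """Parse key=value lines, ignoring blanks, # comments and malformed lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings, approved=APPROVED_DNS, factory=FACTORY_PASSWORDS):
    """Return findings for a weak admin password and unapproved DNS servers."""
    findings = []
    if settings.get("admin_password", "").lower() in factory:
        findings.append("admin_password: missing or factory default")
    for key, value in sorted(settings.items()):
        if "dns" not in key:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"{key}: not an IP address ({value!r})")
            continue
        if not any(addr in net for net in approved):
            findings.append(f"{key}: unapproved resolver {addr}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Run on a schedule against a saved baseline, a check like this surfaces a changed resolver even when the fraudulent site itself looks identical to the real one.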


  2. #2
    Gaz Guest

    Re: Drive-by Pharming

    Default User wrote:
    > Hijacking a broadband or wireless router that has a default password is
    > not exactly new... but it's on the rise.


    It hasn't actually happened yet though has it?? Just some researchers
    discovered it could be done.

    Gaz


    >
    > Symantec Warns of Drive-by Pharming
    > By: Sharon Khare | Feb 16,2007
    > http://www.tech2.com/india/news/anti...harming/4284/0




  3. #3
    Andy Walker Guest

    Re: Drive-by Pharming

    Gaz wrote:

    >Default User wrote:
    >> Hijacking a broadband or wireless router that has a default password is
    >> not exactly new... but it's on the rise.

    >
    >It hasn't actually happened yet though has it?? Just some researchers
    >discovered it could be done.
    >
    >Gaz


    I don't speak for the OP, and don't know about whether the JS method
    in the Symantec warning is being used yet (I would assume, though,
    that it is being developed by malware writers). What I do know is
    that hijacking broadband and wireless routers is commonplace. The
    methods may vary, but it's incredibly easy when people leave the
    default password in place. Wireless is the easiest of all because most
    people dumb enough to leave the default password in place are usually
    the same people who have absolutely no security on their wireless
    network. I would guess that between 50-75% of home wireless networks
    are at risk, and probably 30-40% of all business wireless networks
    (most people would be shocked to find out how many unauthorized
    wireless access points are installed on corporate networks.)


    >> Symantec Warns of Drive-by Pharming
    >> By: Sharon Khare | Feb 16,2007
    >> http://www.tech2.com/india/news/anti...harming/4284/0

    >


