- Microsoft Windows chief decries standards grandstanding
- The 5 best, and 5 worst, features of Google Chrome OS
- Federal government using PS3 to crack pedophile passwords
- 10G Ethernet cheat sheet
- Top 10 free Windows tools for IT pros, at a glance
The theory is now a reality. Symantec reported Tuesday that drive-by pharming, in which a hacker changes the DNS settings on a customer’s broadband router or wireless access point and directs the link to a fraudulent Web site, has been observed in the wild.
Listen to a podcast on how not to fall victim to drive-by pharming attacks.
The first drive-by pharming attack has been observed against a Mexican bank: “It’s associated with an e-mail pretending to be from a legitimate Spanish-language e-greeting card company, Gusanito.com,” says Symantec Security Response principal researcher Zulfikar Ramzan. Inside the e-mail is an HTML image tag but instead of displaying images, it sends a request to the home router to tamper with it.
In the e-mail evidence Symantec has examined, the code seeks to change 2Wire DSL routers to point the user’s Web browser to
a fraudulent bank site that mimics the site of one of the largest Mexican banks. Ramzan declined to name the specific bank.
“So, whenever you’d want to go to the bank site, instead of the real one, you’d get the attacker’s fake site,” he says. For
the home PC user, the danger is that this drive-by pharming attack is “so silent and there’s only subtle telltale signs that
it’s occurring,” he adds.
A white paper last year from Symantec and the Indiana University School of Informatics coined the term. At the time the researchers detailed the JavaScript-based security threat and said such an attack could hit up to 50% of home broadband users.
Drive-by pharming can occur because home router equipment is often left configured with default log-in and password information and never changed. “The attacks know what the defaults are,” Ramzan says. The simplest defense is to make sure home routers of any type have the default password settings changed.
Corporate routers are not typically seen to be as vulnerable to drive-by pharming “because they tend to be managed better,” he says.
Ramzan added he expected the drive-by pharming attack to accelerate as online attackers move beyond into newer methods than traditional e-mail phishing.
Rss FeedRss Feed
The Leader in Network Knowledge
Comments (10)
RE: First case of "drive-by pharming" identified in the wildBy Willie Howe on January 22, 2008, 6:32 pmThis is why I offer everyone I work with and people I do work for to configure their equipment for them. Most people will buy it, plug it in and go. Very bad idea.
Reply | Read entire comment
Good for you, WillieBy Anonymous on January 22, 2008, 8:25 pmYou are a good man.
Reply | Read entire comment
Actually thats not theBy Anonymous on January 23, 2008, 12:48 amActually thats not the problem and of course neither a solution... The vulnerability consists in that via a bug inside the configuration wizard and attacker can...
Reply | Read entire comment
Not the UPnP vulnerability then?By Anonymous on January 23, 2008, 2:39 amSo this attack is dependent on factory password authentication and not a result of the well publicised UPnP vulnerability which of course requires nothing other...
Reply | Read entire comment
sounds to be similarBy Anonymous on January 23, 2008, 9:36 amsounds to be similar to: http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
Reply | Read entire comment
People must learn to changeBy Anonymous on January 23, 2008, 12:38 pmPeople must learn to change their router's password and take this security risk seriously.
Reply | Read entire comment
View all comments