New pharming threat to home and small office networks

Stephen Withers
Friday, 16 February 2007 03:52

Your IT - Home IT

Many - perhaps most - users of popular wired and wireless routers are in danger of being directed to fraudulent web sites impersonating Internet banking services, security experts at Symantec and Indiana University have warned.

Dubbed 'drive-by pharming', the attack relies on JavaScript being enabled in the victim's browser, and the router's administrative password being left at the default.

What happens is that the victim visits an apparently innocuous web page, but it contains a JavaScript that logs into the router. Since the script is running within the browser, the request is seen by the router as coming from the LAN, not the Internet.

Once logged in, the script changes the router's configuration so it uses a DNS server controlled by the attacker. DNS servers are the part of the Internet that translate domain names such as www.my-bank.com (to use Symantec's example) to IP addresses such as 69.8.217.90. The attacker's DNS server is configured to translate bank domain names to the IP addresses of servers also controlled by the attacker, which host copies of the real banks' sites.

All this happens without requiring any interaction from the user, other than visiting the web page. The process occurs in the background with no indication of what's happening.

Then when the victim tries to connect to his or her bank's site, what comes up is actually a fake. About the only way of telling would be to check the site's certificate. The fake site captures the username and password, which are then used to extract money from the real account.

Symantec recommends users change the password on their routers (instructions can be found in the instruction manual or at the manufacturer's web site), and think twice before clicking on links.