by Playfuls Staff |
17th February 2007

Symantec announced that Symantec Security Response, in conjunction with the Indiana University School of Informatics, has uncovered a significant new security threat. In this attack, dubbed "Drive-by Pharming," consumers may fall victim to pharming by having their home broadband routers reconfigured by a malicious web site. According to a separate informal study conducted by Indiana University, up to 50 percent of home broadband users are susceptible to this attack.
With traditional pharming, an attacker aims to redirect a user attempting to visit one web site to another, bogus web site. Pharming can be conducted either by changing the hosts file on a victim's computer or through the manipulation of the Domain Name System (DNS). Drive-by pharming is a new type of threat in which a user visits a malicious web site and the attacker is then able to change the DNS settings on the user's broadband router or wireless access point. DNS servers are computers responsible for resolving Internet names into their real "Internet Protocol" or IP addresses, functioning as the "signposts" of the Internet. In order for two computers to connect to each other on the Internet, they need to know each other's IP addresses. Drive-by pharming is made possible when a broadband router's administration interface is not password protected, or when an attacker is able to guess the password -- for example, most routers ship with a well-known default password that the user never changes.
Drive-by pharming involves the use of JavaScript to change the settings of a user's home broadband router. Once the user clicks on a malicious link, JavaScript on the attacker's page makes the user's own browser send requests to the router's administration interface. Because those requests originate from inside the home network and carry the default (or guessed) administrator password, the router accepts them and its DNS settings are rewritten. From this point on, every time the user browses to a web site, DNS resolution -- the lookup that turns a site's common name into an IP address -- is performed by a server the attacker controls. This gives the attacker complete discretion over which server the victim actually reaches for any name. For example, the user may think they are visiting their online banking web site but in reality they have been redirected to the attacker's site.
These fraudulent sites are an almost exact replica of the actual site, so the user will likely not recognize the difference. (A replica served over plain HTTP shows no padlock, and one served over HTTPS with a certificate not issued for the bank's name triggers a browser warning; the attack relies on the user not noticing either.) Once the user is directed to the pharmer's "bank" site and enters their user name and password, the attacker can steal this information. The attacker will then be able to access the victim's account on the "real" bank site and transfer funds, create new accounts, and write checks.
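The two pharming vectors described above (a rewritten hosts file, and DNS answers coming from a resolver the attacker controls after the router has been reconfigured) can both be checked from the client. The script below is an added example, not part of the original article or of Symantec's tooling; it runs over constructed sample input, and the resolver allowlist, the bank domain names and the sample addresses (all from documentation address ranges) are assumptions chosen for illustration.

```python
"""
Client-side checks for the pharming vectors described in the article, run
over constructed samples so nothing here touches a real router or resolver:

  1. a hosts file entry that pins a bank's name to an attacker's address
  2. resolver (nameserver) settings that are not on the expected list
  3. a name that resolves differently through the local resolver than
     through a trusted resolver reached directly by address, which is what
     the victim sees once the router relays lookups to the attacker
"""
import ipaddress
import re

# Assumption: resolvers this household legitimately uses, i.e. the router's
# LAN address (which relays to the ISP) and the ISP's own resolvers.
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.1", "198.51.100.2"}

# Assumption: names whose resolution the user cares about most.
SENSITIVE_DOMAINS = {"bank.example", "www.bank.example"}

# Constructed sample hosts file: legitimate loopback and LAN lines plus a
# line a pharmer added to pin the bank to an attacker-controlled address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# LAN printer
192.168.1.20 printer
203.0.113.7 www.bank.example bank.example
"""

# Constructed sample resolv.conf as handed out by a reconfigured router.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from 192.168.1.1
search home.lan
nameserver 203.0.113.53
nameserver 192.168.1.1
"""

# Constructed answers: what the local resolver returned versus what a trusted
# resolver (queried by address, bypassing the router) returned for each name.
SAMPLE_LOCAL_ANSWERS = {"bank.example": "203.0.113.7", "mail.example": "192.0.2.25"}
SAMPLE_TRUSTED_ANSWERS = {"bank.example": "192.0.2.10", "mail.example": "192.0.2.25"}


def parse_hosts(text):
    """Return {hostname: address} for every valid entry in hosts-file text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # first field is not an address
        for name in fields[1:]:
            mapping[name.lower()] = address
    return mapping


def hosts_overrides(text, sensitive=SENSITIVE_DOMAINS):
    """Sensitive names the hosts file pins, which bypasses DNS entirely."""
    return {name: addr for name, addr in parse_hosts(text).items()
            if name in sensitive}


def parse_nameservers(text):
    """Nameserver addresses in resolv.conf order."""
    matches = (re.match(r"\s*nameserver\s+(\S+)", line) for line in text.splitlines())
    return [m.group(1) for m in matches if m]


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Resolvers not on the allowlist, in the order the system consults them."""
    return [server for server in parse_nameservers(text) if server not in expected]


def resolution_mismatches(local, trusted):
    """Names for which the local resolver disagrees with the trusted one."""
    return {name: (local[name], trusted[name])
            for name in trusted if name in local and local[name] != trusted[name]}


def run_checks(hosts=SAMPLE_HOSTS, resolv=SAMPLE_RESOLV_CONF,
               local=SAMPLE_LOCAL_ANSWERS, trusted=SAMPLE_TRUSTED_ANSWERS):
    """Collect findings from all three checks; an empty dict means clean."""
    findings = {}
    if overrides := hosts_overrides(hosts):
        findings["hosts_overrides"] = overrides
    if rogue := unexpected_resolvers(resolv):
        findings["unexpected_resolvers"] = rogue
    if mismatches := resolution_mismatches(local, trusted):
        findings["resolution_mismatches"] = mismatches
    return findings


if __name__ == "__main__":
    for check, detail in run_checks().items():
        print(f"{check}: {detail}")
```

One caveat matters in practice: when the router relays DNS for the LAN, the client's resolver list only ever shows the router's own address, so the second check is blind to a drive-by reconfiguration and only the third check (comparing answers with a trusted resolver queried by address) reveals it. The direct check is still to log in to the router and inspect the DNS servers it has been configured to forward to.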
Symantec Security Response recommends that users employ a multi-layered protection strategy:
* Make sure their routers are uniquely password protected. Most routers come with a default administrator password which is easy for pharmers to guess.
* Use an Internet security solution that combines antivirus, firewall, intrusion detection, and vulnerability protection.
* Avoid clicking on links that seem suspicious - for example, those sent to you in an email from someone you don't recognize.
Existing security solutions on the market today cannot protect against this type of attack, since drive-by pharming targets the user's router directly while those solutions only protect the user's computer. Symantec's Consumer Business Unit has been actively working on client-side technologies to address this problem. Symantec's goal is to develop the means to automatically impede the attack using a number of techniques running on the client, in the network stack and in the browser.