‘Drive-by Pharming’ – A New Attack on Routers

In a recent threat dubbed "Drive-by Pharming" an attacker could alter the home routers' configuration by planting JavaScript code, said security researchers at Indiana University and Symantec on the basis of an examination. The threat would act as a reminder to all those who haven't modified the default password on their home PCs.

The source of the problem is low-cost plug-and-play broadband routers, researchers said from their proof-of-concept. When these devices arrive from the factory they have a default password that most home users do not care to change. Hackers, however, know they can combine these passwords with Web sites having a malicious JavaScript code to cause dangerous outcomes.

The research team discovered that with the help of computer logged on to a Web page containing JavaScript code, it is possible to set a different Domain Name System (DNS) in the routers. When the hacker introduces the new DNS he effectively diverts all e-mail moving through that router.

According to Oliver Fredrichs, director, Symantec Security Response in a company press release, the recent research reveals an attack that is creating problems to millions of broadband users around the world. The drive-by pharming attacks are very easy to launch. Therefore, it is crucial that consumers protect their broadband routers and wireless access areas.

In one such attack, the captured router can send anyone to the hacker's own phishing site instead of the real site that the user intends. Despite the best preventive practices like using one's own bookmark or typing the URL, the victim ends up at the fraudulent URL. The hacker can also lead a computer, connected to the Net, to a malicious website that installs a bundle of malware on that PC.

A separate informal study from Indiana University shows, half of home brand users are vulnerable to this attack.

The obvious remedy is to change the default password of the router. Other precautions are to switch to Java applets having digital signatures and strictly restrict un-trusted, unsigned applets to access the network. Finally, ISPs can also help by allowing only those DNS traffic, which pass through their own name servers.

Related article: “Loopholes did not cause online banking thefts”: ICBC

» SPAMfighter News - 2/26/2007