Thursday, 02/15/2007 1:50:23 PM
Security Experts Warn of Drive-By Pharming Attacks

Jennifer LeClaire, newsfactor.com 1 hour, 44 minutes ago

Symantec's Security Response division and the Indiana University School of Informatics are warning of a new hacker tactic called drive-by pharming. In this sinister plot twist on other drive-by hack techniques, attackers use a malicious Web site to remotely reconfigure home broadband routers.

With traditional pharming, an attacker redirects a user from a legitimate Web site to a bogus Web site that contains malicious code. Pharming attacks can be executed by either changing the host file on a victim's PC or manipulating a domain name system (DNS) server.

Drive-by pharming takes this strategy one step further, and, according to Indiana University, up to 50 percent of home broadband users are susceptible to such attacks.

In the new scheme, when a user visits a malicious Web site, an attacker is able to remotely change the DNS settings on the broadband router or wireless access point and reroute requests for legitimate sites -- like online banking sites or financial institutions -- to bogus sites designed to steal login information.

"This new research exposes a problem affecting millions of broadband users worldwide," Oliver Friedrichs, director of Symantec Security Response, said in a statement. "Because of the ease by which drive-by pharming attacks can be launched, it is vital that consumers adequately protect their broadband routers and wireless access points today."

Router Control

According to the study, attackers can only leverage drive-by pharming when a broadband router is not password-protected or an attacker is able to guess the password. Most routers come with well-known default passwords that users don't bother to change.

Professor Markus Jakobsson of the Indiana University School of Informatics said this new strategy shows how important the human factor is in security. "If an attacker can trick you into visiting his page, he can probe your machine," he explained. "Deceit is not new to humankind, but it is fairly recently that security researchers started taking it seriously."

Here's how the drive-by pharming attack works: Once the user clicks on a malicious link, JavaScript code is used to change the DNS settings on the user's router. From that point on, every time the user browses to a Web site, DNS resolution will be performed by the attacker's server.

This gives the attacker complete discretion over which Web sites the victim visits on the Internet. For example, users might think they are visiting their online banking Web site when in reality they have been redirected to the attacker's site. These fraudulent sites are almost exact replicas of the actual site, so the user will likely not recognize the difference.

Once the user is directed to the pharmer's "bank" site, and enters a username and password, the attacker can steal this information. The attacker will then be able to access the victim's account on the real bank site and transfer funds, create new accounts, write checks, and so forth.
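The two symptoms of the scheme described above are visible from the client side: the resolver the router hands out may no longer be the router itself or the ISP's server, and, even when the router still forwards DNS, its answers for high-value names differ from a trusted out-of-band resolver's. The following is an added example, not code from the article, Symantec or Indiana University; it audits a resolv.conf-style resolver list and compares answer sets. The allowlist address `203.0.113.53` (standing in for an ISP resolver), the `198.51.100.0/24` addresses and the name `bank.example` are constructed placeholders.

```python
"""Added example (not from the article): detect the DNS-side symptoms of a
drive-by pharming attack from a client machine.

Assumptions (hypothetical): a healthy home network hands clients either the
router's own RFC 1918 address or one of EXPECTED_RESOLVERS as nameserver.
Anything else in the resolver list is worth an alert.
"""
import ipaddress

# Constructed allowlist: the ISP resolver a household legitimately expects.
# 203.0.113.53 is a documentation-range placeholder, not a real resolver.
EXPECTED_RESOLVERS = frozenset({"203.0.113.53"})

# Explicit LAN ranges instead of ipaddress.is_private, which also treats the
# documentation ranges used as sample data below as "private".
LAN_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text,
    ignoring comments, blank lines and unrelated directives."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def classify_resolver(ip_text, expected=EXPECTED_RESOLVERS):
    """'local' for the router or a local stub resolver, 'expected' for an
    allowlisted upstream, 'unexpected' for anything else."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in LAN_NETS):
        return "local"
    if ip_text in expected:
        return "expected"
    return "unexpected"


def audit_resolvers(resolv_text, expected=EXPECTED_RESOLVERS):
    """Pair every configured resolver with its classification."""
    return [(s, classify_resolver(s, expected)) for s in parse_resolv_conf(resolv_text)]


def compare_answers(configured, trusted):
    """Second check, needed because a pharmed router can keep handing out
    its own LAN address and simply forward upstream to the attacker.

    configured: {name: [addresses returned via the router]}
    trusted:    {name: [addresses from a trusted out-of-band resolver]}
    Returns the names whose router-supplied answers share nothing with
    the trusted answers."""
    mismatches = {}
    for name, trusted_ips in trusted.items():
        got = set(configured.get(name, ()))
        if got and not got & set(trusted_ips):
            mismatches[name] = sorted(got)
    return mismatches


if __name__ == "__main__":
    # Constructed sample: the router plus one resolver nobody configured.
    sample_resolv = "# constructed sample\nsearch home\nnameserver 192.168.1.1\nnameserver 198.51.100.7\n"
    for server, verdict in audit_resolvers(sample_resolv):
        print(f"{server:<16} {verdict}")

    # Constructed answer sets for one high-value name.
    via_router = {"bank.example": ["198.51.100.20"]}
    via_trusted = {"bank.example": ["203.0.113.80"]}
    print("mismatched names:", compare_answers(via_router, via_trusted))
```

The resolver audit alone is not sufficient: in the scenario the article describes the attacker rewrites the router's upstream DNS setting, so clients may continue to see the router's LAN address as their only nameserver. The answer comparison is the check that still fires in that case, provided the trusted answers come from a resolver reached without going through the router's DNS (for example a resolver queried directly by address).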

Hitting the Brakes

What's important to remember is that this drive-by pharming scheme is an attack, not a vulnerability, said Michael Sutton, a security evangelist with SPI Dynamics. It relies on social engineering and lack of proper security controls, he explained, but does not take advantage of a security vulnerability.

"JavaScript is a powerful client-side scripting language and if a user can be socially engineered into visiting a Web page, JavaScript can be leveraged to conduct a number of attacks," Sutton warned. "This is just one of them." He said that other researchers have demonstrated several other kinds of attacks with JavaScript, with the results being scanning internal networks or accessing a user's browsing history.

Because, as Sutton noted, the issue is not a vulnerability, existing security solutions on the market today cannot protect against this type of attack. Drive-by pharming targets the user's router directly, and the existing solutions only protect the user's computer system.

Symantec said its Consumer Business Unit is working on technologies to help address the problem. The company's goal is to automatically impede the attack by using several techniques running on the PC. Until then, Symantec is suggesting that computer users make sure their routers have unique passwords.

Symantec also recommends installing Internet security software and warns against clicking on links that seem suspicious, such as those sent in an e-mail from unfamiliar addresses.


http://www.newsfactor.com/story.xhtml?story_id=0330014YJ9YU
