Drive-by Pharming

Or, did you configure that router or just plug it in?

A newly reported security problem affecting some of the most popular wireless routers could cause a great deal of pain for users and their security on the internet. Researchers have described a new attack vector they call Drive-by Pharming: a malicious website hosts JavaScript that changes the DNS settings on wireless routers still using the default login password. That lets the attacker redirect any and all traffic passing through that router to a DNS server they control, and from there send that traffic wherever they want. They could create fake banking sites to lure users into entering their banking details, then use those details to take money from the victim's account. This is similar to phishing, but it would appear seamless, since victims are redirected without their knowledge; with a phishing attempt, by contrast, you receive an email trying to get you to click a link that sends you to the fake site. Drive-by pharming would catch everybody visiting any site the attacker had set up a fake for (banks, PayPal, stores, etc.), and the victims would have no idea until the money started disappearing. Here is what the researchers posted in December.

Inexpensive broadband routers are a popular way for people to create an internal, and sometimes wireless, network in their homes. By purchasing such a router and plugging it in, they can have a network set up in seconds. Unfortunately, by visiting a malicious web page, a person can inadvertently open up his router for attack; settings on the router can be changed, including the DNS servers used by the members of this small, quickly erected internal network. In this paper, we describe how a web site can attack home routers from the inside and mount sophisticated pharming attacks that may result in denial of service, malware infection, or identity theft among other things. Our attacks do not exploit any vulnerabilities in the user’s browser. Instead, all they require is that the browser run JavaScript and Java Applets. We also propose countermeasures to defeat this type of malware — new methods that must be used since the traditional technique of employing client-side security software to prevent malware is not sufficient to stop our proposed attacks. Source: Technical Report TR641: Drive-By Pharming

This is available in PDF format, here. Symantec has a video, Drive-By Pharming: How Clicking on a Link Can Cost You Dearly, and some more info on this page.

For background, the DNS system, or domain name system, is what lets us just type a web address into our browser and have that page appear. Each website has at least one IP address (sometimes more, sometimes shared) that we connect to, and the DNS system is like a big phone book that our computer checks to find out where to go. When you type in an address, your computer checks several spots to work out how to reach the website; the DNS servers have the domain names mapped to IP addresses, so your computer asks DNS and DNS replies "go to this IP address". If a hacker changed your DNS server to one of theirs, they could tell your computer where to go. So when you typed in your bank's address, your computer would be told to use a different IP address, one hosting the hacker's version of the site, where they could record all of your information as you type it in. Now they have your user ID and password and can do whatever you can do in your bank account. The only thing that could possibly give it away is that when the fake site tries to log you in, you don't actually get logged in. They could set up a redirect to the real bank, where you could log in, but this could cause problems too: your computer still thinks the bank's name belongs to the other IP address and would end up sending you back to the hacker's site, causing even more confusion on your end. But there are probably workarounds for that as well, such as depositing a hosts file on your computer.
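As an added defensive check, not part of the original post or the researchers' work: the script below reads a resolver configuration in resolv.conf syntax (a constructed sample is embedded) and flags any name server that is neither on the local network nor on a trusted list you supply, which is what a client sees when a tampered router hands out an attacker's DNS server over DHCP. The trusted address 198.51.100.53 and the suspect 203.0.113.7 are made-up documentation-range values.

```python
import ipaddress
# Constructed sample, as a client receives it over DHCP from a router whose DNS
# setting was changed: 192.168.1.1 is the router, 203.0.113.7 (made up) the attacker's.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
nameserver 192.168.1.1
nameserver 203.0.113.7
search home.lan
"""

# Resolvers you deliberately use, e.g. your ISP's (made-up value here).
TRUSTED_RESOLVERS = ("198.51.100.53",)

# Listed explicitly rather than via ip_address.is_private, because Python
# also treats the documentation ranges (TEST-NET) as private.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_nameservers(text):
    """Return the addresses from 'nameserver' lines, ignoring comments."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def audit_nameservers(servers, trusted=TRUSTED_RESOLVERS):
    """Map each resolver to 'lan' (the router forwarding for you), 'trusted'
    (on your allow-list) or 'suspect' (a public address you never chose)."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = {}
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings[server] = "invalid"
            continue
        if any(addr in net for net in LAN_NETWORKS):
            findings[server] = "lan"
        elif any(addr in net for net in trusted_nets):
            findings[server] = "trusted"
        else:
            findings[server] = "suspect"   # the symptom of a pharmed router
    return findings

def pharming_suspected(text, trusted=TRUSTED_RESOLVERS):
    """True if any configured resolver is an unexpected public address."""
    return "suspect" in audit_nameservers(parse_nameservers(text), trusted).values()
```

If the router forwards DNS queries itself, clients only ever see the router's LAN address, and the forwarding target has to be checked in the router's admin page instead.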

The easiest workaround is to change the password on your wireless router; in most cases it is pretty simple and definitely worth the time to keep this from happening to you. Instead of detailing each individual router, here are some links to information on several different routers and how to change the default password.

D-Link: when you click this link, it will ask you where you are (US, Canada, etc.); pick your country, then come back to this link and click it again, and it will take you straight to the page.

As you can see, it is pretty simple to change it. To log in to most routers, you would connect to the router's default IP address; I say most because I have seen a couple that used a different default IP address, the one that comes to mind being one of Microsoft’s. You can probably find the spot to change the password very easily; use the links above if you have trouble locating it.

I will try to post these malicious sites here as we, the security researchers and other security sites, find them, and as always, let's be careful out there.