Pharming a Scary Harvest - New Worries: Drive-by Pharming
(Page 3 of 4)
A new wrinkle in pharming has been reported by eWeek and other online news sources. It was discovered by researchers at Symantec and the Indiana University School of Informatics. Dubbed "drive-by pharming," it is particularly scary because all a victim needs to do is view a web page to allow a hacker to make "substantive configuration changes to your home broadband router or wireless access point," according to Zulfikar Ramzan, writing in his blog on Symantec's web site. Merely from viewing the page, Ramzan explained, "attackers gain complete control over the conduit by which you surf the Web, allowing them to direct you to sites they designed (no matter what Web address you direct your Web browser to)."
In a drive-by pharming attack, hackers create a Web page that includes malicious JavaScript code. When someone visits that page, the code, running in the context of the browser, uses a technique known as "cross-site request forgery" to log into that person's home broadband router. Since about fifty percent of those who own such routers have never changed the router's administrative password from the factory default, the login is often successful. Once logged in, the JavaScript code changes the router's settings, including the DNS server settings.
Once this is done, the DNS resolution for the victim is controlled by the attacker. That means the hacker has complete control over which sites the victim visits. Ramzan notes that it is a combination of factors that allows this attack to succeed:
- It's very simple in terms of what a victim needs to do to get snagged. There's no opening of email or clicking on links; all you have to do is visit the web page that hosts the code. You don't even have to click on any links once you're at the site; simply viewing it is enough.
- It depends on people not having changed the default password on their broadband routers, and as mentioned, many people haven't. As you would expect, these defaults are widely available on the Internet. Sites hosting lists of routers with their default user names and passwords include http://www.routerpasswords.com/ and http://www.phenoelit.de/dpl/dpl.html.
- It won't work if you do not have JavaScript enabled in your browser - but 95 percent of Internet users do enable JavaScript, according to a formal study released by Jupitermedia Corporation in November of 2006. Indeed, with so many popular web sites using JavaScript, it's practically a necessity these days.
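The two conditions above that the router itself can control, honouring ambient credentials and shipping with a default password, are what a router's admin interface would need to fix. The following is an added example, not code from the article or from any vendor: a minimal in-memory model of a router admin handler with the vulnerable pattern beside a hardened one that checks the request method, the Origin/Referer header, a per-session anti-CSRF token, and refuses configuration changes while the factory default password is still set. `ROUTER_ORIGIN`, `DEFAULT_CREDS` and the dict-based request shape are assumptions of the example.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the admin interface
DEFAULT_CREDS = ("admin", "admin")     # constructed factory default for this example

def basic_auth_header(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

@dataclass
class RouterAdmin:
    """Requests are plain dicts with keys "method", "headers", "form", "cookies"."""
    creds: tuple = DEFAULT_CREDS
    dns_servers: list = field(default_factory=lambda: ["192.168.1.1"])
    sessions: dict = field(default_factory=dict)  # session id -> anti-CSRF token

    def set_dns_vulnerable(self, req):
        """Pattern the article describes: only ambient Basic credentials are checked."""
        hdr = req["headers"].get("Authorization", "")
        if not hdr.startswith("Basic "):
            return False
        user, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
        if (user, pw) != self.creds:
            return False
        self.dns_servers = req["form"]["dns"].split(",")
        return True

    def login(self, user, pw):
        """Interactive login issues a session id plus a CSRF token only the admin UI embeds."""
        if (user, pw) != self.creds:
            return None
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def set_dns_hardened(self, req):
        """Reject what a cross-site page can produce, and refuse changes on default creds."""
        sid = req.get("cookies", {}).get("sid")
        origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
        same_origin = origin == ROUTER_ORIGIN or origin.startswith(ROUTER_ORIGIN + "/")
        if (req["method"] != "POST" or sid not in self.sessions or not same_origin
                or not hmac.compare_digest(req["form"].get("csrf", ""), self.sessions[sid])
                or self.creds == DEFAULT_CREDS):
            return False
        self.dns_servers = req["form"]["dns"].split(",")
        return True
```

The hardened handler still depends on the browser sending Origin or Referer, which older browsers of the article's era did not do reliably, so the per-session token is the check that carries the weight.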
While this particular attack hasn't been spotted in the wild as of yet, because of its ease it may be just a matter of time. It's important that web surfers guard against these attacks.