First case of 'drive-by pharming' identified in the wild
The first drive-by pharming attack has been observed against a Mexican bank, reports Symantec
By Ellen Messmer | Framingham | Thursday, 24 January, 2008
The theory is now a reality. Symantec reports that drive-by pharming, in which an attacker changes the DNS settings on a customer’s broadband router or wireless access point so that the victim’s web requests are resolved to a fraudulent website, has been observed in the wild.
The first drive-by pharming attack has been observed against a Mexican bank: “It’s associated with an email pretending to be from a legitimate Spanish-language e-greeting card company, Gusanito.com,” says Symantec Security Response principal researcher Zulfikar Ramzan. Inside the email is an HTML image tag, but instead of fetching an image, its request goes to the home router and alters the router’s settings.
In the email evidence Symantec has examined, the code targets 2Wire DSL routers, changing their DNS settings so that the user’s web browser is pointed at a fraudulent bank site that mimics the site of one of the largest Mexican banks. Ramzan declined to name the specific bank.
“So, whenever you’d want to go to the bank site, instead of the real one, you’d get the attacker’s fake site,” he says. For the home PC user, the danger is that this drive-by pharming attack is “so silent and there’s only subtle telltale signs that it’s occurring,” he adds.
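The telltale of the attack described above is a resource request, carried by an image tag in an Internet e-mail, that is addressed to a host on the victim’s own LAN. The following added example (not Symantec’s code, and not drawn from the e-mail the article describes) scans an HTML message body for image, iframe and script sources that point at private, loopback or link-local addresses, and reports any credentials embedded in such a URL. The sample e-mail, the router address 192.168.1.254, the `/hypothetical/set_dns` path, its parameter names and the `admin:admin` credentials are all constructed for illustration and are not the real 2Wire interface.

```python
"""Flag e-mail HTML whose <img>/<iframe>/<script> sources point at LAN hosts.

A resource request inside an e-mail that arrived from the Internet should
never be addressed to a private, loopback or link-local IP; when it is,
the "image" is most likely a request aimed at the recipient's router.
Everything below, including the sample e-mail, the router address and
the '/hypothetical/' path, is constructed for illustration; it is not the
real 2Wire interface.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Address ranges in which no Internet-hosted image legitimately lives.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                  # IPv4 link-local
    "127.0.0.0/8", "::1/128",                          # loopback
    "fe80::/10", "fc00::/7",                           # IPv6 link-local, ULA
)]

SRC_TAGS = ("img", "iframe", "script")


class _SrcCollector(HTMLParser):
    """Collects the src attribute of every tag that triggers a fetch."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() in SRC_TAGS:
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def is_lan_host(host):
    """True if host is a literal IP inside one of LAN_RANGES.

    Hostnames are deliberately not resolved (offline check), so a name
    that resolves to a LAN address, as in DNS rebinding, is not caught.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in LAN_RANGES)


def embedded_credentials(url):
    """Return (user, password) if the URL carries userinfo, else None.

    Credentials written into an image URL never belong in a legitimate
    e-mail and are a second signal worth reporting alongside the target.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return None
    return (parts.username, parts.password or "")


def lan_targets(html_body):
    """Return every fetched src URL in html_body addressed to a LAN host."""
    collector = _SrcCollector()
    collector.feed(html_body)
    hits = []
    for src in collector.srcs:
        host = urlsplit(src).hostname
        if host and is_lan_host(host):
            hits.append(src)
    return hits


# Constructed sample: a greeting-card lure with a 1x1 "image" aimed at the router.
SAMPLE_EMAIL = """<html><body>
<p>You have received a greeting card.</p>
<img src="http://cards.example.com/card.gif" alt="card">
<img src="http://admin:admin@192.168.1.254/hypothetical/set_dns?dns1=203.0.113.5"
     width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for url in lan_targets(SAMPLE_EMAIL):
        creds = embedded_credentials(url)
        print("LAN-addressed fetch:", url)
        if creds:
            print("  embedded credentials:", creds)
```

The check is deliberately offline and only matches literal IP addresses; a hostname that resolves to a LAN address (DNS rebinding) would slip past it, so in a mail gateway this belongs alongside resolution-time controls rather than replacing them.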
A white paper last year from Symantec and the Indiana University School of Informatics coined the term. At the time the researchers detailed the JavaScript-based security threat and said such an attack could hit up to 50% of home broadband users.
Drive-by pharming can occur because home routers are often left with the default login name and password they shipped with, which are never changed. “The attacks know what the defaults are,” Ramzan says. The simplest defence is to make sure home routers of any type have their default password changed.
Corporate routers are not typically seen to be as vulnerable to drive-by pharming “because they tend to be managed better,” he says.
Ramzan added that he expected drive-by pharming attacks to accelerate as online attackers move beyond traditional email phishing into newer methods.