First case of "drive-by pharming" identified by Symantec

Symantec has detected what is believed to be the first recorded case of what it calls "drive-by pharming". The attacker changes the DNS settings on your router so that your name lookups are answered by a server he controls, and can then steal your information when you access your bank's site.


In short, the attack includes the following steps:

  • The attacker sends you an email containing an image link.
  • The link tries to connect to the default IP address of a 2Wire DSL router and attempts to change the router's DNS settings using the default password.
  • Because your computer gets its IP address and DNS settings from the DHCP server embedded in the router, it now queries the attacker's DNS server whenever it needs to translate a host name (e.g. www.yourbank.com) into a numeric IP address (e.g. 172.20.201.33).
  • The next time you point your browser at your bank's web site (e.g. http://www.yourbank.com), you are directed to the attacker's site, which mimics your bank's site.
  • What is new here is that you do not need to click any link inside the email: simply viewing it in an email client that displays images is enough to get your router hijacked.
  • Solution: change the default IP address and the default network (e.g. 192.168.56.0/24) of your router, and the default password used to log into it. Strictly speaking, changing the router's default password should be sufficient, but changing the router's default internal IP address and the default network you are on is also a good idea to help prevent future attacks on the router.
  • Prevention and detection: make sure you are using TLS/SSL when logging in to your bank site (or any other sensitive site). You should see a locked padlock somewhere in your browser when you are on your bank's login page, and the URL displayed in your browser should begin with https (e.g. https://www.yourbank.com/login). Pay very close attention to any certificate warning your browser presents; if you see one, something fishy may be going on, and you should abort the login (do not enter your ID/password) if anything unusual is happening that you do not understand.
View Network World article here.
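As an added example (not from the article or from Symantec), here is a Python check in the spirit of the prevention bullet: it audits the resolvers a PC's DHCP client recorded and, because the PC keeps pointing at the router after this attack so a local check alone sees nothing wrong, it also compares the configured resolver's answer for a hostname with a trusted resolver's answer. The LAN range, the trusted resolver, the hostnames other than www.yourbank.com and the whole answer table are constructed assumptions; replace fake_resolve with real lookups to use it.

```python
import ipaddress
import re

# Constructed sample of what the DHCP client wrote on the PC; not taken from the article.
SAMPLE_RESOLV_CONF = """\
# Generated by dhclient (constructed sample)
nameserver 192.168.1.254
nameserver 203.0.113.77
"""

LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed home network
TRUSTED = {ipaddress.ip_address("198.51.100.10")}     # assumed ISP resolver (placeholder)

# Constructed answer table standing in for real lookups. The router-supplied resolver
# (hijacked, as in the article) returns a different address for the bank than the
# trusted resolver does, while an unrelated name resolves identically on both.
FAKE_ANSWERS = {
    ("192.168.1.254", "www.yourbank.com"): "203.0.113.5",
    ("198.51.100.10", "www.yourbank.com"): "172.20.201.33",
    ("192.168.1.254", "www.example.com"): "198.51.100.80",
    ("198.51.100.10", "www.example.com"): "198.51.100.80",
}

def parse_nameservers(text):
    """Extract nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            servers.append(ipaddress.ip_address(m.group(1)))
    return servers

def audit_resolvers(text, lan=LAN, trusted=TRUSTED):
    """Flag any resolver that is neither on the LAN (the router) nor in the trusted set."""
    return [(str(s), "ok" if s in lan or s in trusted else "suspect")
            for s in parse_nameservers(text)]

def fake_resolve(server, host):
    """Stand-in for a real A-record lookup against a specific server (constructed data)."""
    return FAKE_ANSWERS[(str(server), host)]

def compare_answers(host, configured, trusted_server, resolve=fake_resolve):
    """Ask the configured resolver and a trusted one for the same name. A mismatch is the
    signature of a hijacked upstream, which audit_resolvers cannot see on its own."""
    a = resolve(configured, host)
    b = resolve(trusted_server, host)
    return {"host": host, "configured": a, "trusted": b, "match": a == b}

if __name__ == "__main__":
    print(audit_resolvers(SAMPLE_RESOLV_CONF))
    print(compare_answers("www.yourbank.com", "192.168.1.254", "198.51.100.10"))
```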

Last updated: Wednesday, 26 March 2008 23:38