First case of "drive-by pharming" identified by Symantec
Symantec has detected what is believed to be the first recorded case of what they call "drive-by pharming". The attacker changes the DNS settings on your router in order to direct you to another site (a site that he controls). He can then steal your information when you access your bank site.
In short, the attack includes the following steps:
View Network World article here.
- The attacker sends you an email with an image link in it.
- The link tries to connect to the default IP address of a 2Wire DSL router and attempts to change the router's DNS settings using the default password.
- Because your computer gets its IP address and DNS settings from the DHCP server embedded in the router, it now queries the attacker's DNS server whenever it needs to translate a host name (e.g. www.yourbank.com) into a numeric IP address (e.g. 172.20.201.33).
- The next time you point your browser to your bank's web site (e.g. http://www.yourbank.com) you are directed to the attacker's site, which mimics your bank's site.
- What is new here is that you do not need to click any link inside the email; simply viewing it in an email client that displays images is enough to get your router hijacked.
- Solution: Change the default IP address and the default network (e.g. 192.168.56.0/24) of your router, and the default password used to log into it. Strictly speaking, changing the router's default password should be sufficient, but changing the router's default internal IP address and the default network you are on might also be a good idea to help prevent future attacks on the router.
- Prevention and detection: Make sure you are using TLS/SSL when logging in to your bank site (or any other sensitive site). You should see a locked padlock somewhere in your browser when you are on your bank's login page, and the URL displayed in your browser should begin with https (e.g. https://www.yourbank.com/login). Pay close attention to any certificate warning your browser presents. If you see one, something fishy may be going on, and you should abort the login process (do not enter your ID/password) if anything unusual is happening that you do not understand.
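Since the computer takes its DNS servers from the router's DHCP, the resolver list on the computer is the first place a hijacked router shows up. As an added example (not code from the original post), this Python check parses a resolv.conf-style resolver list and flags any nameserver that is not the router or another resolver you expect; the sample text, the LAN 192.168.56.0/24 with router 192.168.56.1, and the address 203.0.113.9 standing in for an unexpected resolver are all constructed.

```python
import ipaddress

# Constructed sample of what a DHCP client might write after the router's
# DNS settings were changed: an address outside the LAN (203.0.113.9, a
# documentation-range address used here as a placeholder) now comes first.
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client
search home.lan
nameserver 203.0.113.9
nameserver 192.168.56.1   # the router itself, as expected
"""


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))
    return servers


def audit_nameservers(resolv_conf_text, lan_cidr, expected):
    """Classify each resolver: 'ok' if it is one you expect (router or
    ISP resolvers), 'on-lan' if it is some other LAN address, 'off-lan'
    if it lies outside your network and is not on the expected list."""
    lan = ipaddress.ip_network(lan_cidr)
    expected_set = {ipaddress.ip_address(a) for a in expected}
    verdicts = []
    for ns in parse_nameservers(resolv_conf_text):
        if ns in expected_set:
            verdict = "ok"
        elif ns in lan:
            verdict = "on-lan"
        else:
            verdict = "off-lan"
        verdicts.append((str(ns), verdict))
    return verdicts


def suspicious_nameservers(resolv_conf_text, lan_cidr, expected):
    """Addresses worth investigating, in the order the resolver uses them."""
    return [a for a, v in audit_nameservers(resolv_conf_text, lan_cidr, expected)
            if v != "ok"]


if __name__ == "__main__":
    for addr, verdict in audit_nameservers(SAMPLE_RESOLV_CONF, "192.168.56.0/24",
                                           ["192.168.56.1"]):
        print(addr, verdict)
```

If your ISP's resolvers are handed out directly by the router, add them to the expected list; a resolver that is neither the router nor one you recognise is the signal to log into the router and check its DNS settings.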
Last updated (Wednesday, 26 March 2008 23:38)