Threat Management, Incident Response, TDR, Vulnerability Management

Drive-by pharming attacks seen in the wild

The first drive-by pharming attacks have been spotted in the wild, researchers said this week.

The attack can use malicious HTML or JavaScript code placed within an email or on a webpage to infect a PC, according to researchers at Symantec Security Response.

The malicious code changes the victimized PC's DNS server settings, referring all requests to the attacker's server, researcher Zulfikar Ramzan said on the Security Response blog on Tuesday.

Ramzan, who discussed proof-of-concept drive-by pharming on the blog about a year ago, said that Symantec had found an in-the-wild variant posing as an e-card with a malicious IMG tag. The malware modified DNS settings to redirect traffic to a different – and likely malicious – webpage.

“Given the simplicity of the attack, and the potential widespread implications, we always felt that it would simply be a matter of time before it happened,” said Ramzan. “The building blocks have been out there for some time, and anyone with sufficient familiarity could easily put them together. I've said before, and I'd like to reiterate, that the technical details of the attack are not nearly as noteworthy as the potential widespread implications.”

The scheme requires a malware author to guess the victim's administrative password – not a difficult task since many end-users employ a default or are not aware a password even exists, according to Ramzan.

Symantec advised end-users to choose complicated passwords and reset the router. End-users who believe they are victims should change their website passwords.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.