Research: ‘Drive-by pharming’ attacks need only router access to steal personal information

As many as half of all broadband users - including some small- and medium-size enterprises - are susceptible to a new pharming attack that can succeed without the hacker ever penetrating the computer, Symantec announced today.

Router access is enough for attackers to steal personal information from unsuspecting users, Zulfikar Ramzan, senior principal researcher at Symantec Security Response, said today. But there is a simple fix – change the password.

The attack – described in a new report from Symantec and Indiana University – begins by employing social engineering tactics to dupe users into visiting a malicious webpage containing a "simple piece" of JavaScript code, Ramzan said. The code, regardless of whether users’ machines are fully patched, will attempt to simulate a log-in to the broadband router so the attacker, assuming the user is running a default password, can gain access to it.

Many routers are protected with default credentials, making it easy for the attacker to correctly enter the information and gain access to the router, Ramzan said. With control over the router, the attacker can then configure the router’s Domain Name System (DNS) settings to lead an unknowing user to a malicious website, such as one that mimics his or her real banking site.

"The main thing is that once an attacker controls a router, they control the conduit by which the user accesses the internet," Ramzan said. "They can take you anywhere on the internet without you knowing it."

The technique, dubbed "drive-by pharming," has been made public in a new paper written by Ramzan, Indiana University Associate Professor of Informatics Markus Jakobsson and his graduate student, Sid Stamm.

So far, the authors have seen no exploits in the wild. But today, Symantec issued a news release urging users to protect their broadband networks by customizing their passwords. No new security solutions are needed, Ramzan said.

"We feel a lot of people are vulnerable to this attack," he said. "Most people don’t know they should change those (router) passwords. Most people don’t know how to change those passwords."

Experts estimate that as many as half of broadband users run a default password, Jakobsson said today.

"People can deal with it very easily," Ramzan said. "You don’t have to wait for a vendor to issue a patch. You can go in and change your password, and in two minutes, you’ll be protected."

Many small- and medium-size enterprises use broadband routers to connect to the internet and they, too, should be cognizant of the new threat, he said.

"When that router gets configured (by the hacker), every machine on the network will be using a wrong DNS server," he said. "Every machine on that network will now be susceptible to the bad things that can happen when your router is controlled by an attacker."

Organizations should be aware that remote workers using a router to access the internet at home may infect the company network if they are attacked.

Ramzan called on router manufacturers, such as LinkSys, a division of Cisco, to prompt password changes during the initial set-up of the product.

"This is pretty bad because it strikes at unsecured software and hardware," Jakobsson said.

Reporter: Dan Kaplan.
