Feeds

Spotted in the wild: Home router attack serves up counterfeit pages

Drive-by pharming

Next gen security for virtualised datacentres

A security researcher says he has observed criminals using a new form of attack that causes victims to visit spoofed banking pages by secretly making changes to their high-speed home routers.

According to Symantec researcher Zulfikar Ramzan, the attack changes a router's settings controlling the domain name system server that translates domain names like theregister.co.uk into numerical IP address.

Malicious javascript code embedded into one email message he uncovered caused the URL for a popular Mexico-based bank to map to a fraudulent website controlled by the attackers. Anyone who tried to do business on the rogue site would have their banking credentials lifted.

The attack blends two methods that have grown increasingly common over the past year. Criminals have already been caught using large numbers of rogue DNS servers that silently send people to counterfeit versions of trusted websites.

Add to that the increasing number of documented security bugs in home routers, which frequently allow attackers thousands of miles away to make administrative changes that open end-users up to identity theft and other risks.

Last February, Ramzan first theorised about the possibility of what he termed "drive-by pharming" attacks. They'd come in the form of websites or emails that could change router DNS settings through a technique known as cross-site request forgery.

The attack would require the router's administrative password to be entered, but given the high percentage of home users who never bother to change a default password, he reckoned that the exploit would nonetheless be effective.

As it turns out, the attacks Ramzan has since witnessed were even more effective than he expected, at least when used against certain brands of routers, which were penetrated even without a password being entered (Ramzan didn't identify the specific router or vulnerability that made this possible. It sounds vaguely similar to an authentication bypass bug recently documented in routers made by Thomson/Alcatel, but that's just a guess on our part).

While the email is believed to be the first time the attack has been spotted in the wild, Ramzan says he's not particularly surprised.

"Given the simplicity of the attack and the potential widespread implications, we always felt that it would simply be a matter of time before it happened," he writes. "The building blocks have been out there for some time and anyone with sufficient familiarity could easily put them together." ®

Next gen security for virtualised datacentres

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.