Feeds

Spotted in the wild: Home router attack serves up counterfeit pages

Drive-by pharming

Choosing a cloud hosting partner with confidence

A security researcher says he has observed criminals using a new form of attack that causes victims to visit spoofed banking pages by secretly making changes to their high-speed home routers.

According to Symantec researcher Zulfikar Ramzan, the attack changes a router's settings controlling the domain name system server that translates domain names like theregister.co.uk into numerical IP address.

Malicious javascript code embedded into one email message he uncovered caused the URL for a popular Mexico-based bank to map to a fraudulent website controlled by the attackers. Anyone who tried to do business on the rogue site would have their banking credentials lifted.

The attack blends two methods that have grown increasingly common over the past year. Criminals have already been caught using large numbers of rogue DNS servers that silently send people to counterfeit versions of trusted websites.

Add to that the increasing number of documented security bugs in home routers, which frequently allow attackers thousands of miles away to make administrative changes that open end-users up to identity theft and other risks.

Last February, Ramzan first theorised about the possibility of what he termed "drive-by pharming" attacks. They'd come in the form of websites or emails that could change router DNS settings through a technique known as cross-site request forgery.

The attack would require the router's administrative password to be entered, but given the high percentage of home users who never bother to change a default password, he reckoned that the exploit would nonetheless be effective.

As it turns out, the attacks Ramzan has since witnessed were even more effective than he expected, at least when used against certain brands of routers, which were penetrated even without a password being entered (Ramzan didn't identify the specific router or vulnerability that made this possible. It sounds vaguely similar to an authentication bypass bug recently documented in routers made by Thomson/Alcatel, but that's just a guess on our part).

While the email is believed to be the first time the attack has been spotted in the wild, Ramzan says he's not particularly surprised.

"Given the simplicity of the attack and the potential widespread implications, we always felt that it would simply be a matter of time before it happened," he writes. "The building blocks have been out there for some time and anyone with sufficient familiarity could easily put them together." ®

Security for virtualized datacentres

More from The Register

next story
It's Big, it's Blue... it's simply FABLESS! IBM's chip-free future
Or why the reversal of globalisation ain't gonna 'appen
'Hmm, why CAN'T I run a water pipe through that rack of media servers?'
Leaving Las Vegas for Armenia kludging and Dubai dune bashing
Bitcasa bins $10-a-month Infinite storage offer
Firm cites 'low demand' plus 'abusers'
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
Pssst. Want to buy a timeshare in the clouds?
The Google dilemma — controller or spreader of knowledge?
CAGE MATCH: Microsoft, Dell open co-located bit barns in Oz
Whole new species of XaaS spawning in the antipodes
Microsoft and Dell’s cloud in a box: Instant Azure for the data centre
A less painful way to run Microsoft’s private cloud
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.