Feeds

Spotted in the wild: Home router attack serves up counterfeit pages

Drive-by pharming

Secure remote control for conventional and virtual desktops

A security researcher says he has observed criminals using a new form of attack that causes victims to visit spoofed banking pages by secretly making changes to their high-speed home routers.

According to Symantec researcher Zulfikar Ramzan, the attack changes a router's settings controlling the domain name system server that translates domain names like theregister.co.uk into numerical IP address.

Malicious javascript code embedded into one email message he uncovered caused the URL for a popular Mexico-based bank to map to a fraudulent website controlled by the attackers. Anyone who tried to do business on the rogue site would have their banking credentials lifted.

The attack blends two methods that have grown increasingly common over the past year. Criminals have already been caught using large numbers of rogue DNS servers that silently send people to counterfeit versions of trusted websites.

Add to that the increasing number of documented security bugs in home routers, which frequently allow attackers thousands of miles away to make administrative changes that open end-users up to identity theft and other risks.

Last February, Ramzan first theorised about the possibility of what he termed "drive-by pharming" attacks. They'd come in the form of websites or emails that could change router DNS settings through a technique known as cross-site request forgery.

The attack would require the router's administrative password to be entered, but given the high percentage of home users who never bother to change a default password, he reckoned that the exploit would nonetheless be effective.

As it turns out, the attacks Ramzan has since witnessed were even more effective than he expected, at least when used against certain brands of routers, which were penetrated even without a password being entered (Ramzan didn't identify the specific router or vulnerability that made this possible. It sounds vaguely similar to an authentication bypass bug recently documented in routers made by Thomson/Alcatel, but that's just a guess on our part).

While the email is believed to be the first time the attack has been spotted in the wild, Ramzan says he's not particularly surprised.

"Given the simplicity of the attack and the potential widespread implications, we always felt that it would simply be a matter of time before it happened," he writes. "The building blocks have been out there for some time and anyone with sufficient familiarity could easily put them together." ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Linux? Bah! Red Hat has its eye on the CLOUD – and it wants to own it
CEO says it will be 'undisputed leader' in enterprise cloud tech
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Hey, what's a STORAGE company doing working on Internet-of-Cars?
Boo - it's not a terabyte car, it's just predictive maintenance and that
Troll hunter Rackspace turns Rotatable's bizarro patent to stone
News of the Weird: Screen-rotating technology declared unpatentable
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.