Feeds

Spotted in the wild: Home router attack serves up counterfeit pages

Drive-by pharming

Boost IT visibility and business value

A security researcher says he has observed criminals using a new form of attack that causes victims to visit spoofed banking pages by secretly making changes to their high-speed home routers.

According to Symantec researcher Zulfikar Ramzan, the attack changes a router's settings controlling the domain name system server that translates domain names like theregister.co.uk into numerical IP address.

Malicious javascript code embedded into one email message he uncovered caused the URL for a popular Mexico-based bank to map to a fraudulent website controlled by the attackers. Anyone who tried to do business on the rogue site would have their banking credentials lifted.

The attack blends two methods that have grown increasingly common over the past year. Criminals have already been caught using large numbers of rogue DNS servers that silently send people to counterfeit versions of trusted websites.

Add to that the increasing number of documented security bugs in home routers, which frequently allow attackers thousands of miles away to make administrative changes that open end-users up to identity theft and other risks.

Last February, Ramzan first theorised about the possibility of what he termed "drive-by pharming" attacks. They'd come in the form of websites or emails that could change router DNS settings through a technique known as cross-site request forgery.

The attack would require the router's administrative password to be entered, but given the high percentage of home users who never bother to change a default password, he reckoned that the exploit would nonetheless be effective.

As it turns out, the attacks Ramzan has since witnessed were even more effective than he expected, at least when used against certain brands of routers, which were penetrated even without a password being entered (Ramzan didn't identify the specific router or vulnerability that made this possible. It sounds vaguely similar to an authentication bypass bug recently documented in routers made by Thomson/Alcatel, but that's just a guess on our part).

While the email is believed to be the first time the attack has been spotted in the wild, Ramzan says he's not particularly surprised.

"Given the simplicity of the attack and the potential widespread implications, we always felt that it would simply be a matter of time before it happened," he writes. "The building blocks have been out there for some time and anyone with sufficient familiarity could easily put them together." ®

Boost IT visibility and business value

More from The Register

next story
Pay to play: The hidden cost of software defined everything
Enter credit card details if you want that system you bought to actually be useful
HP busts out new ProLiant Gen9 servers
Think those are cool? Wait till you get a load of our racks
Shoot-em-up: Sony Online Entertainment hit by 'large scale DDoS attack'
Games disrupted as firm struggles to control network
Community chest: Storage firms need to pay open-source debts
Samba implementation? Time to get some devs on the job
Like condoms, data now comes in big and HUGE sizes
Linux Foundation lights a fire under storage devs with new conference
Silicon Valley jolted by magnitude 6.1 quake – its biggest in 25 years
Did the earth move for you at VMworld – oh, OK. It just did. A lot
prev story

Whitepapers

Gartner critical capabilities for enterprise endpoint backup
Learn why inSync received the highest overall rating from Druva and is the top choice for the mobile workforce.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.