Feeds

Spotted in the wild: Home router attack serves up counterfeit pages

Drive-by pharming

Providing a secure and efficient Helpdesk

A security researcher says he has observed criminals using a new form of attack that causes victims to visit spoofed banking pages by secretly making changes to their high-speed home routers.

According to Symantec researcher Zulfikar Ramzan, the attack changes a router's settings controlling the domain name system server that translates domain names like theregister.co.uk into numerical IP address.

Malicious javascript code embedded into one email message he uncovered caused the URL for a popular Mexico-based bank to map to a fraudulent website controlled by the attackers. Anyone who tried to do business on the rogue site would have their banking credentials lifted.

The attack blends two methods that have grown increasingly common over the past year. Criminals have already been caught using large numbers of rogue DNS servers that silently send people to counterfeit versions of trusted websites.

Add to that the increasing number of documented security bugs in home routers, which frequently allow attackers thousands of miles away to make administrative changes that open end-users up to identity theft and other risks.

Last February, Ramzan first theorised about the possibility of what he termed "drive-by pharming" attacks. They'd come in the form of websites or emails that could change router DNS settings through a technique known as cross-site request forgery.

The attack would require the router's administrative password to be entered, but given the high percentage of home users who never bother to change a default password, he reckoned that the exploit would nonetheless be effective.

As it turns out, the attacks Ramzan has since witnessed were even more effective than he expected, at least when used against certain brands of routers, which were penetrated even without a password being entered (Ramzan didn't identify the specific router or vulnerability that made this possible. It sounds vaguely similar to an authentication bypass bug recently documented in routers made by Thomson/Alcatel, but that's just a guess on our part).

While the email is believed to be the first time the attack has been spotted in the wild, Ramzan says he's not particularly surprised.

"Given the simplicity of the attack and the potential widespread implications, we always felt that it would simply be a matter of time before it happened," he writes. "The building blocks have been out there for some time and anyone with sufficient familiarity could easily put them together." ®

Providing a secure and efficient Helpdesk

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.