16 Feb 07

Drive-by Pharming

The Symantec Security Response blog has published a post by Zulfikar Ramzan about a new type of emerging threat: the “drive-by pharming” attack.

It’s really a combination of different things: getting the victim to browse a malicious web page, which uses Cross-Site Request Forgery to log on to the broadband router using its default password, and then changing the DNS configuration to hijack the user’s sessions, redirecting subsequent browsing to malicious sites.

It seems convoluted, but apparently it works. Proof-of-concept code has been developed by Mr. Ramzan together with researchers from the University of Indiana (Sid Stamm and Markus Jakobsson).

In the author’s own words:

Now, let’s go into a slightly more technical description. The attackers create a Web page that includes malicious JavaScript code. When the Web page is viewed, this code, running in the context of your Web browser, uses a technique known as ‘Cross Site Request Forgery’ and logs into your local home broadband router. Now, most such routers require a password for logging in. However, most people never change this password from the original factory default. Upon successful login, the JavaScript code changes the router’s settings. One simple, but devastating, change is to the user’s DNS server settings.


In our attack, the attackers can actually modify the settings on your home wireless router to dictate which DNS server you use. Even worse, they can get you to use a server that they created themselves. This server could have bogus records that tell your computer to go to the wrong IP address when you type in www.my-bank.com. The attackers can set up a fake Web site that looks just like your bank. Then, they can associate this fake Web site’s IP address with the address www.my-bank.com. Now whenever you think you’re going to your bank’s Web site, you’ll actually wind up at the attackers’ site. You may never know the difference. In the meantime, the attackers have stolen your bank account information.

The original paper is Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson, “Drive-By Pharming”.
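To make the CSRF step concrete from the defender’s side, here is an added toy model (not code from the paper or the blog) of a router admin endpoint that changes the DNS servers. The first handler honours any request that carries a valid session cookie, which is exactly what a cross-site page can make the browser send; the second also demands an Origin/Referer from the router itself and a per-session token that a third-party page cannot read. The router address, session scheme and DNS values are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Assumed LAN address of the router's admin UI (constructed for this example).
ROUTER_ORIGIN = "http://192.168.1.1"


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST as the router's admin UI would see it."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


@dataclass
class Router:
    dns_servers: list = field(default_factory=lambda: ["10.0.0.1"])  # assumed ISP resolver
    sessions: dict = field(default_factory=dict)  # session id -> CSRF token

    def login(self):
        """Issue a session and a token bound to it (after the password check, omitted here)."""
        sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.sessions[sid] = token
        return sid, token

    def set_dns_vulnerable(self, req: Request) -> bool:
        """Accepts the change on the strength of the cookie alone. The browser attaches
        the router's cookie to a form auto-submitted by any page, so this is forgeable."""
        if req.cookies.get("sid") not in self.sessions:
            return False
        self.dns_servers = req.form["dns"].split(",")
        return True

    def set_dns_hardened(self, req: Request) -> bool:
        """Same change, but only for requests the router's own pages could have made."""
        sid = req.cookies.get("sid")
        if sid not in self.sessions:
            return False
        # 1. The request must originate from the router UI, not a third-party page.
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not origin.startswith(ROUTER_ORIGIN):
            return False
        # 2. The form must carry the per-session token; compare in constant time.
        if not secrets.compare_digest(req.form.get("csrf", ""), self.sessions[sid]):
            return False
        self.dns_servers = req.form["dns"].split(",")
        return True
```

Changing the factory-default password is still the first line of defence: without a valid login the cookie never exists, and neither handler accepts the change.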


2 Responses to “Drive-by Pharming”


1. jacko, Feb 22nd, 2007 at 11:00 pm

    Hi

    You’ve been mentioned at http://www.computerworld.com/blogs/node/5003

    Nice blog!

2. meneame.net, Trackback on Feb 16th, 2007 at 9:07 am
