Symantec Security in conjunction with the Indiana University School of Informatics has uncovered a significant new security threat. In this attack, dubbed “Drive-by Pharming,” consumers may fall victim to pharming by having their home broadband routers reconfigured by a malicious web site. According to a separate informal study conducted by Indiana University, up to 50 percent of home broadband users are susceptible to this attack.
With traditional pharming, an attacker aims to redirect a user attempting to visit one web site to a bogus web site under the attacker's control. Pharming can be conducted either by changing the hosts file on a victim's computer or through manipulation of the Domain Name System (DNS). Drive-by pharming is a new type of threat in which a user merely visits a malicious web site and the attacker is then able to change the DNS settings on the user's broadband router or wireless access point, so that name lookups from every machine on that home network are answered by a DNS server of the attacker's choosing. DNS servers are the computers responsible for resolving Internet names into their real "Internet Protocol" or IP addresses, functioning as the "signposts" of the Internet. For a computer to connect to a server on the Internet it needs that server's IP address, and it obtains it by asking the DNS server it has been configured to use; whoever controls that DNS server can answer with whatever address they like. Drive-by pharming is made possible when a broadband router is not password protected or an attacker is able to guess the password; for example, most routers ship with a well-known default password that the user never changes.
The fraudulent sites the victim is redirected to are near-exact replicas of the genuine site, so the user will likely not recognize the difference; because the redirection happens at the DNS level, the browser's address bar still shows the genuine site's name. Once the user is directed to the pharmer's "bank" site and enters their user name and password, the attacker can steal this information. The attacker will then be able to access the victim's account on the real bank site and transfer funds, create new accounts, and write checks.