Protecting networks against drive-by pharming attack

(03/11/2008)

The wireless communication revolution brought fundamental changes and allows us to access e-mail, internet, personal information and network resources anywhere, any time. Due to the ease of installation, convenience, mobility and increasing popularity of laptops, wireless networks are becoming more and more popular, even with home users. As wireless communications at home become more widespread, so does the use of internal broadband routers. People want to hook up two or more computers and/or game consoles to the internet and use routers to create an internal network at home.

What few people know is that wireless routers can be tampered with to misdirect legitimate browser links to bogus websites, which may result in malware infections and identity theft. This technique, known as drive-by pharming allows hackers to gain control over the router of a victim by altering the router’s Domain Name System (DNS) settings. The DNS maps the domain names of websites to their IP addresses.

With drive-by pharming, users are redirected to a webpage or receive an e-mail containing malicious JavaScript. The code makes a login attempt into the user's home broadband router, and then attempts to change its DNS server settings to point to an attacker-controlled DNS server. This kind of attack does not require the user to download any malicious software, simply viewing a web page or e-mail containing the JavaScript Code is enough.

The most notorious drive-by pharming attack occurred in January 2008. Hackers were able to login to a certain type of router distributed by a big Latin American Internet Service Provider. Victims received an e-mail saying there was an e-card waiting for them from the legitimate website www.gusanito.com. The e-mail contained embedded malicious code modifying the router’s DNS settings so that the URL for the banking site of one of the largest banks in Mexico would be mapped to an attacker’s web site. Anyone who subsequently conducted online banking transactions with this bogus web site using the same computer was directed to the attacker’s site instead and had their credentials stolen.

Drive-by pharming can occur because consumer grade router equipment often works with default settings and administrative passwords are seldom changed. Attackers guess the default passwords and are therefore able to gain access to routers. But changing default passwords is no guarantee to prevent these attacks. Many altered passwords can be quickly guessed through dictionary attacks because most routers do not use time penalties for incorrect log-in attempts. Moreover, lot of people make use of public hotspots in shopping malls, libraries and airports to conduct their business as a result of which control of security settings no longer lies in their own hands

How to prevent your credentials such as personal information, credit card data, usernames and password, being stolen? Local router compromise is difficult to detect and end-users are seldom able to tell the difference between the legitimate and bogus website as the URL and look-and-feel of the sites are identical.
Identity theft such as occurred with the Latin American bank, could have been prevented by securing user’s credentials through strong authentication.
Authentication enables user to verify the digital identity of the sender. In other words, it allows you to be sure that the user effectively is who he claims to be.
VASCO’s Digipass technology is a two-factor authentication solution based on something you have (your Digipass) and something you know (a PIN code). The use of two different factors delivers ahigher level of authentication assurance.

Digipass is an authentication solution offering both One-Time passwords and electronic signatures. The One-Time Password concept replaces static passwords, such as the name of your favourite pet, with dynamic strong passwords based on a time principle. These dynamic passwords can only be used once after which they expire. Since the passwords changes default every 32 seconds, fraudsters are forced to operate in real time, making batch processing of username and password-combinations impossible.

Electronic signatures guarantee security on transaction level. They prevent fraudsters from intercepting your sensitive data. Once a transaction is signed with an e-signature, the content can no longer be changed. If fraudsters alter the transaction data, the electronic signature becomes invalid.

DIGIPASS One-Time passwords and electronic signatures provide strong protection against drive-by pharming attacks.

More information about VASCO and DIGIPASS on www.vasco.com.

Related topics:  Authentication and identity management 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources