drive-by pharming

The vulnerability stems from the fact that most routers ship with default passwords and internal IP address ranges and have Web-based interfaces for configuration. In a December 2006 paper, researchers Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson released "Technical Report TR641: Drive-By Pharming." Although there had been, at that point, no reports of drive-by pharming in the wild, the researchers illustrated how easy it would be to exploit the natural browsing habits of users who had not changed default passwords for their routers.

To take advantage of that vulnerability, all the attacker has to do is write a single line of JavaScript, specifying known default router password values (which are often accessible online) and adding an HTTP query that will reconfigure router DNS server settings to specify their own DNS server. The attacker can then insert the JavaScript into the HTML code on a Web page and send users to that page through links in spam or on a valid -- but compromised -- Web site.

As with other pharming exploits, drive-by pharming takes advantage of the user's normal browsing habits by redirecting requests. Once the user has been taken to the Web page containing the JavaScript, it is quite simple for the attacker to redirect a site and then access any data the user enters there. Pharming differs from phishing in that larger numbers of computer users can be victimized -- because it is not necessary to target individuals one by one -- and no conscious action is required on the part of the victim.

To guard against drive-by pharming, users should change the passwords for their routers at installation. According to the results of a study by Indiana University, 50 percent of users currently fail to do so. To create a safer online environment overall, router manufacturers should create set-up procedures that ensure default settings are changed during installation and configuration.

Read more about drive-by pharming: - The original paper is available online. - CBRonline.com explains how a 'Drive-By Pharming Attack Could Hit Home Networks.' - On SearchSecurity.com, Bill Brenner reported on the vulnerability in Cisco routers.

Do you have something to add to this definition? Let us know. Send your comments to techterms@whatis.com

BROWSE BY TAG Information Security Threats,   Emerging Information Security Threats,   Enterprise Data Protection,   Identity Theft and Data Security Breaches,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Antispyware buying guide for Indian enterprises This guide designed specifically for Indian businesses explores the key considerations in choosing an antispyware solution and offers an overview of... ATM malware lets attackers take over machines Trustwave investigators say sophisticated malware used in Eastern Europe allows attackers to steal track data, PINs and cash from infected ATMs. FTC shutters rogue ISP for hosting malicious content, botnets Executives at Triple Fiber Network are suspected of recruiting bot herders and hosting botnet command and control servers.

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) DNS rebinding is an exploit in which the attacker uses JavaScript in a malicious Web page to gain control of the victim's router. The attack works... JavaScript hijacking  (SearchSecurity.com) JavaScript hijacking is a technique that an attacker can use to read sensitive data from a vulnerable Web application, particularly one using Ajax...