drive-by pharming
SearchSecurity.com Definitions (Powered by WhatIs.com)


DEFINITION - Drive-by pharming is a vulnerability exploit in which the attacker takes advantage of an inadequately protected broadband router to gain access to user data. Symantec developed the technique, in conjunction with Indiana University, as a proof-of-concept exploit that could result in identity theft or other unwanted results, such as denial of service (DoS) or malware infection. Routers that are susceptible to a drive-by pharming attack include products from Cisco, D-Link, Linksys and Netgear. Cisco released an advisory stating that 77 percent of its routers were at risk.

The vulnerability stems from the fact that most routers ship with default passwords and internal IP address ranges and have Web-based interfaces for configuration. In December 2006, researchers Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson released the paper "Technical Report TR641: Drive-By Pharming." Although there had been, at that point, no reports of drive-by pharming in the wild, the researchers illustrated how easy it would be to exploit the natural browsing habits of users who had not changed default passwords for their routers.

To take advantage of that vulnerability, all the attacker has to do is write a single line of JavaScript, specifying known default router password values (which are often accessible online) and adding an HTTP query that will reconfigure router DNS server settings to specify their own DNS server. The attacker can then insert the JavaScript into the HTML code on a Web page and send users to that page through links in spam or on a valid -- but compromised -- Web site.

As with other pharming exploits, drive-by pharming takes advantage of the user's normal browsing habits by redirecting requests. Once the user has been taken to the Web page containing the JavaScript, it is quite simple for the attacker to redirect a site and then access any data the user enters there. Pharming differs from phishing in that larger numbers of computer users can be victimized -- because it is not necessary to target individuals one by one -- and no conscious action is required on the part of the victim.

To guard against drive-by pharming, users should change the passwords for their routers at installation. According to the results of a study by Indiana University, 50 percent of users currently fail to do so. To create a safer online environment overall, router manufacturers should create set-up procedures that ensure default settings are changed during installation and configuration.
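
Because the attack works by changing the router's DNS server setting, a changed resolver is the trace a defender can check for. The following is an added example, not part of the original definition: it parses resolv.conf-style text and reports any configured resolver that is not on an expected list. The sample file, the addresses and the function names are constructed for illustration, and it assumes the router hands its configured DNS servers to clients over DHCP.

```python
import ipaddress

# Constructed sample: resolv.conf as a DHCP client might write it after the
# router's DNS setting was changed. 203.0.113.53 and 198.51.100.10 are
# documentation addresses (RFC 5737), not real resolvers.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
search home.example
nameserver 192.168.1.1
nameserver 203.0.113.53
options timeout:2
"""

# Assumption: the resolvers this network is supposed to use.
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.10"}


def normalize(addr):
    """Canonical form of an IP address; unparsable text is returned as-is."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return addr  # kept, so a malformed entry is still reported


def parse_nameservers(text):
    """Return the nameserver entries from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(normalize(fields[1]))
    return servers


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """List configured resolvers that are not on the expected allowlist."""
    allowed = {normalize(a) for a in expected}
    return [s for s in parse_nameservers(text) if s not in allowed]


if __name__ == "__main__":
    for server in unexpected_resolvers(SAMPLE_RESOLV_CONF):
        print(f"ALERT: unexpected DNS resolver configured: {server}")
```

Where clients list only the router's own address as their resolver, the same comparison has to be made against the DNS servers shown in the router's configuration interface.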


LAST UPDATED: 02 Mar 2007


More resources from around the web:
- The original paper is available online.
- CBRonline.com explains how a 'Drive-By Pharming Attack Could Hit Home Networks.'
- On SearchSecurity.com, Bill Brenner reported on the vulnerability in Cisco routers.




