drive-by pharming

The vulnerability stems from the fact that most routers ship with default passwords and internal IP address ranges and have Web-based interfaces for configuration. In a December 2006 paper, researchers Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson released "Technical Report TR641: Drive-By Pharming." Although there had been, at that point, no reports of drive-by pharming in the wild, the researchers illustrated how easy it would be to exploit the natural browsing habits of users who had not changed default passwords for their routers.

To take advantage of that vulnerability, all the attacker has to do is write a single line of JavaScript, specifying known default router password values (which are often accessible online) and adding an HTTP query that will reconfigure router DNS server settings to specify their own DNS server. The attacker can then insert the JavaScript into the HTML code on a Web page and send users to that page through links in spam or on a valid -- but compromised -- Web site.

As with other pharming exploits, drive-by pharming takes advantage of the user's normal browsing habits by redirecting requests. Once the user has been taken to the Web page containing the JavaScript, it is quite simple for the attacker to redirect a site and then access any data the user enters there. Pharming differs from phishing in that larger numbers of computer users can be victimized -- because it is not necessary to target individuals one by one -- and no conscious action is required on the part of the victim.

To guard against drive-by pharming, users should change the passwords for their routers at installation. According to the results of a study by Indiana University, 50 percent of users currently fail to do so. To create a safer online environment overall, router manufacturers should create set-up procedures that ensure default settings are changed during installation and configuration.

Read more about drive-by pharming: - The original paper is available online. - CBRonline.com explains how a 'Drive-By Pharming Attack Could Hit Home Networks.' - On SearchSecurity.com, Bill Brenner reported on the vulnerability in Cisco routers.

Do you have something to add to this definition? Let us know. Send your comments to techterms@whatis.com

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT New media Trojan on the prowl Researchers at Secure Computing have detected a Trojan infecting MP3 and Windows media (WMV) audio files as well as WMV videos. DNS rebinding defenses still necessary, thanks to Web 2.0 Security Corner's Ken Harthun explains the new types of DNS vulnerabilities and how to keep them from compromising your router and exposing sensitive... Vendors rally to repair dangerous DNS flaw Microsoft, Cisco, ISC BIND and others have issued a coordinated release of patches to correct a DNS error that could lead to DNS cache poisoning.

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) DNS rebinding is an exploit in which the attacker uses JavaScript in a malicious Web page to gain control of the victim's router. The attack works... JavaScript hijacking  (SearchSecurity.com) JavaScript hijacking is a technique that an attacker can use to read sensitive data from a vulnerable Web application, particularly one using Ajax...