drive-by pharming

Drive-by pharming is a vulnerability exploit in which the attacker takes advantage of an inadequately protected broadband router to gain access to user data. Symantec developed the technique, in conjunction with Indiana University, as a proof-of-concept exploit that could result in identity theft or other unwanted results, such as denial of service (DoS) or malware infection. Routers that are susceptible to a drive-by pharming attack include products from Cisco, D-Link, Linksys and Netgear. Cisco released an advisory stating that 77 percent of their routers were at risk.

The vulnerability stems from the fact that most routers ship with default passwords and internal IP address ranges and have Web-based interfaces for configuration. In a December 2006 paper, researchers Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson released "Technical Report TR641: Drive-By Pharming." Although there had been, at that point, no reports of drive-by pharming in the wild, the researchers illustrated how easy it would be to exploit the natural browsing habits of users who had not changed default passwords for their routers.

To take advantage of that vulnerability, all the attacker has to do is write a single line of JavaScript, specifying known default router password values (which are often accessible online) and adding an HTTP query that will reconfigure router DNS server settings to specify their own DNS server. The attacker can then insert the JavaScript into the HTML code on a Web page and send users to that page through links in spam or on a valid -- but compromised -- Web site.

As with other pharming exploits, drive-by pharming takes advantage of the user's normal browsing habits by redirecting requests. Once the user has been taken to the Web page containing the JavaScript, it is quite simple for the attacker to redirect a site and then access any data the user enters there. Pharming differs from phishing in that larger numbers of computer users can be victimized -- because it is not necessary to target individuals one by one -- and no conscious action is required on the part of the victim.

To guard against drive-by pharming, users should change the passwords for their routers at installation. According to the results of a study by Indiana University, 50 percent of users currently fail to do so. To create a safer online environment overall, router manufacturers should create set-up procedures that ensure default settings are changed during installation and configuration.

This was last updated in March 2007

Continue Reading About drive-by pharming

Dig Deeper on Hacker tools and techniques: Underground hacking sites