Slashdot Mirror


Drive-By Pharming In the Wild

An anonymous reader writes "Symantec reported Tuesday that the first case of drive-by pharming, in which a hacker changes the DNS settings on a customer's broadband router or wireless access point and directs the link to a fraudulent Web site, has been observed in the wild. The first drive-by pharming attack has been observed against a Mexican bank: 'It's associated with an e-mail pretending to be from a legitimate Spanish-language e-greeting card company, Gusanito.com,' says Symantec Security Response principal researcher Zulfikar Ramzan. Inside the e-mail is an HTML image tag but instead of displaying images, it sends a request to the home router to tamper with it."
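A defensive check for the delivery vector the summary describes, an HTML e-mail whose image tag makes the reader's client send a request to the home router: the scanner below flags auto-fetched URLs that point at private addresses or gateway hostnames. It is an added example, not part of the original submission or of Symantec's report; the sample message, its placeholder path and query string, and the `GATEWAY_NAMES` list are constructed assumptions.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that a mail client or browser fetches without a click.
AUTO_FETCH = {("img", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
# Assumed gateway hostnames; routerlogin.com is the one named in the thread.
GATEWAY_NAMES = {"routerlogin.com", "router", "gateway"}


def is_internal_host(host):
    """True for private, loopback or link-local IPs and known gateway names."""
    host = (host or "").lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so compare as a hostname
        return host in GATEWAY_NAMES or host.endswith((".local", ".lan"))
    return ip.is_private or ip.is_loopback or ip.is_link_local


class InternalFetchFinder(HTMLParser):
    """Collects (tag, host, has_query) for auto-fetched URLs aimed at the LAN."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in AUTO_FETCH or not value:
                continue
            try:
                url = urlsplit(value.strip())
            except ValueError:  # malformed URL, nothing to resolve
                continue
            if url.scheme in ("", "http", "https") and is_internal_host(url.hostname):
                self.findings.append((tag, url.hostname, bool(url.query)))


def scan_html(body):
    """Return findings for one HTML message body."""
    finder = InternalFetchFinder()
    finder.feed(body)
    return finder.findings


# Constructed sample message; the path and query string are placeholders.
SAMPLE = """<img src="http://www.example.com/card.gif">
<img src="http://192.168.1.254/placeholder-path?NAME=value" width="1" height="1">
<img src="http://routerlogin.com/placeholder-path?NAME=value">"""
```

A finding whose third field is true, meaning the URL carries a query string, deserves the closest look at a mail gateway, since a plain image fetch rarely needs parameters.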

14 of 205 comments

  1. Captcha? by tedhiltonhead · · Score: 5, Informative

    It sounds like a simple captcha image on the router's login page would thwart this.

    1. Re:Captcha? by Cato · · Score: 2, Informative

      Which reminds me, Netgear routers seem to redirect 192.168.0.1 to 'routerlogin.com' (owned by Netgear, but actually maps to your router normally). A somewhat dodgy design decision really as it serves to obfuscate what's happening when newbies log on to their router, which can't help them to learn more about security.

  2. Biggest Mexican Bank? by xtracto · · Score: 5, Informative

    2Wire DSL routers to point the user's Web browser to a fraudulent bank site that mimics the site of one of the largest Mexican banks.

    There is not much space to guess here, it is either Banamex or Bancomer...

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
    1. Re:Biggest Mexican Bank? by nesmex · · Score: 4, Informative

      Well, yes, it is Banamex. This attack was reported during late last year. This exploits a vulnerability in 2WIRE modems, as documented in US-CERT http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389
      Trend Micro has a more recent report on a variation of this attack http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
      The UNAM-CERT also has the "Gusanito" exploit documented (Spanish only) at http://www.seguridad.unam.mx/doc/?ap=articulo&id=196
      The attack overrides the modem's password...

  3. Re:Enough with the default passwords. by moderatorrater · · Score: 4, Informative

    Several reasons. First, it's easier to change what gets stamped into a cd than what gets set into the silicon. Second, the cd key isn't actually unique to the CD, it just conforms to an algorithm that determines whether or not the cd key fits the criteria for the software and then, when on the network, checks to make sure that the cd key was actually sold and that it's unique.

  4. DNS cache poisoning by the_kanzure · · Score: 3, Informative
    src

    The paper shows that BIND 9 DNS queries are predictable i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query (10 in the basic attack, and 1 in the advanced attack), thereby overcoming whatever protection offered by the transaction ID mechanism. This enables a much more effective DNS cache poisoning than the currently known attacks against BIND 9. The net effect is that pharming attacks are feasible against BIND 9 caching DNS servers, without the need to directly attack neither DNS servers nor clients (PCs). The results are applicable to all BIND 9 releases [1], when BIND (the named daemon) is in caching DNS server configuration.
    Langfeldt's DNS how-to
  5. Most Pooter owners too dumb to own one by Anonymous Coward · · Score: 4, Informative

    If you have a home network, there are several ways to secure it. Every router that I have ever owned has several characteristics. Look for the 'reset' key, make sure it is there and not like Asante where you have to short terminals 3 and 8 on the serial port...showin my age there folks. Make sure it is a real router and not a Windows appendage. Do NOT use a PCI modem that you cannot disconnect fast. Use an external modem on a SERIAL port. Do not use a combination cable modem/router. This is foisted on many users, and as a default feature sets up remote administration from the outside. That remote admin 'feature' is 'supposed to allow customer engineers to help......' you out of all your money. Don't surf as administrator if microsoftintheheady or as root if a Linux penguin. That's just askin to get hosed. Yeah, I'm a ramblin old fart, but all these things I have picked up from experience. Definitely change the default password, 'admin' or whatever on the router to something realllly strange and long. Write that password down and put it in your wallet, your wife's ring box, or whatever. Do not even try to memorize it as you will forget it when you need it. Don't use 'DHCP' that routers and network vendors want you to do. This means that all home networks are on 192.168.1.0 or some predictable net address that all hackers try first. Use a REAL network with a real address like 192.168.205.89 or something. This forces hackers to really fail many many times in guessing your network setup. With a real network, hand out your own addresses and make them random in the third and fourth hex digits so that hackers will have to guess out each and every terminal on your net. Now add MAC security to your router so that the hacker not only has to correctly guess from a crore of non standard addresses to address it, but only those with the right computer NIC can even be qualified to guess the password! Having a switch available to shut down suspects in a hurry helps too.
    I could go on, but if you have followed all this rambling, print it out and do it.

  6. Re:Let me guess... L: "admin" P: "admin" by Gideon+Fubar · · Score: 3, Informative

    There are 3 major combinations of default username/password combinations that cover the vast majority of home routers. They are U:admin P:admin, U:admin P:password and U:admin P: (that's right.. NO password.) This is true of Linksys, Dlink, Netgear, etc. With a bit of searching, you can even find this out from their very own websites.

    --
    http://www.xkcd.com/354/
  7. Let me explain by Pasajero · · Score: 5, Informative

    I live in Mexico, and yes, the bank name is Banamex (owned by Citibank) and this is how the hack works:

    The most prominent ISP in Mexico (Telmex) uses 2wire gateway modems, most of them wireless enabled. Security is turned on by default using serial numbers so no one from outside can login "easily".

    However, there is no default security from the inside, so the gusanito.com postcard contains a malicious flash program that sends a special URL to the modem that adds a DNS entry to its local name resolution table pointing www.banamex.com to a pharming site.

    Next time you open IE or any other browser and open www.banamex.com you'll get redirected to the other site.

    This is easily solved by putting a user password on the modem configuration, but not all people care to do that.

    1. Re:Let me explain by nesmex · · Score: 3, Informative

      Sorry to say this, but the attack overrides the modem's password. The attack from Gusanito and similar attacks (i.e. El Universal) probes with different common 2WIRE router addresses to get to the MDC. Fortunately it is not that elaborate... This attack was reported during late last year. This exploits a vulnerability in 2WIRE modems, as documented in US-CERT http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389
      Trend Micro has a more recent report on a variation of this attack http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
      The UNAM-CERT also has the "Gusanito" exploit documented (Spanish only) at http://www.seguridad.unam.mx/doc/?ap=articulo&id=196
      The attack overrides the modem's password...

  8. Re:Enough with the default passwords. by crymeph0 · · Score: 5, Informative

    It's easier to change what gets stamped into a cd than what gets set into the silicon

    Nope. I do embedded software, and write the test suite all those devices go through before being shipped to the customer. It's pretty standard to set custom stuff at that time, including the MAC ID for the unit. It would be just as easy to change the password at that time.

    Your comment about the CD key, however, is right on.

    --
    It should be illegal to say that freedom of speech should be limited.
  9. Re:Pfft by Ajehals · · Score: 2, Informative

    Hmm, personally I prefer my routers not to have too many potential vulnerabilities, yours sounds like a nightmare from that perspective. What you are telling me is that a box on the edge of your network, a box that presumably is very open to abuse also happens to hold a huge volume of data, not too bright, even if it is just TV shows. Personally I'd grab a modest piece of hardware suited to the role and ensure it was locked down as tightly as possible.

    Just out of interest, what OS is this monster router running?

  10. Look for the "https:" by steveha · · Score: 4, Informative

    As I understand it, even with this so-called pharming technique, the bad guys still cannot correctly spoof an "https:" page... at least not without compromising the private key used to secure the SSL connection, or compromising the private key of the certificate signing authority.

    When I explain to people how to use the Web, I always tell them to look for the security indicators before doing anything involving money.

    P.S. I wouldn't be surprised if the bad guys here added Javascript code to their fake bank site, to rewrite the address bar of the web browser to show the "https:". This is why I prefer to do all my online banking with Javascript disabled; thank you, NoScript.

    steveha

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely
  11. Re:Pfft by spinkham · · Score: 2, Informative

    Not necessarily..
    It is also possible to change settings on a router using UPnP using a malicious flash script...
    See http://www.gnucitizen.org/blog/flash-upnp-attack-faq for details.
    Most home routers have UPnP turned on, so you're not safe just because you have a good password.
    I would assume that most 3com gear does not have UPnP, so it is quite likely that you specifically are safe.
    Of course, anyone with a security clue has been saying UPnP is a BAD idea for a long time, but it used to be client side malware people were worried about, not well formed flash on any webpage...

    --
    Blessed are the pessimists, for they have made backups.