Slashdot Mirror


Drive-By Pharming In the Wild

An anonymous reader writes "Symantec reported Tuesday that the first case of drive-by pharming, in which a hacker changes the DNS settings on a customer's broadband router or wireless access point and directs the link to a fraudulent Web site, has been observed in the wild. The first drive-by pharming attack has been observed against a Mexican bank: 'It's associated with an e-mail pretending to be from a legitimate Spanish-language e-greeting card company, Gusanito.com,' says Symantec Security Response principal researcher Zulfikar Ramzan. Inside the e-mail is an HTML image tag but instead of displaying images, it sends a request to the home router to tamper with it."
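
The mechanism the summary describes, as an added example that is not part of the original story or of Symantec's write-up: a hidden image tag in an HTML e-mail makes the victim's browser issue a GET to the router's configuration URL, carrying the factory-default credentials in the URL, and a router whose configuration handler accepts such a request silently has its DNS server replaced. The 192.168.1.1 address, the /setdns path and its parameter names, the admin/admin credentials, the TEST-NET addresses and the request model are all assumptions for illustration, not taken from any product. The hardened handler beside the vulnerable one shows the checks (POST only, same-origin Origin/Referer, a per-session anti-CSRF token, and no configuration while the factory password is still set) that defeat the image-tag request while still letting the owner change the setting.

```python
"""Drive-by pharming, seen from the router's side: an <img> tag in an HTML e-mail
makes the victim's browser GET the router's configuration URL with the factory
default credentials, and a handler that accepts that request rewrites the DNS
server. Added example: the router model, paths, parameter names and credentials
are hypothetical, not taken from any product or from the Symantec report."""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

ROUTER_HOST = "192.168.1.1"            # assumed LAN address of the router
FACTORY_DEFAULT = ("admin", "admin")    # assumed factory-default credentials
ATTACKER_DNS = "203.0.113.53"           # TEST-NET-3 address standing in for the rogue resolver
CLEAN_DNS = "192.0.2.53"                # TEST-NET-1 address standing in for the ISP resolver


def pharming_img_tag() -> str:
    """The payload the e-mail carries: a 1x1 image whose URL is a router config change."""
    return (f'<img src="http://{FACTORY_DEFAULT[0]}:{FACTORY_DEFAULT[1]}@{ROUTER_HOST}'
            f'/setdns?dns1={ATTACKER_DNS}&apply=1" width="1" height="1">')


def request_from_img(tag: str) -> dict:
    """Model the request a mail client or browser emits for the tag: a GET carrying
    Basic auth from the URL's userinfo, with no Origin/Referer from the router and
    no anti-CSRF token. (Constructed request model, not a real HTTP client.)"""
    src = tag.split('src="', 1)[1].split('"', 1)[0]
    u = urlsplit(src)
    creds = base64.b64encode(f"{u.username}:{u.password}".encode()).decode()
    return {"method": "GET", "path": u.path, "query": parse_qs(u.query),
            "form": {}, "headers": {"Authorization": "Basic " + creds}}


class Router:
    def __init__(self, password: str = FACTORY_DEFAULT[1]):
        self.password = password
        self.dns1 = CLEAN_DNS
        self.csrf_token = secrets.token_hex(16)   # issued with the admin page, per session

    def _authorized(self, req: dict) -> bool:
        auth = req["headers"].get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        return user == FACTORY_DEFAULT[0] and hmac.compare_digest(pw, self.password)

    def vulnerable_set_dns(self, req: dict) -> int:
        """The kind of handler the attack needs: any authenticated request, GET included,
        applies the change. Returns an HTTP-style status code."""
        if not self._authorized(req):
            return 401
        params = req["query"] if req["method"] == "GET" else req["form"]
        self.dns1 = params.get("dns1", [self.dns1])[0]
        return 200

    def hardened_set_dns(self, req: dict) -> int:
        """Same change, accepted only as a deliberate same-origin POST from a non-default account."""
        if req["method"] != "POST":
            return 405   # a GET must never change state; an <img> can only issue GETs
        if not self._authorized(req):
            return 401
        if hmac.compare_digest(self.password, FACTORY_DEFAULT[1]):
            return 403   # refuse all configuration until the factory password is changed
        origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
        if urlsplit(origin).hostname != ROUTER_HOST:
            return 403   # request did not originate from the router's own admin page
        if not hmac.compare_digest(req["form"].get("csrf", [""])[0], self.csrf_token):
            return 403   # token is known only to the page the user actually loaded
        self.dns1 = req["form"].get("dns1", [self.dns1])[0]
        return 200


def demo() -> tuple:
    """Run the e-mail payload against both handlers, then a legitimate change against the hardened one."""
    attack = request_from_img(pharming_img_tag())
    weak = Router()
    vuln_status = weak.vulnerable_set_dns(attack)      # 200: DNS now points at the attacker
    safe = Router(password="correct horse battery staple")
    hard_status = safe.hardened_set_dns(attack)        # 405: refused before credentials are even checked
    legit = {"method": "POST", "path": "/setdns", "query": {},
             "form": {"dns1": ["198.51.100.53"], "csrf": [safe.csrf_token]},
             "headers": {"Authorization": "Basic "
                         + base64.b64encode(b"admin:correct horse battery staple").decode(),
                         "Origin": f"http://{ROUTER_HOST}"}}
    legit_status = safe.hardened_set_dns(legit)        # 200: the user really made this change
    return vuln_status, weak.dns1, hard_status, legit_status, safe.dns1


if __name__ == "__main__":
    print(pharming_img_tag())
    print(demo())
```

The method check comes first on purpose: an image tag can only produce a GET, so rejecting state changes on GET stops this whole class before the credential question arises, and a user who has left the factory password in place is protected anyway by the refusal to configure anything until it is changed.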

6 of 205 comments

  1. Definition? by WarJolt · Score: 5, Interesting

    What does "drive-by" have to do with this kind of hack? Oh sure, we've all logged into neighbors' wireless routers and snickered because they've left the default password. Somehow I think the "drive-by" part was coined by a guy who thought of exploiting unsecured wireless routers and changing DNS settings. Am I the only one who doesn't think "drive-by" applies to this kind of attack?

  2. British Telecom Home Hub by ddrichardson · Score: 4, Interesting

    Anyone else notice that BT are taking this seriously? Log on to the router's home page and it tells you they have changed the default admin password (well, it will when you enter the unit's serial number as the admin password).

    --
    A thistle is a fat salad for an ass's mouth...
  3. Worse possibilities by Pitr · Score: 2, Interesting

    If you change the proxy settings on routers that have them, you could wreak all kinds of havoc, as you'd have access to all traffic, not just DNS requests. Or, you could update the firmware to something custom, with all kinds of sneaky badness hidden within, including blocking future clean firmware updates.

    It's a little extra work, but the companies that make these things should have unique passwords per device, or at least have logging into the admin interface wirelessly off by default. In an attempt to make things "just work" or "work right out of the box" security has suffered greatly.

    Also, if people need to read one page of detailed instructions to make their new device work, it will give them at least some tiny education about security. If they can't handle that, then they can pay someone to set it up for them. There's really no excuse for openly offering up security holes this big.

    --
    --Not to be worried, Pitr fix.
  4. Re:Enough with the default passwords. by blair1q · Score: 3, Interesting

    Because software can pop up a box on your screen saying "go look for the sticker on the box and type the letters and numbers (and maybe the dashes or maybe not, your guess is as good as ours) you see there into this box here then click the button that says 'OK'".

    Hardware says "blink"..."blink"..."blink"... and user calls customer support, adding $10 to the cost of every sale.

  5. Re:Enough with the default passwords. by IdeaMan · Score: 2, Interesting

    Using the LAN MAC address as the admin password is almost as stupid as using "admin" as the password.
    The LAN MAC address is burned into an EEPROM at time of manufacture. It is also reset to "Factory Default" when you reset the box. It should be trivial to burn a randomized default password at the same time, store it in a database and print it in the manual.
    If the customer calls up with an unresponsive router, customer service can read them the password out of the db.

    --
    They ARE out to get you simply because They are in it for themselves and they don't care about you.
  6. Re:Biggest Mexican Bank? by moco · Score: 2, Interesting

    It was Banamex, and the worm modified the target PC's hosts file. It wasn't even sophisticated enough to hack the broadband router... just a .exe file posing as a greeting card.

    --
    moi
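
A check for the variant moco describes, hosts-file pharming on the victim PC, as an added example that is not part of the thread or of any vendor's tooling. The sample hosts file is constructed, the watchlist is an assumption, and bank.example is a reserved name used to stand in for a second bank; the Banamex domain is included only because the comment names it. Beyond the watchlist, the second function generalises the detection to the pattern a pharming worm leaves behind regardless of which banks it targets: several unrelated domains pinned to one non-loopback address.

```python
"""Hosts-file pharming check, for the variant moco describes: the malware rewrote
the victim PC's hosts file rather than the router. Added example; the sample
hosts file, the watchlist and the bank.example name are constructed."""
import ipaddress

# Constructed sample: normal entries plus lines simulating a greeting-card .exe's additions.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
::1           localhost ip6-localhost
192.168.1.20  printer.lan
# lines below simulate the worm's additions
203.0.113.45  www.banamex.com banamex.com
203.0.113.45  online.bank.example
"""

WATCHLIST = {"banamex.com", "bank.example"}   # assumed: domains the analyst cares about


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower().rstrip(".")


def base_domain(name: str) -> str:
    """Crude registrable-domain guess (last two labels); enough for a hosts file."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def find_pharming(text: str, watchlist=WATCHLIST) -> list:
    """Entries that pin a watched domain, or any subdomain of it, to an address.
    A bank's name belongs in DNS, never in a hosts file, so every match is a finding;
    the reason distinguishes redirection (pharming) from loopback sinkholing (blocking)."""
    hits = []
    for ip, name in parse_hosts(text):
        if base_domain(name) not in watchlist:
            continue
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            hits.append((ip, name, "unparseable address"))
            continue
        hits.append((ip, name, "sinkholed" if loopback else "redirected"))
    return hits


def shared_targets(text: str, min_domains: int = 2) -> dict:
    """Generalisation beyond a watchlist: non-loopback IPs that several unrelated
    domains are pinned to. A worm rewriting many bank sites to one phishing host
    produces exactly this pattern, even for banks the analyst did not list."""
    by_ip = {}
    for ip, name in parse_hosts(text):
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue
        except ValueError:
            continue
        by_ip.setdefault(ip, set()).add(base_domain(name))
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    for hit in find_pharming(SAMPLE_HOSTS):
        print("pharming:", *hit)
    for ip, doms in shared_targets(SAMPLE_HOSTS).items():
        print("shared target:", ip, "<-", ", ".join(doms))
```

On a real machine, feed it the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts; the loopback case is reported separately because a 127.0.0.1 entry for a bank blocks the site rather than redirecting it, which is still tampering but points at a different kind of malware.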