Slashdot Mirror

← Back to Stories (view on slashdot.org)

Drive-By Pharming In the Wild

Posted by kdawson on from the just-change-the-default-password-already dept.

An anonymous reader writes "Symantec reported Tuesday that the first case of drive-by pharming, in which a hacker changes the DNS settings on a customer's broadband router or wireless access point and directs the link to a fraudulent Web site, has been observed in the wild. The first drive-by pharming attack has been observed against a Mexican bank: 'It's associated with an e-mail pretending to be from a legitimate Spanish-language e-greeting card company, Gusanito.com,' says Symantec Security Response principal researcher Zulfikar Ramzan. Inside the e-mail is an HTML image tag but instead of displaying images, it sends a request to the home router to tamper with it."

7 of 205 comments (clear)

  1. Captcha? by tedhiltonhead · · Score: 5, Informative

    It sounds like a simple captcha image on the router's login page would thwart this.

  2. Biggest Mexican Bank? by xtracto · · Score: 5, Informative

    2Wire DSL routers to point the user's Web browser to a fraudulent bank site that mimics the site of one of the largest Mexican banks.

    There is not much space to guess here, it is either Banamex or Bancomer...

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
  3. Definition? by WarJolt · · Score: 5, Interesting

    What does "drive-by" have to do with this kind of hack? Oh sure we've all logged into neighbors wireless routers and snickered because they've left the default password. Somehow I think "drive-by" part was coined by a guy who thought of exploiting unsecured wireless routers and changing DNS settings. Am I the only one who doesn't think "drive-by" applies to this kind of attack?

  4. Idiots with default passwords get pwnd, news at 11 by Anonymous Coward · · Score: 5, Insightful

    nothing to see here... move along, folks

  5. Pharming??? by jez9999 · · Score: 5, Funny

    Will these terrible names, which apparently attempt to draw an analogy between a computer-related misdemeanor and some agricultural pastime, never end? I'm just waiting for some guy from F-Secure to call porn 'phucking'.

    --
    == Jez ==
    Do you miss Firefox? Try Pale Moon.
  6. Let me explain by Pasajero · · Score: 5, Informative

    I live in Mexico, and yes, the bank name is Banamex (owned by Citibank) and this is how the hack works:

    The most prominent ISP in Mexico (Telmex) uses 2wire gateway modems, most of them wireless enabled. Security is turned on by default using serial numbers so no one from outside can login "easily".

    However, there is no default security from the inside, so the gusanito.com postcard contains a malicious flash program that sends a special URL to the modem that adds a DNS entry to its local name resolution table pointing www.banamex.com to a pharming site.

    Next time you open IE or any other browser and open www.banamex.com you'll get redirected to the other site.

    This easily solved putting a user password on the modem configuration, but not all people care to do that.

  7. Re:Enough with the default passwords. by crymeph0 · · Score: 5, Informative

    It's easier to change what gets stamped into a cd than what gets set into the silicon

    Nope. I do embedded software, and write the test suite all those devices go through before being shipped to the customer. It's pretty standard to set custom stuff at that time, including the MAC ID for the unit. It would be just as easy to change the password at that time.

    Your comment about the CD key, however, is right on.

    --
    It should be illegal to say that freedom of speech should be limited.