
Teach a man to Phish and he'll eat for a day,

By now we all know what phishing is. Phishing is when someone convinces you to go to a site that looks EXACTLY like a legitimate site (such as your bank)...but isn't...then POOF they've got all your info and you've got none of your money.

A relatively NEW concept is Pharming...which for the thief ends up being slightly easier...because they don't have to trick you into clicking a link...Pharming works by modifying your computer's DNS settings or by modifying your HOSTS file to automatically redirect your Internet requests to the fake page that they've created...so that when you type in www.mybank.com you go to their version instead of the real one...which makes it a lot more likely for you to enter your sensitive information.

Most AV programs will protect your HOSTS file and your DNS settings so Pharming hasn't really taken off. But a new discovery by Symantec and the University of Indiana proves that this may no longer be the case. All you have to do is hijack the router's DNS settings and you're in business. Read on:

[quote name='http://www.appscout.com/2007/02/change_your_router_password_no_1.php#more']
I get tons of press releases about this-or-that brand new security threat. Most of them aren't nearly as scary as they're hyped to be, and the solution is almost invariably "buy our product!" But today I heard about a new threat discovered by Symantec and Indiana University that could be a real doozy. It's especially pernicious in that normal security software doesn't detect it. But you don't have to buy anything to protect yourself. That's doubly unusual.

The attack is based on pharming, which, like phishing, is a way bad guys trick you into visiting fake web sites. Where phishing fools you-the-user, pharming fools your computer. It does this by compromising your system's access to the DNS (Domain Name Server) system. When you type www.mybank.com, DNS translates that into the correct IP address. But if you've been pharmed, it'll translate to the fake site's IP address, and you won't know the difference. One simple pharming attack involves tweaking the computer's HOSTS file, which overrides server-based DNS. That's not such a biggie, because your security software protects the HOSTS file. A bad guy with physical access to your home network might change the DNS settings in the router, directing DNS requests to a black-hat server. But get real - do you let bad guys come in and use your network?

So what's the new problem? Professor Markus Jakobsson of Indiana University has done a lot of research on router vulnerabilities. Jeremiah Grossman of WhiteHat Security gave a talk at the Black Hat conference last year on JavaScript malware. Zulfikar Ramzan of Symantec Security Response put the two pieces together... and realized that it's possible for JavaScript on a web site to modify your router's DNS settings.
THIS IS ALARMING! Symantec is calling this type of attack "drive-by pharming". Just by visiting a site you could be letting hackers take control of just what site you reach when you type www.mybank.com. You wouldn't necessarily notice anything wrong, and there's nothing left behind for a security program to find.

Just when I was starting to hyperventilate, Ramzan cranked down the scare factor a bit. There is no evidence that this technique is currently in use. On the other hand, proof-of-concept scripts show it's 100% possible. I asked whether Symantec would be updating its security products to block this attack. Surprisingly, Ramzan said that may not be necessary. ...
[/quote]


supplemental info: http://www.symantec....clicking_1.html
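A defensive check for the two tampering points the post describes (the HOSTS file and the DNS servers a machine is told to use), added here as an example and not part of the original post or the quoted article. The watched-domain list, the trusted resolver address and all sample data are constructed assumptions.

```python
import ipaddress

# Constructed sample data (not from the original post). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; www.mybank.com is the post's example name.
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net            # blocklist entry, not a watched name
203.0.113.66    www.mybank.com mybank.com  # watched name pinned to an address
"""
WATCHED = {"mybank.com"}             # hypothetical list of sensitive domains
TRUSTED_RESOLVERS = {"192.168.1.1"}  # assumption: the router's own LAN address


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text, skipping comments and junk."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not a valid IP address
        for name in fields[1:]:
            yield str(ip), name.lower().rstrip(".")


def audit_hosts(text, watched):
    """Return (hostname, ip) for every entry that overrides DNS for a watched domain."""
    findings = []
    for ip, name in parse_hosts(text):
        # Match the domain itself or a subdomain, but not look-alike suffixes.
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append((name, ip))
    return findings


def audit_resolvers(configured, trusted):
    """Return configured DNS servers that are not on the trusted list."""
    return [r for r in configured if r not in trusted]


if __name__ == "__main__":
    for name, ip in audit_hosts(SAMPLE_HOSTS, WATCHED):
        print(f"HOSTS override: {name} -> {ip}")
    # Constructed resolver list, as a client might receive it from the router.
    for r in audit_resolvers(["192.168.1.1", "198.51.100.53"], TRUSTED_RESOLVERS):
        print(f"Unexpected DNS server: {r}")
```

If the router forwards DNS queries itself, clients still see only the router's address, so the DNS servers configured on the router's admin page have to be compared against the expected ones as well.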