A relatively NEW concept is Pharming...which for the thief ends up being slightly easier...because they don't have to trick you into clicking a link...Pharming works by modifying your computer's DNS settings or by modifying your HOSTS file to automatically redirect your Internet requests to the fake page that they've created...so that when you type in www.mybank.com you go to their version instead of the real one...which makes it a lot more likely for you to enter your sensitive information.
Most AV programs will protect your HOSTS file and your DNS settings so Pharming hasn't really taken off. But a new discovery by symantec and the university of Indiana proves that this may no longer be the case. All you have to do is hijack the router's DNS settings and you're in business. Read on:
[quote name='http://www.appscout.com/2007/02/change_your_router_password_no_1.php#more']
I get tons of press releases about this-or-that brand new security threat. Most of them aren't nearly as scary as they're hyped to be, and the solution is almost invariably "buy our product!" But today I heard about a new threat discovered by Symantec and Indiana University that could be a real doozy. It's especially pernicious in that normal security software doesn't detect it. But you don't have to buy anything to protect yourself. That's doubly unusual.
The attack is based on pharming, which, like phishing, is a way bad guys trick you into visiting fake web sites. Where phishing fools you-the-user, pharming fools your computer. It does this by compromising your system's access to the DNS (Domain Name Server) system. When you type www.mybank.com, DNS translates that into the correct IP address. But if you've been pharmed, it'll translate to the fake site's IP address, and you won't know the difference. One simple pharming attack involves tweaking the computer's HOSTS file, which overrides server-based DNS. That's not such a biggie, because your security software protects the HOSTS file. A bad guy with physical access to your home network might change the DNS settings in the router, directing DNS requests to a black-hat server. But get real - do you let bad guys come in and use your network?
So what's the new problem? Professor Markus Jacobsson of Indiana University has done a lot of research on router vulnerabilities. Jeremiah Grossman of WhiteHat Security gave a talk at the Black Hat conference last year on Javascript malware. Zulfikar Ramzan of Symantec Security Response put the two pieces together... and realized that it's possible for Javascript on a web site to modify your router's DNS settings.
THIS IS ALARMING! Symantec is calling this type of attack "drive-by pharming". Just by visiting a site you could be letting hackers take control of just what site you reach when you type www.mybank.com. You wouldn't necessarily notice anything wrong, and there's nothing left behind for a security program to find.
Just when I was starting to hyperventilate, Ramzan cranked down the scare factor a bit. There is no evidence that this technique is currently in use. On the other hand, proof-of-concept scripts show it's 100% possible. I asked whether Symantec would be updating its security products to block this attack. Surprisingly, Ramzan said that may not be necessary. ...
[/quote]
Moral of the story? CHANGE YOUR ROUTER'S ADMIN PASSWORD...
supplemental info: http://www.symantec....clicking_1.html
Sign In
Create Account
