In twist on the “If you build it, they will come” cliché, Symantec senior security research Zulfikar Ramzan says his company detected a new type of attack against bank customers, one that just a year ago Ramzan and researchers at the University of Indiana had theorized could be created. “We saw the building blocks out there a year ago, and said ‘This could happen,’” Ramzan says. “And just a week ago we saw the first incident of ‘drive-by pharming’ occur,” against a Mexican bank.
Here’s how it works: the programmer creates a piece of html code that appears in an email or on a Web page and looks to be calling an image. What’s really going on as the consumer views the image is the code is making a request to the victim’s broadband router using the default login information for the most popular brand of routers.
If the exploit guesses right and gains access to the router’s domain name server, it modifies the IP address the browser is directed to when certain popular bank Website URLs are typed in. “What’s really happening here is the attacker has taken over your Internet connection and can eavesdrop on whatever you type into the network,” Ramzan says.
Ramzan nicknamed the exploit drive-by pharming because users can pick up the malicious code while innocently surfing the Web or opening an email (drive by) and because it attacks the integrity of the DNS (pharming).
Drive-by pharming is more nefarious than other man-in-the-middle or keylogging Trojans because anti-virus and anti-malware scans cannot detect it, Ramzan says. It’s more lethal than typical phishing attacks because if the user happens to look at the URL it appears to be the appropriate address.
“If done correctly this attack would circumvent all of the major authentication technologies I know of,” Ramzan says.
The defenses aren’t quick fixes. Users need to reset their routers and change the password from the default setting. Bank security technology would need to tweak back-end monitoring to detect and block Web sessions bearing these hallmarks, Ramzan says.