First case of “drive-by pharming” identified

It was just a matter of time before we started to see this, and “drive-by pharming” is now just starting to be discovered in the wild. In this case a user received an email from a spoofed “e-greeting card” company containing an embedded HTML image tag. When the image tag loads, the request it generates modifies the DSL router configuration (specifically 2Wire routers) using the router’s default login credentials. The article doesn’t say, but it most likely changes the router’s default DNS settings to point at a “fake” DNS server. Once that happens, the attacker can redirect you to things like fake banking sites (ones that look just like yours).

Scary time to be a DSL/cable modem customer! With this and the recent security issues with UPnP, now more than ever is the time to change that default password and disable UPnP. Luckily, these are all simple security measures that easily fix the problem. However, who is going to teach customers who buy these routers how to properly secure them? The vendor? I doubt it. The ISP? Even more doubtful! It’s up to us as security professionals to spread the word about these dangers and to encourage good security practices with our non-technical, non-security-minded friends and family.
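Since the attack described above works by silently replacing the router’s DNS servers, the practical check a defender can run is “are the resolvers my host and my router use still the ones I expect?” The following is an added example, not code from the original post or from 2Wire: it parses a resolv.conf-style file and a router status dump and flags any resolver that is not on a trusted list. The trusted addresses, the LAN range and both sample inputs are constructed for illustration.

```python
"""Audit the DNS resolvers a host and a router are using against a trusted list.

Added example (not from the original post). Drive-by pharming swaps the
router's DNS servers for an attacker-controlled one; this check flags any
resolver that is not one you configured or received from your ISP.
All addresses and sample inputs below are constructed, not real captures.
"""
import ipaddress
import re

# Constructed trusted list: the LAN gateway (router acting as DNS forwarder)
# plus the ISP-assigned resolvers you know to be legitimate. Hypothetical values.
TRUSTED_RESOLVERS = {"192.168.1.1", "203.0.113.10", "203.0.113.11"}

# Constructed LAN range; used only to word the finding, not to decide trust.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed resolv.conf-style content as a host might see it after the
# attack: an unexpected resolver has appeared next to the gateway.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search home.example
nameserver 192.168.1.1
nameserver 198.51.100.7   # not one of ours
"""

# Constructed router status page text (hypothetical format, not 2Wire's).
SAMPLE_ROUTER_STATUS = """\
Gateway IP: 192.168.1.1
DNS Server 1: 198.51.100.7
DNS Server 2: 203.0.113.11
"""


def parse_resolvers(text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    resolvers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            resolvers.append(m.group(1))
    return resolvers


def parse_router_dns(text):
    """Return the DNS servers listed in the constructed router status format."""
    return [m.group(1) for m in re.finditer(r"^DNS Server \d+:\s*(\S+)", text, re.M)]


def audit_resolvers(resolvers, trusted):
    """Return (address, reason) for every resolver that is not on the trusted list."""
    findings = []
    for addr in resolvers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, "not a valid IP address"))
            continue
        if str(ip) in trusted:
            continue
        if ip in LAN:
            findings.append((addr, "untrusted resolver on the LAN"))
        else:
            findings.append((addr, "untrusted resolver outside the LAN (possible DNS hijack)"))
    return findings


if __name__ == "__main__":
    for label, found in (("host", parse_resolvers(SAMPLE_RESOLV_CONF)),
                         ("router", parse_router_dns(SAMPLE_ROUTER_STATUS))):
        for addr, reason in audit_resolvers(found, TRUSTED_RESOLVERS):
            print(f"ALERT [{label}] {addr}: {reason}")
```

Run the check against the real `/etc/resolv.conf` (or the DNS entries on the router’s status page) after setting `TRUSTED_RESOLVERS` to the addresses your ISP actually hands out; any finding for an address outside the LAN is the signature of the DNS swap the post describes and is the cue to verify the router’s admin password has been changed from the default.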

2 thoughts on “First case of “drive-by pharming” identified”

  1. True. Guess I should have clarified that UPnP should be disabled if your router supports it. 2wire would be vulnerable to the drive-by pharming attack if the router still had the default password.
