Drive-by pharming poses security risk

Symantec has warned of a JavaScript-based attack threatening people who don't change their router passwords
Written by Graeme Wearden, Contributor on

A new threat called drive-by pharming, in which a cyberattacker takes control of a user's home router, has been identified.

Security firm Symantec warned earlier this week that drive-by pharming could allow a malicious attacker to steal a user's bank details. Anyone who hadn't changed the default password on their router would be at risk, Symantec claimed, and could fall victim without having to choose to download and run anything. The JavaScript-based exploit is also independent of operating system.

Zulfikar Ramzan, senior principal security researcher at Symantec, outlined drive-by pharming in a post on the company's website.

He explained that Symantec had discovered the threat in partnership with the Indiana University School of Informatics, which has calculated that up to 50 percent of home users could be at risk.

To execute a drive-by pharming attack, a malicious hacker would have to create a web page that contained specially crafted JavaScript code. If a user who visited the page had enabled automatic running of JavaScript, then this code would attempt to change the settings in their router. If the router had no password or was still using the default password it shipped with, then the JavaScript will send the router a string to change the domain name system (DNS) settings on the router.

The DNS system uses resolvers — servers on the internet — to translate domain names to IP addresses, allowing a user to type in the name of the website they want rather than remembering its precise IP address.

By hacking the router's DNS settings, the JavaScript would redirect it to a DNS server that was run by the attackers themselves. This would allow them to serve fake versions of banking sites, which would appear to be totally genuine and would have a completely genuine URL. If a user typed in www.my-bank.co.uk, for example, they would get a false version — allowing the attacker to steal their log-in details.

Ramzan warned that users could easily fall victim to this attack.

"All you have to do to become a victim is simply visit the web page that hosts this malicious code. You don't have to click OK on any dialogue boxes or accidentally download and install malicious software. Simply viewing the page in question is enough to cause the necessary damage," Ramzan wrote. The company advised that the simplest way to defeat the problem was to change the router password.

Editorial standards