Drive-By Pharming: How Clicking on a Link Can Cost You Dearly

I wanted to talk about a recent attack, called Drive-By Pharming, which I co-developed with Sid Stamm and Markus Jakobsson of the Indiana University School of Informatics. It allows attackers to create a Web page that, simply when viewed, makes substantive configuration changes to your home broadband router or wireless access point. As a result, attackers gain complete control over the conduit by which you surf the Web, allowing them to direct you to sites they designed, no matter what Web address you type into your browser.

I believe this attack has serious widespread implications and affects many millions of users worldwide. Fortunately, this attack is easy to defend against as well. In this blog entry, I’ll describe the attack, mention some prior related work, and then go over best practices.

How the attack works:

I’ll start with a high-level real-world analogy of this attack. Imagine that whenever you wanted to go to your bank, you picked up your phone directory, looked up the bank’s address, and then went there. Our attack shows a simple way that attackers can replace the phone books in your house with one that they created. Now, when you pick up that rogue phone book to get your bank’s address, it’ll actually give you the wrong address. At this wrong address, the attackers will have set up a fake bank that looks just like your bank. When you do business with this fake bank, you’ll give up all your sensitive bank account information. However, you’ll never realize that you were at a fake bank since you trusted the address that you got from what you thought was your legitimate telephone book.

Now, let’s go into a slightly more technical description. The attackers create a Web page that includes malicious JavaScript code. When the page is viewed, this code, running in the context of your Web browser, uses a technique known as ‘Cross-Site Request Forgery’ to log into your local home broadband router. Most such routers require a password to log in; however, most people never change this password from the original factory default. Upon successful login, the JavaScript code changes the router’s settings. One simple, but devastating, change is to the router’s DNS server settings.

For those of you who are not familiar, the Domain Name System (DNS) is the Internet’s equivalent of directory assistance (or a giant phone book). Every computer that’s directly accessible on the Internet has a unique Internet Protocol (IP) address, for example 129.79.78.8. To reach your bank’s Web site, your computer needs to know its IP address. Of course, it’s hard for us to remember these numerical addresses, so instead we remember a simpler name such as www.my-bank.com. The Domain Name System holds an entry (called a record) that associates www.my-bank.com with the IP address 69.8.217.90. To look up this entry, your computer asks a DNS server. There are many such servers on the Internet, and normally your Internet Service Provider (or corporate IT staff, for enterprises) tells you which one to use.

In our attack, the attackers can actually modify the settings on your home wireless router to dictate which DNS server you use. Even worse, they can get you to use a server that they created themselves. This server could have bogus records that tell your computer to go to the wrong IP address when you type in www.my-bank.com. The attackers can set up a fake Web site that looks just like your bank. Then, they can associate this fake Web site’s IP address with the address www.my-bank.com. Now whenever you think you’re going to your bank’s Web site, you’ll actually wind up at the attackers' site. You may never know the difference. In the meantime, the attackers have stolen your bank account information.
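One defensive check that follows from this description, added here as an example and not part of the original article: audit which DNS servers a machine has been handed and compare its answers for sensitive names against a trusted reference. The resolv.conf sample, the resolver addresses and the answer tables are constructed; EXPECTED_RESOLVERS stands in for whatever your ISP or IT staff publishes.

```python
import ipaddress
import re

# Constructed sample of a resolver configuration handed out by a home router's
# DHCP server; the second entry is a TEST-NET address standing in for a rogue DNS server.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from the home router
nameserver 192.168.1.1
nameserver 203.0.113.53
search home.lan
"""

# Assumption: these are the resolvers the ISP (or corporate IT) says to use.
EXPECTED_RESOLVERS = {"198.51.100.10", "198.51.100.11"}

# RFC 1918 ranges: a nameserver here is normally the home router forwarding DNS.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def audit_resolvers(resolv_conf: str, expected: set[str]) -> list[str]:
    """Flag resolvers that are neither the expected ISP servers nor a LAN address."""
    findings = []
    for server in parse_nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"unparseable nameserver {server!r}")
            continue
        if server in expected or any(addr in net for net in LAN_NETWORKS):
            continue
        findings.append(f"unexpected resolver {server}")
    return findings


def compare_answers(observed: dict[str, str], reference: dict[str, str]) -> list[str]:
    """Names whose A record from the configured resolver differs from a trusted
    reference answer; a persistent mismatch for a bank site is the pharming symptom."""
    return sorted(name for name, ip in observed.items()
                  if name in reference and reference[name] != ip)
```

Because the router usually forwards DNS for the whole LAN, the resolver list can look clean even when the router's upstream server has been changed; the answer comparison is what catches that case.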