TechRepublic : A ZDNet Tech Community


The first real-world occurrence of drive-by pharming has finally been observed and substantiated. In reality it was only a matter of time, as this type of attack was made public in 2006 in a white paper written by three security researchers associated with the Indiana University School of Informatics. The potential for individual identity theft through any other pharming or phishing attack venue pales in comparison to drive-by pharming. The simplicity with which the attack can be carried out is quite alarming.

How the attack works

All computers have an Internet Protocol (IP) address and a Fully Qualified Domain Name (FQDN) that are used to uniquely identify them. Domain Name System (DNS) servers translate the user-friendly FQDN into the IP address the computer actually needs. Which DNS servers a computer uses for Internet lookups is published by the network’s DHCP server—usually integral to the perimeter router—to every computer on that network.

Once a computer has been poisoned with erroneous FQDN/IP address associations supplied by a hostile DNS server, it is easy to see how a person could unknowingly be viewing a hostile website built to mimic the real one. From that point the attack proceeds like most other identity-theft attacks: the hostile website asks the user to supply personal information.

The new twist

Typical phishing or pharming attacks try to get unsuspecting users to visit a hostile website by clicking links in email or links on legitimate websites that have been subverted. Drive-by pharming can also arrive through email or websites, but with a different result. An embedded HTML image tag in an email or web page normally displays an image; an image tag used in a drive-by pharming attack instead alters the perimeter router’s configuration. Specifically, it replaces the IP addresses of the correct DNS servers with the IP addresses of hostile DNS servers, which then return incorrect information.

Drive-by pharming is especially deceptive because the user’s decision-making is removed from the process entirely. That makes it virtually silent: the only sign that something is wrong is if the user recognizes the hostile website as an inaccurate copy of the real one.
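Because the attack leaves no visible trace on the client, the one artifact a defender can check is the DNS-server list the router's DHCP server now hands out. The following Python check, added here as an example and not part of the original article, compares the resolvers a client actually received (from its DHCP lease or resolv.conf) against a trusted baseline; the baseline addresses, LAN range and lease text are assumptions constructed for the example.

```python
"""Flag the DNS-server change drive-by pharming leaves behind: compare the
resolvers a client was actually given (DHCP lease or resolv.conf) with a
trusted baseline.  All addresses and sample data here are constructed."""
import ipaddress
import re

# Assumed baseline: the router as forwarder plus the ISP's two resolvers.
TRUSTED_RESOLVERS = {"192.168.1.1", "203.0.113.53", "203.0.113.54"}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet

def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)

def parse_dhcp_lease(text):
    """Return the DNS servers named in an ISC dhclient lease's
    'option domain-name-servers' line(s) (comma-separated)."""
    servers = []
    for m in re.finditer(r"option domain-name-servers\s+([^;]+);", text):
        servers.extend(s.strip() for s in m.group(1).split(","))
    return servers

def audit_resolvers(servers, trusted=TRUSTED_RESOLVERS, lan=LAN):
    """Return (server, reason) pairs for resolvers outside the baseline;
    an unknown resolver outside the LAN is the pharming signature."""
    findings = []
    for s in servers:
        if s in trusted:
            continue
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            findings.append((s, "not a valid IP address"))
            continue
        if addr in lan:
            findings.append((s, "unknown on-LAN resolver, not in baseline"))
        else:
            findings.append((s, "off-LAN resolver not in baseline: possible pharming"))
    return findings

# Constructed lease and resolv.conf as they might look after the router's
# DNS setting was rewritten: a foreign resolver now comes first.
SAMPLE_LEASE = """lease {
  interface "eth0";
  fixed-address 192.168.1.20;
  option routers 192.168.1.1;
  option domain-name-servers 198.51.100.7, 192.168.1.1;
}
"""
SAMPLE_RESOLV = "search home.lan\nnameserver 198.51.100.7\nnameserver 192.168.1.1\n"
```

Run `audit_resolvers(parse_dhcp_lease(SAMPLE_LEASE))` against a real lease file on each client, or schedule it, to catch a rewritten router before users reach a mimic site.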

Best defense

Unlike most identity-theft attack venues, the defense against drive-by pharming is quite simple. All that is necessary is to change the default password on the router or Internet perimeter device that is also acting as the DHCP server. Symantec has a Flash-based animation that does a nice job of explaining the attack and how to avoid it. Hopefully this will be one more reason for everyone to change default device configurations.

Presently, my professional responsibilities are as a Network Field Engineer for Orange Business Services, a world-wide IT service organization. The certifications I have at this time are Network+, Internet+, CWNA, CWSP, ISO 9001:2000 Auditor and finally my amateur radio license K0PBX. Being asked to become a writer for TechRepublic and a guest speaker at local universities are two very special highlights of my professional life.

