Drive-by Pharming can hijack home routers warns Symantec

The Symantec Security Response Blog has posted a warning to broadband users: change your router's default password or be the victim.

A new attack called Drive-by Pharming means that home broadband routers are reconfigured by malicious websites with special code. When someone visits to one of those sites the code will attempt to reconfigure some popular consumer broadband routers by using known default passwords.

The changes affect the DNS addresses, used by computers to resolve internet names to IP addresses. The attacker can hijack the DNS configuration on the router and redirect users to websites that look like valid locations, but are actually phishing traps, used to capture secret information such as login and passwords used to communicate with banks, credit cards or e-mail servers.

Pharming can be conducted either by changing the hosts file on a victim’s computer or through the manipulation of the Domain Name System (DNS). The hosts files is a local repository that overrides the information supplied by DNS servers.

The technical details of the attack are described in Indiana University Technical TR641 entitled “Drive-by Pharming” authored by Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson which is also available from Symantec.