The first real-world occurrence of drive-by pharming has finally been observed and substantiated. In reality it was only a matter of time as this type of attack was made public in 2006 as a white paper written by three security researchers associated with the Indiana University School of Informatics. The potential for individual identity theft by any other pharming and phishing attack venue pale in comparison to drive-by pharming. The simplicity by which the attack can be carried out is quite alarming.
How the attack works
All computers have an Internet Protocol (IP) address and a Fully Qualified Domain Name (FQDN) that are used to uniquely identify them. Domain Name System (DNS) servers are then used to associate the user-friendly FQDN with the computer-required IP address. The specific DNS servers used for Internet associations are published by the network’s DHCP server—usually integral to the perimeter router—and broadcast for use by the computers on that specific network.
By using computers poisoned with erroneous FQDN/IP address associations provided by hostile DNS servers, it then becomes easy to see how a person could unknowingly be viewing a hostile website that has been developed to mimic the real one. Once at the hostile website, the attack venue becomes similar to most other identity-theft attacks, asking the user to supply personal information.
The new twist
Typical phishing or pharming attacks try to get unsuspecting users to go to hostile website by clicking on links in email or through links in official websites that have been subverted. The attack venues used with drive-by pharming can also be email or websites but with different results. Activating embedded HTML image tags in email or websites normally displays an image, but activating HTML image tags used in drive-by pharming attacks alters the perimeter router’s configuration instead. Specifically, the process changes the IP addresses of the correct DNS servers to IP addresses of hostile DNS servers which then provide incorrect information.
Drive-by pharming is especially deceptive because the decision-making process is removed. Thus making it virtually silent, as the only sign of something wrong is if the hostile website is recognized as an inaccurate representation of the actual website.
Unlike most identity-theft attack venues, the defense against drive-by pharming is quite simple. All that is necessary is to change the default password on the router or internet perimeter device that is also acting as the DHCP server. Symantec has a Flash-based animation that does a nice job explaining the attack and how to avoid it. Hopefully this will be one more reason for everyone to change default device configurations.