CUPERTINO, Calif. – Feb. 15, 2007 – Symantec Corp. (Nasdaq: SYMC) today announced that Symantec Security Response in conjunction with the Indiana University School of Informatics has uncovered a significant new security threat. In this attack, dubbed “Drive-by Pharming”, consumers may fall victim to pharming by having their home broadband routers reconfigured by a malicious web site. According to a separate informal study conducted by Indiana University, up to 50 percent of home broadband users are susceptible to this attack.
With traditional pharming, an attacker aims to redirect a user attempting to visit one web site, to another, bogus web site. Pharming can be conducted either by changing the host file on a victim’s computer or through the manipulation of the Domain Name System (DNS). Drive-by pharming is a new type of threat in which a user visits a malicious web site and an attacker is then able to change the DNS settings on a user’s broadband router or wireless access point. DNS servers are computers responsible for resolving Internet names into their real “Internet Protocol” or IP addresses, functioning as the "signposts" of the Internet. In order for two computers to connect to each other on the Internet, they need to know each other's IP addresses. Drive-by pharming is made possible when a broadband router is not password protected or an attacker is able to guess the password – for example, most routers come with a well-known default password that a user never changes.
“This new research exposes a problem affecting millions of broadband users worldwide. Because of the ease by which drive-by pharming attacks can be launched, it is vital that consumers adequately protect their broadband routers and wireless access points today,” said Oliver Friedrichs, director, Symantec Security Response.
Professor Markus Jakobsson of the Indiana University School of Infomatics emphasizes that this attack shows how important the human factor is in security “While drive-by pharming arises due to inadequate protective measures, there is also another human component: If an attacker can trick you into visiting his page, he can probe your machine. Deceit is not new to humankind, but it is fairly recently that security researchers started taking it seriously."
These fraudulent sites are an almost exact replica of the actual site so the user will likely not recognize the difference. Once the user is directed to the pharmer’s “bank” site, and enters their user name and password, the attacker can steal this information. The attacker will then be able to access the victim’s account on the “real” bank site and transfer funds, create new accounts, and write checks.
Symantec Security Response recommends that users employ a multi-layered protection strategy:
- Make sure their routers are uniquely password protected. Most routers come with a default administrator password which is easy for pharmers to guess.
- Use an Internet security solution that combines antivirus, firewall, intrusion detection, and vulnerability protection
- Avoid clicking on links that seem suspicious – for example, those sent to you in an email from someone you don’t recognize.
Existing security solutions on the market today cannot protect against this type of attack since drive-by-pharming targets the user’s router directly, and the existing solutions only protect the user’s computer system. Symantec’s Consumer Business Unit has been actively working on technologies to help address this problem using client-side technology. Symantec’s goal is to develop the means to automatically impede the attack by using a number of embedded techniques running on the client, embedded in the network stack, and in the browser.
The technical details of the attack are described in Indiana University Technical TR641 entitled “Drive-by Pharming” authored by Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson which is available from http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf.
The Symantec Security Response Blog also features a more detailed and technical summary of this attack and how to protect against it, along with a flash animation describing the attack step-by-step at http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html.
Symantec’s security experts will closely monitor further information related to this threat and provide updates as necessary.
Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.
NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at http://www.symantec.com/news. All prices noted are in U.S. dollars and are valid only in the United States.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.