Pharming by DNS

An area specifically for port forwarding, firewalls and other (on-line) security related issues.
Neo
RouterTech Team
Posts: 3586
Joined: Thu Jan 26, 2006 1:09 pm

Post by Neo » Tue Feb 12, 2008 3:26 pm

This issue has been popping up in the press recently, so I feel it should at least be mentioned here.

An increasingly common tactic used by criminals is to replace the DNS settings on routers with their own infected server addresses. This in turn allows them to redirect unwitting users to fake websites - making it possible to steal online banking details and other personal information.

Previously, the worst 'attack' by a hacker might have been (for example) a reset of your router - frustrating but not very serious.

The recent attack on Mexican 2Wire router users was carried out via spam emails and exploited a URI injection vulnerability to gain access to the routers.

To minimise the chance of being attacked in this way:
  • Set a decent admin password for your router - at least 8 characters and ideally using random characters rather than real words.
  • Disable as much WAN-side access as you can (using the 'Access Control' in Class II routers). Only enable WAN-side services if you have to.
  • Consider setting up DNS details on the PCs connected to your router so that the PCs do not rely on the router for DNS resolution.
  • Verify security certificates for any important websites you visit.
  • Avoid opening spam and visiting dodgy websites.
More:
http://www.theregister.co.uk/2008/01/23 ... n_the_wild
http://blogs.computerworld.com/beware_y ... y_pharmers
Last edited by Neo on Fri Feb 22, 2008 6:11 pm, edited 1 time in total.
RouterTech Team and Founding Member
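As an added illustration of the third point above (knowing which resolvers your PC is actually using), not code from Neo's post or from RouterTech: a small Python script that pulls the DNS servers out of a constructed DHCP lease (or a resolv.conf) and flags any resolver that is neither the router itself nor on a trusted list. The lease text, the trusted-resolver list and the router's LAN address are assumptions for the example; the public addresses are documentation ranges, not real resolvers.

```python
import ipaddress
import re

# Constructed sample: the DNS settings a router hands out to LAN clients, in
# dhcpd lease style. The second resolver is the kind of entry a pharming
# attack leaves behind. Addresses are example ranges, not real servers.
SAMPLE_LEASE = """\
option domain-name-servers 192.0.2.53, 203.0.113.7;
option routers 192.168.1.1;
"""

# Assumed: the resolvers your ISP actually publishes (not real ISP data).
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Assumed: the router's own LAN address, acceptable as a resolver because
# it simply forwards to the ISP (which is exactly what the attack abuses).
LAN_ROUTER = "192.168.1.1"


def parse_dns_servers(text):
    """Extract resolver addresses from dhcpd-style lease text or a resolv.conf."""
    m = re.search(r"domain-name-servers\s+([^;]+);", text)
    if m:
        return [s.strip() for s in m.group(1).split(",")]
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)


def audit_resolvers(servers, trusted, lan_router):
    """Return (server, verdict) pairs.

    Anything that is neither the router nor a trusted resolver is flagged:
    from the client side that is what a hijacked router looks like.
    """
    findings = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            findings.append((s, "unparseable"))
            continue
        if str(ip) == lan_router or str(ip) in trusted:
            findings.append((s, "ok"))
        elif ip.is_private:
            findings.append((s, "suspicious: private address that is not the router"))
        else:
            findings.append((s, "suspicious: not on the trusted resolver list"))
    return findings


def is_hijacked(findings):
    """True if any configured resolver failed the audit."""
    return any(verdict != "ok" for _, verdict in findings)


if __name__ == "__main__":
    for server, verdict in audit_resolvers(parse_dns_servers(SAMPLE_LEASE),
                                           TRUSTED_RESOLVERS, LAN_ROUTER):
        print(f"{server:15} {verdict}")
```

Run it against the lease your PC actually received (on Linux the current resolvers are in /etc/resolv.conf, on Windows in the output of ipconfig /all) and keep the trusted list up to date from your ISP's own documentation, not from the router's status page, since that page is what the attacker has just rewritten.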
Alex Atkin
Novice
Posts: 37
Joined: Fri Feb 09, 2007 6:39 am

Post by Alex Atkin » Tue Feb 12, 2008 7:17 pm

Very interesting indeed.

Considering the poor security of many routers which leave WAN access wide open, I am actually kind of surprised this didn't become a major issue a long, long time ago.

Personally, I DO use my 2Wire BT2700HGV for DNS resolution, as I use it to DNS spoof sites on my LAN, such as when testing out sites locally by temporarily spoofing the REAL domain name. I used to do this using a Linux box, but it meant the Internet was down for the whole LAN when I had to take down the Linux box; using the router avoided this problem.
It does give me something to think about though. Obviously I was always aware of the potential for other people to do the same thing but, like you said, it's a matter of IF they are actively doing it, and it's of concern if they now are.

One thing's for sure, it will be essential to use fixed DNS on your laptop when using public WiFi points now. Obviously it was always a good idea to do that, as the host could have spoofed DNS themselves, but it's even more so now that people have realised how easy it is to do.
cb
Novice
Posts: 30
Joined: Sat Apr 12, 2008 9:40 pm
Location: Newcastle-under-Lyme

Post by cb » Sun Apr 13, 2008 3:24 pm

Although it's mentioned in the articles referenced, I think it's worth reminding people (particularly if they feel their WAN interface is secure) that as far as your router is concerned, these DNS reconfiguration "attacks" are coming from the LAN, not the WAN.

http://www.symantec.com/enterprise/secu ... ing_1.html

Your PC on the LAN may come across a bad guy's website (or perhaps view an HTML email), and that will cause your browser to reconfigure your router, from the "inside" as it were.

Long random passwords are always recommended, but remember: if you've already logged into your router, then open another tab/browser to surf and happen to reach a malicious website, the attacker doesn't need to log in to your router as it's already authenticated.

Furthermore, the telnet/ssh interface of the router only checks up to the first 8 characters in a password, so it's possible that, if malicious software gets onto your PC, the router could be attacked by using telnet/ssh. With security, it never hurts to be paranoid; a password of "secret123guDF5-w!" is only as safe as "secret12" when using telnet/ssh in this case. On the other hand, these attacks will probably only go after common, factory-set passwords, rather than try to actively crack them.

PS - Thanks to everyone at RouterTech for the brilliant software. I've just bought an SAR-600EW and flashed it to version 2.5, no doubt I'm going to waste many more hours in front of a PC playin^H^H^H studying it!
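To make cb's point concrete, here is an added example, written for this thread and not taken from cb's post or from any real router's firmware: a Python model of a router admin page whose `set_dns` handler trusts the session cookie alone, next to one that additionally requires POST, an Origin/Referer from the router's own address, and a per-session anti-CSRF token that a third-party page cannot read. The router address, resolver addresses, class and handler names are assumptions for the example. The scenario runs the same three requests against both: the admin's own change from the router's page, an `<img src=...>` fetch from a malicious page, and an auto-submitted form from that page. The browser attaches the router's cookie to all three.

```python
import secrets
from urllib.parse import urlsplit

ROUTER_HOST = "192.168.1.1"                # assumed LAN address of the router
ISP_DNS = ["192.0.2.53", "192.0.2.54"]     # assumed legitimate resolvers
ATTACKER_DNS = ["203.0.113.66"]            # constructed rogue resolver (example range)


class Request:
    """Minimal stand-in for an HTTP request as the router's web server sees it."""
    def __init__(self, method, headers, cookies, form):
        self.method, self.headers, self.cookies, self.form = method, headers, cookies, form


class VulnerableRouter:
    """Accepts any request that carries a valid session cookie. A strong admin
    password does not help here: the cookie was issued after a correct login."""
    def __init__(self):
        self.dns = list(ISP_DNS)
        self.sessions = set()

    def login(self):
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        return sid

    def set_dns(self, req):
        if req.cookies.get("sid") not in self.sessions:
            return 403
        self.dns = req.form["dns"].split(",")
        return 200


class HardenedRouter(VulnerableRouter):
    """Same interface plus the checks that stop a request made from another site."""
    def __init__(self):
        super().__init__()
        self.csrf_tokens = {}

    def login(self):
        sid = super().login()
        # One token per session, embedded only in the router's own forms; a page on
        # another origin cannot read it, so it cannot include it in a forged request.
        self.csrf_tokens[sid] = secrets.token_hex(16)
        return sid

    def set_dns(self, req):
        sid = req.cookies.get("sid")
        if sid not in self.sessions:
            return 403
        if req.method != "POST":            # <img>-style GET requests never change state
            return 405
        # The browser sets Origin (or Referer, on older browsers) and a page cannot
        # forge it. Compare the parsed host, not a string prefix, and reject if absent.
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if urlsplit(origin).hostname != ROUTER_HOST:
            return 403
        if not secrets.compare_digest(req.form.get("csrf", ""), self.csrf_tokens[sid]):
            return 403
        self.dns = req.form["dns"].split(",")
        return 200


def run_scenario():
    """Replay the three requests against both routers; return status codes and final DNS."""
    results = {}
    for name, cls in (("vulnerable", VulnerableRouter), ("hardened", HardenedRouter)):
        r = cls()
        sid = r.login()                                  # admin logged in, in another tab
        token = getattr(r, "csrf_tokens", {}).get(sid, "")
        cookie = {"sid": sid}
        # 1) legitimate change submitted from the router's own page
        legit = r.set_dns(Request("POST", {"Origin": f"http://{ROUTER_HOST}"}, cookie,
                                  {"dns": ",".join(ISP_DNS), "csrf": token}))
        # 2) <img src="http://192.168.1.1/set_dns?dns=..."> on a malicious page: GET, no Origin
        img = r.set_dns(Request("GET", {}, cookie, {"dns": ",".join(ATTACKER_DNS)}))
        # 3) auto-submitted <form method=POST> on that page: the browser reports its Origin
        form = r.set_dns(Request("POST", {"Origin": "http://attacker.example"}, cookie,
                                 {"dns": ",".join(ATTACKER_DNS)}))
        results[name] = {"legit": legit, "img": img, "form": form, "dns": list(r.dns)}
    return results


if __name__ == "__main__":
    for name, res in run_scenario().items():
        print(name, res)
```

The vulnerable model ends up pointing at the rogue resolver after either cross-site request; the hardened one rejects the GET on method and the POST on origin, and would also reject a POST that somehow carried the right origin but lacked the token. Note that the origin check is deliberately strict about a missing header; a router that skipped it for "old browsers" would reopen the hole for any page that can suppress the Referer.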
mikechrich
Newbie
Posts: 1
Joined: Wed Mar 24, 2010 5:01 am

Re: Pharming by DNS

Post by mikechrich » Thu Mar 25, 2010 8:41 am

Thank you for providing this information. Are these pharming attacks similar to phishing? As I constantly use the internet on my laptop, what kind of software do I have to install so that I can keep myself safe from these bad guys?