I had the "privilege" of seeing a scary exploit the other night …..
In essence it was a variation on the idea of "pharming" where a hacker attempts to redirect traffic legitimate website traffic to a different, fraudulent, website – the most common use of this exploit is to re-direct traffic destined for on-line financial site in order to harvest user names, passwords and other security credentials. There are a number of ways this type of attack can be executed.
The first, and simplest method is to compromise the hosts file on the user's PC. The hosts file is a reminder of ARPANET, the predecessor of the Internet, which did not have a domain name system for resolving network names. Instead each node held its own records of other nodes that it needed to know about and this is what is contained in the hosts file. An entry contained in the hosts file will override the need to look up an address using the domain name system.
In order to execute an attack the hacker needs to modify the host file; something which can be achieved by enticing the user to download a small piece of malware to their computer – this malware would then modify the hosts file with the name of the site that they wished to direct and the bogus IP address that they wished to redirect it to .
The second way of executing a pharming attack is to use a technique call DNS cache poisoning – this is where the hacker compromises a DNS server by exploiting a flaw in the DNS server software and cause the DNS server to accept bogus information. By doing this the DNS server will then provide an incorrect IP address for a given name and direct users to the attacker's web site.
The third way uses malicious code to reconfigure the DNS settings of a user's home router, this is also called a "Drive by" pharming attack. If you look at the configuration of your home router somewhere in its configuration you will usually find references to primary and secondary DNS servers – these parameters are usually set to whatever your ISP provides but, even when your ISP has provided the configuration, it is possible to change these settings.
In this attack, the hacker changes these DNS settings so that any attempt to resolve names is not sent to the ISP's DNS server but to a DNS server controlled by the hacker. Thus, the hacker is able to provide whatever address he chooses and redirect the traffic to another server under his control. Thus an attempt to access the Natwest web site (www.natwest.com) could result in the user being redirected to a bogus server offering web pages that look particularly like the genuine site – allowing the hacker to collect online banking credentials.
So, what can you do to protect yourself – here are some simple tips.
Does the web site display in your browser look genuine? If it is something sensitive like an online banking site, it is using HTTPS (the padlock symbol is most browsers).
If the site is using HTTPS did you get a certificate warning? If you get a certificate warning you should never, ever proceed.
Does the site seem to be asking for too much information? Most online financial institutions have a user name, password and several pieces of memorable information. If the site that you have connected to wants you to provide all of this information in one hit then it is not the genuine article. Likewise, if the site you have connected to is asking you to type your complete password when you would normal select specified characters from a drop down list or click keys on an on screen keyboard, it is not the genuine article either.
Change the default administrative user name and / or password on your home router.
Good luck – and stay secure.