Thursday, February 15, 2007

The ultimate phishing accessory!

I'd long postulated that phishers and virus makers will hack ISP routers or re-write the hosts.txt files of home computers to divert traffic to counterfeit sites.


Now, it seems there is another possible vector - and it is a duh moment for me that I missed it - home routers.

This article explains in some detail how it can be done; and of course, the ability to log into far too many home wireless routers using 'admin' / 'admin' as the username and password combination is astounding:

Hack lets intruders sneak into home routers
Ability to change the settings of poorly configured home routers could put home networks at risk of serious attack.
By Joris Evers
Staff Writer, CNET News.com
Published: February 15, 2007, 3:33 PM PST

If you haven't changed the default password on your home router, let this recent threat serve as a reminder.

Attackers could change the configuration of home routers using JavaScript code, security researchers at Indiana University and Symantec have discovered. The researchers first published their work in December, but Symantec publicized the findings on Thursday.

The researchers found that it is possible to change the DNS, or Domain Name System, settings of a router if the owner uses a connected PC to view a Web page with the JavaScript code. This DNS change lets the attacker divert all the Net traffic going through the router. For example, if the victim types in "www.mybank.com," the request could be sent to a similar-looking fake page created to steal sensitive data.

"I have been able to get this to work on Linksys, D-Link and Netgear routers," Symantec researcher Zulfikar Ramzan said. "You can create one Web site that is able to attack all routers. My feeling is that it is just a matter of time before phishers start using this."


Imagine the possibilities! Without the tell-tale phishing emails that might raise an alert, this hack lets phishers make the change once and then sit back waiting for victims to show up. Indeed, they could even send phish carrying the 'wrong' URL, the actual whitelisted, legitimate URL of the bank, which the hacked router then diverts to the phishing site. Nice work if you can get it.
