Pharming attacks are generally network-based intrusions where the ultimate goal is to redirect a victim’s web traffic to a hacker-controlled webserver, generally through a malicious modification of DNS settings.
Some of these attacks, however, are starting to move to the web and have their beginnings with a spam or phishing email.
Researchers at Kaspersky Lab have been watching this trend for some time, reporting in September on a particular campaign in Brazil targeting home routers using a combination of drive-by downloads and social engineering to steal banking and other credentials to sensitive web-based services.
Messaging security company Proofpoint yesterday reported on the latest iteration of this attack, also based in Brazil. The campaign was carried out during a five-week period starting in December when Proofpoint spotted phishing messages, fewer than 100, sent to customers of one of the country’s largest telecommunications companies, Oi, also known recently as Telemar Norte Leste S/A.
Users were sent a phishing email warning them of a past-due account and providing them a link supposedly to a portal where they could resolve the issue. Instead, the websites host code that carries out a cross-site request forgery attack against vulnerabilities in home UTStarcom and TP-Link routers distributed by the telco.
The pages contain iframes with JavaScript exploiting the CSRF vulnerabilities if present on the routers. They also try to brute force the admin page for the router using known default username-password combinations. Once the attackers have access to the router, they’re able to change the primary DNS setting to the attacker-controlled site, and the secondary setting to Google’s public DNS.
“Setting a functioning DNS server as the secondary will allow DNS requests from clients in this network to resolve even if the malicious DNS becomes unavailable, reducing the chance that the user will notice an issue and contact their telecom’s Customer Support line for assistance, which could lead to the discovery and eventual removal of the compromise,” Proofpoint said in its advisory.
Via this method, the attacker bypasses the need to own public DNS servers in order to redirect traffic, and have an easier path to man-in-the-middle attacks, which they can use to sniff traffic, in this case for banking credentials, or email.
“It’s elegantly vicious,” said Kevin Epstein, vice president, advanced security and governance at Proofpoint. “It’s an attack that, based on the way it’s constructed, is almost invisible. There are no traces on the laptop other than the [phishing] email and unless you’re a security pro logged into the router and know what the DNS is supposed to be, you can look at it and not realize it’s been compromised.”
The best defense is to change the router password, especially if it’s still the default provided by the ISP.
The potential for trouble extends well beyond this small campaign in Brazil; any router secured with default credentials is susceptible to this attack and a plethora of others. Kaspersky researcher Fabio Assolini, who lives in Brazil, said he’s seeing an average of four new such attacks daily.
“It’s not a limited pharming campaign; it’s massive,” he said.
Router hacks have been a growing nuisance in the last 12 to 18 months, with more white hat researchers looking into the breadth and severity of the issue. Some cases, such as the Misfortune Cookie vulnerability in a popular embedded webserver called RomPager, have put 12 million devices, including home routers, at risk of attack. Last summer during DEF CON, a hacking contest called SOHOpelessly Broken focusing on router vulnerabilities, yielded 15 zero-day vulnerabilities that were reported to vendors and patched.
While in this case, the attackers targeted banking credentials for online accounts, Proofpoint’s Epstein said he can see that scope expanding.
“As far as motive, the [proof of concept exploits] we saw seem financially motivated, which is typical of most cybercrime, but the technique is generally applicable,” he said. “If you wanted to harvest a bunch of traffic for a DDOS attack or get into a company, this is a way to do it and gain complete man-in-the-middle control over the user.”