Drive-by pharming is an interesting type of networking attack that combines multiple networking...


Page 1

Drive-by pharming is an interesting type of networking attack that combines multiple networking vulnerabilities and average user laziness to create an invisible destructive attack. The attacker uses CSRF to trick a user's router into accepting reconfiguration of its primary DNS server, which later routes sensitive traffic (e.g. banking information) to the attacker's spoofed server. The attacker then has full use of the victim's information to withdraw money or engage in other havoc.

Jake Engleman, CIS 235, Fall 2009

Page 2

The Attack

1. Choose a common online website containing desired private user information and create an identical copy of this website on an attacker-controlled server.

2. Host a DNS server on an attacker-controlled server that redirects real website requests to the fake server.

3. Find the default router IP address and admin password or UPnP configuration details for a common consumer router.

4. Host a website or send an email to the user that tricks him into loading new configuration details for his router. When the user accesses this false email, his router will be reconfigured.

5. The user later goes to the wrong website, where the attacker can harvest his information.

6. The attacker then uses this information on the real site to steal the victim's money or private information.
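The observable result of step 4 is a LAN whose resolver no longer points where the user expects. The following check, added here as an example and not part of the original presentation, parses resolver lines in /etc/resolv.conf syntax (as a DHCP client on the LAN would receive them from the router) and flags any nameserver that is not the expected router address, distinguishing an unexpected LAN host from an unexpected external address. The sample text, the 192.168.1.0/24 LAN, the expected resolver 192.168.1.1 and the 203.0.113.9 entry (a documentation-range address standing in for a resolver the user never configured) are all constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in /etc/resolv.conf syntax (assumption for this example).
# 203.0.113.9 is from a documentation address range and stands in for a
# resolver that the user never configured.
SAMPLE_RESOLV_CONF = """\
# generated by the DHCP client
search home.example
nameserver 192.168.1.1
nameserver 203.0.113.9
"""

# Assumptions: the home LAN is 192.168.1.0/24 and the only legitimate
# resolver is the router itself, which forwards queries to the ISP.
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")
EXPECTED_NAMESERVERS = {"192.168.1.1"}


def parse_nameservers(text: str) -> List[str]:
    """Return the nameserver entries from resolv.conf-style text, ignoring comments and other keywords."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def audit_nameservers(servers: List[str], expected: set) -> Dict[str, List[str]]:
    """Classify each resolver as expected, an unexpected LAN host, an unexpected external address, or invalid.

    An external resolver the user never chose is the signature of a rewritten DNS setting;
    an unexpected LAN host is worth a look as well (a rogue device or a stale lease).
    """
    report: Dict[str, List[str]] = {
        "expected": [],
        "unexpected_lan": [],
        "unexpected_external": [],
        "invalid": [],
    }
    for server in servers:
        if server in expected:
            report["expected"].append(server)
            continue
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            report["invalid"].append(server)
            continue
        if addr in LAN_NETWORK:
            report["unexpected_lan"].append(server)
        else:
            report["unexpected_external"].append(server)
    return report


def dns_settings_suspicious(text: str, expected: set = EXPECTED_NAMESERVERS) -> bool:
    """True when any configured resolver is outside the expected set."""
    report = audit_nameservers(parse_nameservers(text), expected)
    return bool(report["unexpected_lan"] or report["unexpected_external"] or report["invalid"])


if __name__ == "__main__":
    # Run against the constructed sample; on a real host read /etc/resolv.conf instead.
    for category, entries in audit_nameservers(parse_nameservers(SAMPLE_RESOLV_CONF), EXPECTED_NAMESERVERS).items():
        print(f"{category}: {entries}")
    print("suspicious:", dns_settings_suspicious(SAMPLE_RESOLV_CONF))
```

The check deliberately compares against a fixed allowlist rather than a "looks like a public resolver" heuristic: the whole point of the attack is that the substituted resolver is a perfectly ordinary public address, so only a known-good baseline tells the two apart.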

Page 3

Prevention

For the user

1. Change the default password on the router.

2. Change the default address space of the router.

3. Purchase a router from a manufacturer doing what is described below.

4. Be wary of clicking untrusted links.

For the router manufacturer

1. Add more randomization to default address space and default admin passwords.

2. Create router configuration web interfaces that require more human interaction than a simple POST/GET request.

3. Use authentication that does not blindly trust LAN devices.

4. Disable UPnP by default.
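The manufacturer-side items above (no state change from a bare GET/POST, no blind trust of LAN devices) in code: an added Python example that is not code from the presentation or from any real router firmware. It contrasts a configuration handler that applies any request carrying a dns1 parameter, which is the behaviour the attack relies on, with one that requires POST, a same-origin Origin/Referer header, a logged-in session and a session-bound CSRF token before it touches the DNS setting. The ROUTER_ORIGIN address, the request and session dictionaries and the parameter names are assumptions made for the example.

```python
import hmac
import ipaddress
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumption: the router's admin UI is served from this origin.
ROUTER_ORIGIN = "http://192.168.1.1"


def issue_csrf_token(session: Dict) -> str:
    """Bind a fresh random token to the logged-in session; the admin page embeds it in its forms."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def update_dns_vulnerable(request: Dict, config: Dict) -> bool:
    """The pattern drive-by pharming abuses: any request carrying dns1 is applied,
    whatever its method, origin or authentication state."""
    dns1 = request["params"].get("dns1")
    if dns1 is None:
        return False
    config["dns1"] = dns1
    return True


def update_dns_hardened(request: Dict, session: Dict, config: Dict) -> Tuple[bool, str]:
    """Apply a DNS change only when the request demonstrably came from the router's
    own admin page, driven by a logged-in user. Returns (applied, reason)."""
    # 1. State changes require POST; a GET fired by an <img> tag or a link must never reconfigure anything.
    if request["method"] != "POST":
        return False, "state change requires POST"
    # 2. The browser-supplied Origin (or, failing that, Referer) must be the router's own UI.
    headers = {k.lower(): v for k, v in request["headers"].items()}
    origin = headers.get("origin") or headers.get("referer")
    if origin is None or urlsplit(origin).netloc != urlsplit(ROUTER_ORIGIN).netloc:
        return False, "cross-site request rejected"
    # 3. Being on the LAN is not authentication: require a logged-in session.
    if not session.get("authenticated"):
        return False, "login required"
    # 4. The form must carry this session's CSRF token (constant-time comparison).
    token = request["params"].get("csrf_token", "")
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(token, expected):
        return False, "missing or invalid CSRF token"
    # 5. Validate the value itself before storing it.
    dns1 = request["params"].get("dns1", "")
    try:
        ipaddress.ip_address(dns1)
    except ValueError:
        return False, "dns1 is not an IP address"
    config["dns1"] = dns1
    # Rotate the token after each state change so a captured token cannot be replayed.
    issue_csrf_token(session)
    return True, "updated"


if __name__ == "__main__":
    # Constructed cross-site request: a GET with a Referer from another site and no token.
    cross_site = {
        "method": "GET",
        "headers": {"Referer": "http://attacker.example/page.html"},
        "params": {"dns1": "203.0.113.9"},
    }
    print("vulnerable handler applied cross-site request:", update_dns_vulnerable(cross_site, {}))
    print("hardened handler:", update_dns_hardened(cross_site, {}, {}))
```

The four checks are layered on purpose: the method check stops image-tag and link-based triggers, the origin check stops forms auto-submitted from another site, the session check removes the "anything on the LAN is trusted" assumption, and the per-session token covers browsers that strip Referer and Origin. Rejecting on any one of them is what makes a silently loaded page unable to reconfigure the router.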