
Phishing? Pharming? Don’t these guys know how to spell?

Network World wrote about an interesting attack that is – at least in this case – very simple to fix.

First, what is pharming?  When you go to your browser and type in www.foo.com, you are trusting the browser to actually send you to foo.com.  What if it really sent you to badfoo.com?  Badfoo.com is designed to look very much like foo.com, except that it may load malware on your computer or capture your userid and password for your banking site.

In this particular attack, the attacker sent out a bunch of phishing emails.  If the user clicked on the link, it directed the user to a site that compromised their home Internet router.  From that point, the malware tries the default userid and password for the router and, if the user has not changed the password, the malware is able to make changes to the configuration of the router.  Specifically, it changes the setting for what is called the DNS server.  The DNS server is the part of the Internet that converts the web site name that you put in your browser into the numbers that the Internet actually understands.

For example, if I type in WWW.WELLSFARGO.COM, what my browser needs to know is that the address for that web site is 159.45.170.42.  The DNS server does this translation.

What the malware does, in this case, is change the DNS server from your Internet provider’s server to one controlled by the hacker.  Now, if the hacker wants to create his own web site for Wells Fargo, he can, and your browser will happily send you there.  This address translation affects your email and most every other form of internet traffic.

The hacker could achieve the same result by hacking your Internet provider’s DNS servers, but those are likely well protected, while your home router is not.  In addition, your Internet provider will eventually detect that their DNS server has been hacked, while you likely will never detect that your home router has been attacked.
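One way to notice a changed DNS setting from a computer behind the router, shown as an added example that is not part of the original post. It assumes a Linux-style `resolv.conf`; the sample file, the documentation-range addresses and the `EXPECTED_RESOLVERS` list are constructed placeholders.

```python
import ipaddress

# Constructed sample: resolv.conf as a DHCP client might write it after the
# router's DNS setting was changed. All addresses are placeholders.
SAMPLE_RESOLV_CONF = """\
# Generated by dhclient
search home.example
nameserver 203.0.113.66
nameserver 192.168.1.1
nameserver 198.51.100.53   # ISP resolver
"""

# Assumption: the resolvers your Internet provider (or you) intend to use.
EXPECTED_RESOLVERS = {"198.51.100.53", "198.51.100.54"}
# Home-network ranges; an address here is normally the router itself.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # skip entries that are not valid IP addresses
    return servers

def audit_resolvers(servers, expected):
    """Label each resolver: expected, local-stub, router-forwarded, unexpected."""
    report = {}
    for server in servers:
        addr = ipaddress.ip_address(server)
        if server in expected:
            report[server] = "expected"
        elif addr.is_loopback:
            report[server] = "local-stub"  # local caching resolver
        elif any(addr in net for net in RFC1918):
            # The router answers DNS itself, so its upstream DNS setting
            # has to be checked on the router's own admin page.
            report[server] = "router-forwarded"
        else:
            report[server] = "unexpected"  # not on the list: investigate
    return report

if __name__ == "__main__":
    found = parse_nameservers(SAMPLE_RESOLV_CONF)
    for server, verdict in audit_resolvers(found, EXPECTED_RESOLVERS).items():
        print(f"{server}: {verdict}")
```

A "router-forwarded" result is not a clean bill of health: the router may itself be forwarding to a changed upstream server, so the DNS fields on the router's admin page still need to be compared against the expected list.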

Being able to change your DNS server address is joyful for the hacker and really sad for you.

This particular attack is based on two things.  First, a bug in your home internet router that has not been patched and second, the fact that 99 percent of the planet does not change the default password that comes with the router.

All you need to do in order to thwart this – and a whole bunch of other – attacks is change the default password.  While this won’t make you younger, better looking or richer, this simple change will help keep the bad guys out.

Changing the password also applies to any other Internet-connected device that you have in your home – TV, refrigerator, washer.  It is amazing what is connected to the Internet these days.  All of those smart devices are connected to the same network as your laptop or your nanny cam that is watching your baby.  Hack your refrigerator and they have a toehold to the rest of your network.  That is EXACTLY how the Target and Home Depot attacks started.  Seriously.  So, if you have not changed the password of all Internet-connected devices since they came out of the box, I recommend you do so now.

Mitch

 
