Security experts have discovered a new kind of computer attack that could affect millions around the world. A simple website can be made to manipulate household routers–used to connect multiple home computers to the Internet–so that scammers can gather personal information and passwords.
According to researchers from Indiana University and the antivirus software company Symantec, anyone with a little skill can search for vulnerable home routers and change critical settings so that real websites are secretly replaced with bogus pages asking for log-in information.
“The big problem is that you can’t immediately see that there is a problem,” says Sid Stamm, a Ph.D. candidate at Indiana University’s School of Informatics and one of the researchers on the project.
For example, an unknowing victim who types in the domain name of his or her bank might be greeted by a page that looks legitimate. But any log-in and password information that is entered on that page would go straight to the scammer.
At its core, the attack is an old ploy called pharming. But Stamm and his colleagues found a new twist: a Web page, they say, can be used to launch an attack against home routers and manipulate domain-name server settings. (There has been previous speculation that this kind of attack might be possible, but the researchers say they are the first to prove that a Web page can be used to reconfigure these particular settings on the router.) All the attacker needs is the user’s internal Internet Protocol (IP) address and the password for the configuration settings on the router. Both, Stamm says, can often be easily acquired in a remote, automated attack.
First, the attacker sets up a Web page to lure victims with popular content, such as celebrity photos, says Zulfikar Ramzan, a senior principal researcher at Symantec who also worked on the router project. While the victim views the pictures, unseen code nabs the user’s IP address and probes the router, looking for clues that might reveal its brand. A picture of the company’s logo, for example, is usually saved on the router. All this poking around doesn’t raise any red flags because the router thinks it’s all just legitimate requests for information from the victim’s home computer.
Once the attacker determines the router’s brand, he or she can often guess the configuration password because many people use the manufacturer’s default, Stamm says. While it’s not known exactly how many routers lack adequate configuration passwords, an informal study published last year in the Journal of Digital Forensic Practice found that 50 percent of home users with a broadband Internet router either opted for the default or didn’t have a password at all. (Routers have another optional password to stop outsiders from using a wireless network, and people frequently don’t employ that password system either. But it is the configuration password specifically that is used in this attack.)