Wednesday, January 23, 2008

Intranet Hacking attacks found in the Wild

As covered by Dark Reading, CSO, and also Slashdotted: it’s been 18 months since I presented “Hacking Intranet Websites from the Outside” (RSnake heavily credited) at Black Hat USA 2006 and coined the term “JavaScript Malware”, and now the Symantec-named variant, “Drive-by Pharming”, has been witnessed in the wild. Drive-by Pharming is a CSRF attack that targets a home user’s DSL router and updates its DNS settings. From then on essentially all of the user’s traffic can be controlled by the attacker. Great for phishing because it’s simple and effective. Apparently the bad guys thought so too. The Drive-by-Pharming attack has been spotted in an email e-card campaign targeting a popular Mexican bank, where the router didn’t even have a password.
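To make the mechanism concrete from the defender's side, here is an added example (not code from the post, and not any real router's firmware) that models a router admin interface in Python. `set_dns_weak` shows the pattern a Drive-by Pharming page relies on: a state-changing endpoint that honours whatever request arrives with a valid session cookie, which the browser attaches automatically even when the request was triggered from a third-party page. `set_dns_hardened` shows the controls that close that gap: POST only, an `Origin` check against the router's own address, a per-session CSRF token compared in constant time, and validation of the submitted addresses. The router address, credentials and DNS values are constructed placeholders.

```python
import hmac
import ipaddress
import secrets
from urllib.parse import parse_qs

# Constructed placeholder: the origin the router's own admin pages are served from.
ROUTER_ORIGIN = "http://192.168.1.1"


class RouterAdmin:
    """Minimal stand-in for a home router's web admin (hypothetical, for illustration)."""

    def __init__(self, password="admin"):
        self.password = password
        self.dns_servers = ["192.168.1.1"]   # default: router forwards DNS itself
        self.sessions = {}                   # session id -> per-session CSRF token

    def login(self, password):
        if password != self.password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        return sid

    def csrf_token(self, sid):
        return self.sessions.get(sid)

    # --- weak handler: the shape Drive-by Pharming abuses -------------------
    def set_dns_weak(self, request):
        """Any method, any origin; only the session cookie is checked.
        A page on another site can cause the victim's browser to send this
        request, and the cookie rides along automatically."""
        if request["cookie"] not in self.sessions:
            return 403, "not logged in"
        params = parse_qs(request["query"])
        self.dns_servers = params.get("dns", [])
        return 200, "dns updated"

    # --- hardened handler ---------------------------------------------------
    def set_dns_hardened(self, request):
        sid = request["cookie"]
        if sid not in self.sessions:
            return 403, "not logged in"
        # State changes only via POST: a plain image/iframe/link load cannot reach here.
        if request["method"] != "POST":
            return 405, "state change requires POST"
        # Browsers send Origin on cross-site POSTs; reject anything not from the router UI.
        if request["headers"].get("Origin") != ROUTER_ORIGIN:
            return 403, "cross-site request rejected"
        params = parse_qs(request["body"])
        token = params.get("csrf", [""])[0]
        # A third-party page cannot read the token, so it cannot forge this field.
        if not hmac.compare_digest(token, self.sessions[sid]):
            return 403, "bad csrf token"
        new_dns = params.get("dns", [])
        try:
            for addr in new_dns:
                ipaddress.ip_address(addr)
        except ValueError:
            return 400, "invalid dns address"
        self.dns_servers = new_dns
        return 200, "dns updated"


def cross_site_request(sid, dns):
    """Constructed request shaped like one a third-party page would trigger:
    session cookie attached by the browser, foreign Origin, no CSRF token."""
    return {
        "method": "GET",
        "query": "dns=" + dns,
        "body": "",
        "cookie": sid,
        "headers": {"Origin": "http://third-party.example"},
    }


def same_site_request(router, sid, dns):
    """Constructed request as the router's own settings page would submit it."""
    return {
        "method": "POST",
        "query": "",
        "body": "dns=" + dns + "&csrf=" + router.csrf_token(sid),
        "cookie": sid,
        "headers": {"Origin": ROUTER_ORIGIN},
    }


if __name__ == "__main__":
    router = RouterAdmin()
    sid = router.login("admin")
    print("weak:", router.set_dns_weak(cross_site_request(sid, "203.0.113.5")), router.dns_servers)
    router = RouterAdmin()
    sid = router.login("admin")
    print("hardened, cross-site:", router.set_dns_hardened(cross_site_request(sid, "203.0.113.5")), router.dns_servers)
    print("hardened, same-site:", router.set_dns_hardened(same_site_request(router, sid, "198.51.100.1")), router.dns_servers)
```

The three checks are deliberately layered: the method check stops passive loads, the `Origin` check stops forged POSTs from other sites, and the token stops anything that somehow arrives with the right origin but without having loaded the real settings page. Note that none of this helps when the router accepts configuration changes without authentication at all, which is the separate defect the post and the comments below describe.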

6 comments:

Anonymous said...

Greetings.
My name is Ivan. I live in Ukraine. Having read your articles, I began to look differently at events around me.
Thanks a lot for your work.
My site mac cosmetics

Javier Liendo said...

here in Mexico we have been blogging about this issue for almost a year now (myself, the UNAM-CERT, et al.)

just to correct some facts: the issue is not that the dsl router doesn't have a password. the issue is that the 2wire router (this is the router that the biggest dsl provider in mexico deploys) has a vulnerability, a "hole" the size of a "whole galaxy", that allows anyone to configure the router even if it is password protected.

this is a really nasty bug and one that is exposing a couple of hundred thousand if not millions of users in this country.

Jeremiah Grossman said...

@Javier, thank you very much for the correction. MUCH better data.

Anonymous said...

Hi Jeremiah!

This was seen as early as the 10th or 11th of this month.

The email that was used in this attack also had a malcode attached using some then current news in Mexico about some narco operator.

More information here:

http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/

I hope this helps!

Anonymous said...

old, no news here for me

Eduardo said...

Funny thing: yesterday I was following the note on "drive by pharming attacks in the wild" in Google and found your blog. Later, at home, I started reading the new issue of IEEE's "Security & Privacy" magazine and found an article in which I read the name Jeremiah Grossman, so I recalled having read your blog a few hours earlier.

BTW I was following the note because I work at the UNAM-CERT and we found the so-called "first drive-by-pharming in the wild" attack.

Greets,
Eduardo.