How to Protect Against a Drive-by Pharming Attack

Just when you thought you were safe with your new home or small office router and firewall, you suffer a drive-by. But it's not a drive-by shooting--it's pharming, a different kind of threat.


Drive-by pharming occurs when attackers create a Web page or e-mail that, when simply viewed, results in substantive configuration changes to a home broadband router or wireless access point. As a result, attackers gain complete control over the conduit by which the victim surfs the Web.

While drive-by pharming has serious implications and could affect millions of users worldwide, this kind of attack can be easy to defend against at the router level. In this article we will discuss how such an attack works and how users can best protect themselves.

How drive-by pharming works

First of all, attackers create Web pages or e-mails that include malicious JavaScript or HTML code. When the Web page is viewed, the code running in the context of the Web browser uses a technique known as "Cross-Site Request Forgery" to log in to the victim's home broadband router. Although most routers require a password for logging in, users often never bother to change the password from the original factory default. Upon successful log-in, the malicious JavaScript code can modify the router's settings.

Attackers can then change the user's DNS server settings, thereby dictating which DNS server is used. Even worse, attackers can get victims to use a server created solely for malicious purposes. These servers may contain bogus records that direct the victim's computer to browse to the wrong IP address.

To illustrate: Attackers could set up a fake Web site that looks just like a user's bank's Web site. Because the attackers control the user's router, they can redirect requests for the legitimate bank Web site to the fake Web site. The victim will find it very difficult to tell whether or not he or she has navigated to a legitimate site, as the address bar of the browser will specify the correct name of the bank. When the user logs in to access his or her bank account, this unwittingly gives attackers full access to the account.

As one can imagine, such an attack is potentially quite devastating. The attack could affect a large number of people for the following reasons:

(1) All one has to do is visit a Web page hosting malicious code. The victim doesn't have to click on or download anything. Simply viewing the Web page or e-mail could compromise a system.
(2) Many users fail to change the default password on their home broadband routers. In fact, some informal studies show that 50 percent of people fall into this category.

(3) 95 percent of Internet users enable JavaScript execution on their Web browsers. In fact, because almost all popular Web sites use JavaScript, it is necessary to make sure sites function properly.

How users can protect themselves.

Users can protect themselves by following a few simple rules. First, users should change the default password settings on the broadband router or wireless AP. Choosing a more complicated password will provide an added layer of security. Although people often dislike complicated passwords because they fear forgetting them, it is not an issue in this case. If the password is forgotten, restoring the default settings by performing a hard reset on the router will erase the old password and restore the factory default password. It is also wise to find out whether the router manufacturer has released any software patches to close any gaps in security.

In general, it is recommended that users reset their routers anyway before changing passwords. This step ensures that if users are already victims of a drive-by pharming attack, they can start with a clean slate at the router level.

Additionally, practice good Internet "street smarts." Users should stick to Web sites that are trustworthy and be careful when clicking on links people send-even if they appear to come from trustworthy sources. Because drive-by pharming attacks can come through e-mails as well, users should be especially wary of messages received from unrecognized senders. If the sender is not recognized or if the e-mail appears to be junk, we recommend deleting the message without viewing it.

Zulfikar Ramzan is currently a senior principal researcher with the Advanced Threat Research Group at Symantec. In this role, Zulfikar is at the forefront of identifying sophisticated computer security threats and trends approximately 12 to 18 months out. Prior to joining Symantec, he held positions as a senior research scientist and lead security architect at NTT DoCoMo USA Labs and IP Dynamics, respectively.

Dr. Ramzan's main interests include the practical and theoretical aspects of information security and cryptography. He has co-authored over 30 published research papers, over 15 patent applications and one book entitled "Crimeware: Understanding New Attacks and Defenses."

Ramzan received his S.M. and Ph.D. degrees from the Massachusetts Institute of Technology in Electrical Engineering and Computer Science with his thesis research conducted in cryptography and information security. He can be reached at