Is the "Drive-by Pharming" Attack Misnamed?

Any wireless Access Point (AP) that uses a default password is vulnerable to manipulation by anyone that can gain some form of connectivity to it. If the wireless AP's management interface is Web-based, it can be mimicked, and therein resides a problem waiting to happen.

If an intruder can craft a special Web page that mimics the functionality of an AP management interface, that Web page could take any action against an AP that's allowed by the management interface. So what's to stop an attacker from developing a Web page that, when viewed, changes any of the available AP settings? Not much, apparently.

Symantec researchers recently blogged about this very scenario, and they point out how an attacker might use this attack method to change DNS settings, which could lead to phishing scams. In the blog article, they wrote, "The attackers create a Web page that includes malicious JavaScript code. When the Web page is viewed, this code, running in the context of your Web browser, uses a technique known as 'Cross Site Request Forgery' and logs into your local home broadband router.... One simple, but devastating, change is to the user's DNS server settings."

Symantec chose to call this attack "drive-by pharming," and that bothers me. I saw several headlines about this attack type on the Internet before I read the Symantec blog, and I thought, "Oh great, another way to get in your car, drive around, find unprotected APs, and steal people's information." But this attack has absolutely nothing in common with war-driving. So Symantec introduced confusion with the attack name, and some media reports spread the confusion further.

Symantec would do well to stop confusing us about security problems with its use of misleading attack-type names. In the case of "drive-by pharming," the attack has nothing to do with being in close proximity to an AP (as is the case with war-driving) and is related to "pharming" only in that attackers could use the management interface vector to manipulate DNS to point to the DNS servers of their choice, which in turn could resolve certain host names to IPs that point to pharming sites.

The ability to attack someone's DNS settings could be exploited in a variety of ways, none of which Symantec bothered to mention. For example, an attack could install botnet software or other malware, spy on Web usage habits, intercept email, or intercept sensitive files for corporate espionage; the list goes on and on. It seems to me that misnaming attacks is itself a security problem because it misinforms people who might not have the time to delve deeper into the nuts and bolts behind a given title. I think Symantec should consider patching its naming methods. What do you think? Send me an email with your thoughts on this issue.

If you're interested in the Symantec report, you can read it at:

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.