Prior to its discovery in the wild in 2008, drive-by pharming was a concept proposed by Symantec experts and faculty at the Indiana University School of Informatics. The whitepaper that resulted identified a weakness among inexpensive broadband routers that, if used out-of-the-box without basic configuration, could lead to malware infection, denial of service attacks, and in some cases, identity theft. Standard safeguards include changing the router’s default password and using additional DNS protections.
A drive-by pharming attack typically begins with a scan of the user’s home or small network. Once the router’s default password is detected, the router’s DNS settings are modified to redirect all future requests. In effect, each DNS query is resolved by a forged DNS server, which steers all Internet traffic wherever the attacker chooses, regardless of what the user typed. The same strategy is employed when drive-by pharming targets and replaces a router’s firmware. In these cases, routers are used to host malicious web pages that install traditional malware without the user explicitly downloading anything.
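One defensive check that follows from the attack described above, added here as an example (it is not from the whitepaper or any router vendor): cross-check what the network’s resolver returns for a few important sites against an independent resolver, and flag any public site that resolves into the LAN, which is what a forged DNS server pointing users at a page hosted on the router itself would produce. The resolver callables and the sample answers are constructed assumptions standing in for live DNS queries.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

# A resolver maps a hostname to the set of addresses one DNS server returned for
# it; in practice this wraps a real query against the network's and a trusted server.
Resolver = Callable[[str], Set[str]]

# Ranges that only make sense inside a home or small network, never for a public site.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def lan_answers(answers: Iterable[str]) -> List[str]:
    """Answers inside the LAN ranges. A public site (a bank, a webmail provider)
    resolving to a LAN address is a strong sign the forged DNS server is sending
    users to a page hosted on the router itself or on a machine inside the network."""
    return sorted(a for a in answers if any(ipaddress.ip_address(a) in n for n in LAN_RANGES))

def compare_resolvers(domains: Iterable[str], local: Resolver,
                      trusted: Resolver) -> Dict[str, dict]:
    """Cross-check each domain against the network resolver and an independent one.
    'mismatch' means the two answer sets share no address; CDNs legitimately vary by
    vantage point, so a mismatch alone is a lead, while a LAN answer is much stronger."""
    report = {}
    for d in domains:
        local_ans, trusted_ans = local(d), trusted(d)
        report[d] = {
            "local": sorted(local_ans),
            "trusted": sorted(trusted_ans),
            "mismatch": local_ans.isdisjoint(trusted_ans),
            "lan": lan_answers(local_ans),
        }
    return report

def suspicious_domains(report: Dict[str, dict]) -> List[str]:
    """Domains whose answers disagree with the trusted resolver or point into the LAN."""
    return sorted(d for d, r in report.items() if r["mismatch"] or r["lan"])

# Constructed sample answers (not captured data). The network resolver has been pharmed
# for bank.example: it returns the router's own LAN address, where a look-alike page sits.
SAMPLE_LOCAL = {"bank.example": {"192.168.1.1"}, "news.example": {"203.0.113.10"},
                "cdn.example": {"198.51.100.7"}}
SAMPLE_TRUSTED = {"bank.example": {"203.0.113.50"}, "news.example": {"203.0.113.10"},
                  "cdn.example": {"198.51.100.7", "198.51.100.8"}}

def run_sample() -> List[str]:
    report = compare_resolvers(SAMPLE_LOCAL, SAMPLE_LOCAL.__getitem__,
                               SAMPLE_TRUSTED.__getitem__)
    return suspicious_domains(report)  # returns ['bank.example']
```

Note that cdn.example is not flagged even though the two resolvers disagree in part, because the answer sets overlap; only a complete disagreement or a LAN address raises a flag.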
Though malware and other damage are the end result of a drive-by pharming attack, its strategies are mostly based on deception. For example, phishing is used to deceive the user into believing a website or electronic communication is trustworthy (as in the case of the unnamed Mexican bank above). But routers and other hardware are also deceived when the DNS server addresses they rely on are replaced to redirect users to undesired websites. Among these tactics is domain spoofing, in which a user is redirected to another site while the URL in the address bar is masked to show the user’s original request. Domain spoofing makes drive-by pharming difficult to detect. All the while, an aggressive effort to obtain the user’s personal or private data may be underway.
Experts suggest that many people who use a variety of security measures are misled into believing their network is safe from drive-by pharming attacks. Corporate networks, they argue, are less vulnerable because they are more professionally managed. Firewalls, anti-spam filters and other popular safeguards employed by non-technical users can fail, and relying on them may actually leave the network more exposed. Even encrypting traffic with Wi-Fi Protected Access (WPA) isn’t enough to ward off drive-by pharming infections. Instead, the precautionary measures are simply to change your router’s default password and to disable its remote administration capability if it is not required.
There are also steps a user can take to avoid pharming in general, chiefly cautious and responsible use of the Internet. This includes using HTTPS and verifying a site’s authenticity via its certificate. It also includes basic visual checks for look-alikes, such as examining the sender address on questionable inbox messages and hovering over submit/action buttons to see where they lead before clicking them.