Drive-By Pharming with Cross-Site Request Forgery (CSRF)

Drive-By Pharming with Cross-Site Request Forgery (CSRF). Jake Engleman CIS 235 Fall 2009.


Presentation Transcript


  1. Drive-By Pharming with Cross-Site Request Forgery (CSRF)
     Jake Engleman, CIS 235, Fall 2009

     Drive-by pharming is an interesting type of network attack that combines multiple networking vulnerabilities with average user laziness to create an invisible, destructive attack. The attacker uses CSRF to trick a user's router into accepting a reconfiguration of its primary DNS server, which later routes sensitive traffic (e.g. banking information) to the attacker's spoofed server. The attacker then has full use of the victim's information to withdraw money or engage in other havoc.

  2. The Attack
     • Choose a common online website containing desired private user information and create an identical copy of this website on an attacker-controlled server.
     • Host a DNS server on an attacker-controlled server that redirects real website requests to the fake server.
     • Find the default router IP address and admin password or UPnP configuration details for a common consumer router.
     • Host a website or send an email to the user that tricks him into loading new configuration details for his router. When the user accesses this false email, his router will be reconfigured.
     • The user later goes to the wrong website, where the attacker can harvest his information.
     • The attacker then uses this information on the real site to steal the victim's money or private information.

  3. Prevention

     For the user
     • Change the default password on the router.
     • Change the default address space of the router.
     • Purchase a router from a manufacturer doing what is described below.
     • Be wary of clicking untrusted links.

     For the router manufacturer
     • Add more randomization to default address space and default admin passwords.
     • Create router configuration web interfaces that require more human interaction than a simple POST/GET request.
     • Use authentication that does not blindly trust LAN devices.
     • Disable UPnP by default.
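The manufacturer-side items above (a configuration interface that needs more than a simple POST/GET, and authentication that does not trust a device just for being on the LAN) can be sketched as a server-side check. This is an added example, not part of the original presentation or any vendor's firmware; `new_session`, `authorize_config_change`, the `dns1` and `csrf_token` field names and all addresses are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

def new_session():
    """Hypothetical helper: an admin session created after a real login."""
    return {"authenticated": True, "csrf_token": secrets.token_urlsafe(32)}

def authorize_config_change(method, headers, form, session):
    """Return (allowed, reason) for a request that would change router settings."""
    # 1. Settings never change on GET, so a bare URL load cannot reconfigure.
    if method != "POST":
        return False, "state change requires POST"
    # 2. Being on the LAN is not authentication: require a logged-in session.
    if not session or not session.get("authenticated"):
        return False, "no authenticated session"
    # 3. The request must come from the router's own admin pages.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or urlsplit(source).netloc != headers.get("Host"):
        return False, "cross-origin or missing Origin/Referer"
    # 4. The form must carry the secret token issued to this session.
    sent = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, session["csrf_token"].encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def demo():
    """Run the check over constructed requests (addresses are placeholders)."""
    session = new_session()
    host = "192.168.1.1"
    own = {"Host": host, "Origin": "http://" + host}
    foreign = {"Host": host, "Origin": "http://other.example"}
    good_form = {"dns1": "192.0.2.53", "csrf_token": session["csrf_token"]}
    bare_form = {"dns1": "192.0.2.53"}
    cases = {
        "own admin page": ("POST", own, good_form, session),
        "cross-site POST": ("POST", foreign, bare_form, session),
        "cross-site GET": ("GET", foreign, bare_form, session),
        "same origin, no token": ("POST", own, bare_form, session),
        "LAN device, not logged in": ("POST", own, good_form, None),
    }
    return {name: authorize_config_change(*args) for name, args in cases.items()}

if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Only the request that comes from the router's own page, inside a logged-in session, with the per-session token is accepted; each other constructed request is denied by a different layer of the check.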
