Pharming is a technique where attackers use a malicious or modified DNS server to redirect address requests (typically for banking websites) to a realistic-looking but entirely fake website, for the purpose of collecting banking credentials without the knowledge of the customer. Previously, this was done simply by controlling or modifying a DNS server and waiting until a victim triggered a lookup for the targeted domain, which could then be answered with the address of the fake site. However, early this year the FraudWatch International Malware team started noticing much more deliberate attacks, in which cyber-criminals are utilising phishing emails to push victims into the compromise and so enhance their hit rate.

How is the attack occurring?

The targeted victims were sent an email claiming to be from a well-known Brazilian bank, containing a link that supposedly led to the bank's site so they could log in. The link actually delivered malicious JavaScript which, running in the victim's browser and therefore from inside the victim's own home network, attempted to brute-force the login of the victim's router using common username and password combinations, often the factory defaults. Because the script runs on the LAN side, the router's administration page does not need to be exposed to the Internet for this to work. Once the script succeeded in logging in to the router, it reconfigured the router's DNS settings so that lookups from the victim's network were sent to a malicious DNS server.

[Screenshots: the actual banking website compared with the fake banking website]

A compromised router will then discreetly direct DNS lookups to the malicious DNS server. When the victim attempts to visit their bank's site, the malicious server answers with the address of the phishing site, so the victim lands on the fake page even when they manually type the bank's address into the browser; the phishing link was only needed to compromise the router, not to deliver the fake page.

The victim will also see the same fraudulent IP address if they perform an nslookup on their bank's domain, that is, if they query DNS directly to map the domain name to an IP address, because the query goes to the same malicious resolver the router now hands out. Querying a trusted resolver explicitly (for example, nslookup with a known public resolver's address as the second argument) and comparing the two answers is a quick way to expose the discrepancy.

[Screenshots: the malicious JavaScript, and a DNS lookup for the bank's domain returning the fraudulent address]

How can you protect yourself?

When you sign up for Internet access with an Internet Service Provider (ISP), the ISP will often supply a wireless router so you can connect multiple PCs or smart devices to your own private Local Area Network (LAN). Whilst this is convenient, it carries some risk. The router will come with an administrative username and password preset by the ISP or the manufacturer, and many home routers share well-known defaults such as "admin:admin". Attackers who know or guess these details can gain control of the router and, through it, of the traffic from every device connected to your LAN, which is exactly what the attack described above relies on.

Changing your router’s default login credentials:

  1. Collect your login information (the router's IP address, username and password). This is typically found in the router's user manual or on a label on the router itself.
  2. In a browser, enter the router's IP address into the address bar and log in with the username and password.
  3. Change the username (where the router allows it) and the password in the Administration or Security tab. The location of these tabs will vary based on your provider, but generally they are found under the main settings page for the router. Choose a long, unique password rather than another common word.
  4. While logged in, also check the DNS server addresses the router is configured to use. If they are not your ISP's or a resolver you chose yourself, the router may already have been reconfigured as described above and the DNS settings should be corrected as well.