The security company said this was the first time it had seen such an attack "in the wild," although the concept had been discussed a year ago by Symantec researchers, according to a Symantec blog post.
In the attack, which targeted users of an undisclosed Mexican bank, the intended victims received a spam e-mail claiming they had received an e-card and directing them to gusanto.com, a Spanish-language e-card site. However, the e-mail also had embedded HTML image tags that contained an HTTP GET request to the router to change its Domain Name System settings, according to Symantec's U.K. manager of quality assurance, Thomas Parsons.
The HTTP GET request causes the router to redirect traffic to a specific IP address when the user attempts to access any of six banking-related domain names. Symantec requested that ZDNet UK not publish the IP address.
The attack is made possible by a cross-site scripting vulnerability in routers made by broadband-equipment company 2Wire that was reported in August last year, according to Symantec. Parsons said this was "a simple hack" and advised small to medium-size businesses to change default security settings on routers and educate users about clicking on suspicious links.
Tom Espiner of ZDNet UK reported from London.
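A mail-gateway check for the delivery technique described above, as an added example that is not part of the original article: it flags HTML message bodies whose auto-loading tags point at private or gateway addresses. The tag list, gateway hostnames and the sample message with its placeholder URLs are constructed assumptions.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumed lists: tag/attribute pairs a mail client fetches without a click,
# and names often bound to a home gateway. Extend both per environment.
AUTO_FETCH = {("img", "src"), ("iframe", "src"), ("script", "src"),
              ("link", "href"), ("body", "background")}
GATEWAY_NAMES = {"gateway", "router", "home", "localhost"}

def is_internal(host):
    """True for private, loopback or link-local IPs and gateway-style names."""
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.lower().rstrip(".")
        return name in GATEWAY_NAMES or name.endswith(".local") or "." not in name
    return ip.is_private or ip.is_loopback or ip.is_link_local

class AutoFetchScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in AUTO_FETCH or not value:
                continue
            try:
                url = urlsplit(value.strip())
            except ValueError:  # malformed URL, e.g. a broken IPv6 literal
                continue
            if url.scheme in ("http", "https") and is_internal(url.hostname):
                # Query parameters on an internal URL suggest a settings change.
                params = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
                self.findings.append({"tag": tag, "host": url.hostname,
                                      "params": params, "high_risk": bool(params)})

def scan_html(body):
    """Return one finding per auto-loaded URL aimed at an internal host."""
    scanner = AutoFetchScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings

# Constructed sample message; hosts, paths and parameters are placeholders.
SAMPLE = """<html><body><p>You have received an e-card!</p>
<a href="http://cards.example/view?id=1">View your card</a>
<img src="http://cards.example/banner.png">
<img src="http://192.168.1.254/placeholder-path?placeholder_param=value">
<img src="http://gateway/placeholder-path"></body></html>"""
```

Links that need a click (`<a href>`) are deliberately ignored; only tags fetched on render are checked, since those are what let the request fire without user action.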
- No surprise
- A GET request is used to change settings in a popular router design by a certain company whose name starts with 'C' and ends with 't'. The sad thing is that the product managers were warned about that four years ago.
  Any webpage can issue a GET request to your router, with arbitrary arguments, that's it. Should have used POST.
- Need security, not POST
- POST isn't secure enough either, though it does provide a bit more than GET. If you viewed a site they could still post to the router with a form and JavaScript. The GET method simply allows the attack to be done without JavaScript, using an image tag or the like.

  The basis of this attack, while using XSS, is really more of a CSRF attack (Cross site referrer forgery.)

  The users this affects are ones logged into the router without logging out (most routers use .htaccess and don't support logging out without clearing private data.)
  These authenticated users are used to send data and change settings. Simple referrer checking in the router's web-interface programming would eliminate most of these problems.