The presentation focused on a new type of phishing attack that uses a home router.
Tsow explained how hackers and others with a working knowledge of routers can buy an over-the-counter router and change its internal settings so that it connects to different Web sites, in order to obtain restricted information for identity theft and to steal money.
Tsow has been working on this project with Markus Jakobsson, associate professor of Informatics, for about a month.
As part of his research, Tsow bought a router and altered its internal settings to misdirect the user from eBay.com to the Anti-Phishing Working Group Web site, www.antiphishing.org. Though the router successfully misdirected the user to the new site, the address still appeared as www.ebay.com in the URL bar.
Tsow said once a router's settings have been changed, it is referred to as a compromised router.
"Anti-virus programs check your computer's memory and hard drive. They have no access to the router, so it isn't checked," Tsow said.
Some compromised routers are even more difficult to detect because the attacker can revert the router to its original settings, which removes the evidence that a phishing attack took place, Tsow said.
"It only takes a few minutes to change the settings on a router," he said. "I could probably do around 20 per hour."
Tsow's research found that the average identity fraud in 2006 costs about $6,000, and estimated that if someone sold 15 compromised routers per week for one year and had three victims for each router, that person would end up stealing a little less than $15 million in just one year.
"It makes you paranoid. It's hard to know what to trust," said Divya Aggarwal, a graduate student of Informatics.
Tsow said there is currently no easy solution to this problem. However, he shared some preventive measures wireless network users can practice in order to avoid the effects of a compromised router. He said to accept only signed firmware from trusted hardware vendors and set default policies to never accept self-signed certificates. Tsow said he is changing his browsing habits on wireless networks to be more careful.
"I would fall for most of this if I didn't know better," he said.
Read the entire article here:
http://www.crime-research.org/news/23.02.2006/1843/