«
»

Changing password thwarts phishers


Friday, February 16th, 2007

Peter Wilson
Sun

Never bothered to change the default password that came with the router for your home computer network?

You’re not alone. A study by Indiana University shows that about 50 per cent of us don’t bother or don’t know how.

And that means that 50 per cent of us are open to having our personal financial information stolen by what is known as — in yet another Net catch phrase — drive-by phishing.

You can become a victim — and chances are you’ll never know it’s happened — if you end up on a malicious website that downloads a JavaScript to your computer.

That JavaScript gets into your router settings by using the manufacturer’s default password. Then it changes the settings and, bam, it’s as if you have a phony directory of websites installed on your computer.

From now on when you type in www.mybank.com, for instance, you’ll be directed to a server operated by the bad guys where they’ve set up any number of fake financial websites. Once there, you type in your login and your password and instantly the evildoers have access to your account.

“The thing is they’re attacking the router, not the PC, so any security software you have installed to check that everything is okay will not really tell you that something bad is happening,” said Zulifar Ramzan, senior principal researcher at security firm Symantec, and one of the scientists who discovered the problem.

And it’s likely, adds Ramzan, who worked with colleagues at Indiana University, that you won’t even know to check for the problem.

“This particular class of attack is really silent. It doesn’t try to make itself known.”

To protect yourself, all you have to do is change your router password.

Ramzan said it’s understandable why half of users don’t bother to change their router default password. You have to read the manual to figure out how to do it and many router installation programs never prompt you.

“For the past few weeks I’ve been playing with a lot of different routers and trying the attack out on them,” said Ramzan. “So I put the [installation] CD in my computer and follow the steps. And what I find is that a lot of the router manufacturers do not include a prompt for changing the password.”

Ramzan said his speculation is that the manufacturers do this to make installation convenient, but it puts users in danger.

© The Vancouver Sun 2007

 

This entry was posted on Friday, February 16th, 2007 at 12:00 pm and is filed under Technology Related Articles. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.



Comments are closed.