www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
20 November 2006  

Vendor Accent

Pharming: a sinister form of Phishing

Anuj Goel describes Pharming attacks wherein criminals divert users to a fraudulent Web page and corrupt Domain Name Servers to nefarious ends. He also discusses what governments and users are doing and should do to combat this latest threat on the Net.

We may have become experts in detecting and eradicating viruses, Trojans and Phishing attacks, but there is always a new puzzle to solve. The latest one is known as Pharming, a sinister evolution of Phishing. Phishing is so called because the attacker, by sending a fraudulent e-mail, is casting his bait and waiting for a bite. It struck a colleague of mine, who asked me whether one comes from the sea and the other from the land. As an information security consultant, I could see the need for layman’s definitions of these perplexing terms.

Phishing and Pharming are additions to the top security threats that institutions currently face, and Pharming attacks are the more devious of the two. The trend is shifting from technological attacks to those that exploit human behaviour. Studies have shown that users are the greatest risk to any company’s information technology infrastructure. Attackers are no longer after network vulnerabilities, since the increased use of anti-virus, anti-spyware, virtual private networks, firewalls and intrusion detection systems has throttled that avenue down.

Both attacks exploit human behaviour by using fabricated e-mails and Web sites or interfaces to get users to disclose confidential information to hackers and fraudsters. Both techniques are frequently used and can have serious consequences for financial departments in enterprises and educational institutes. While Pharming is very similar to Phishing, the approach used to lure victims to bogus Web sites differs.

A Phishing message gives every appearance of originating from a genuine merchant, be it a bank, credit card company or other legitimate e-commerce company. It attempts to persuade you to click on a link that takes you to a Web site where you are prompted to log in and verify your account information. Most of the time these e-mail messages contain a warning such as “your account has been suspended, please login to your account and verify your address”, or ask users to change their password by logging into their account. The most peculiar one that I received asked me to enter all my personal information, because their server couldn’t locate it anymore. eBay, Citibank, PayPal etc. have been among the top victims of the Phishing game.

In Pharming, criminals divert users to a deceptive Web page without any Phishing e-mail message. As with Phishing, Pharming can be completely transparent to the unsuspecting Internet user. Unlike Phishing, it uses false Internet Protocol (IP) addresses to direct users to a bogus Web site where they are conned into divulging personal information. There are few clues to the user that anything is wrong. Pharming is becoming a more worrisome threat than its predecessor, since it is more advanced, harder to detect and insidious.

Pharming corrupts a Domain Name Server (DNS) by replacing the IP address it returns for a domain with a fake one. DNS is an Internet service that translates domain names into IP addresses. Because domain names are alphabetical, they are easier to remember; the Internet, however, is really based on IP addresses. Therefore, every time we use a domain name, a DNS service must translate the name into the corresponding IP address. The crime is accomplished through cache-poisoning of DNS servers (a.k.a. domain hijacking). This results in a user’s request being redirected to the attacker’s server, where he or she is asked to update personal information such as passwords and credit card, social security and bank account numbers.

According to the Federal Deposit Insurance Corporation (FDIC: http://www.fdic.gov/news/news/financial/2005/fil6405a.html), Pharming may occur in four ways:

  • Static domain name spoofing where the criminal attempts to take advantage of slight misspellings in domain names to trick users into inadvertently visiting the attacker’s Web site;
  • Malicious virus software that secretly captures data on consumers’ personal computers to redirect users;
  • Domain-hijacking where the hacker steals the legitimate Web site; and
  • DNS-poisoning where Internet DNS servers are corrupted to direct users onto Web sites other than those requested.
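The first item in the FDIC list, static domain name spoofing, is the one a defender can screen for without touching DNS at all. As an added example (not the article's code), the following Python classifies a requested hostname against a small list of protected domains, folding common look-alike characters and measuring edit distance so that near-misses are flagged. The PROTECTED list, the homoglyph table and the two-label registrable-domain rule are assumptions made for this example.

```python
"""Lookalike-domain check for 'static domain name spoofing'.
Added example, not the article's code. PROTECTED, the homoglyph table and the
two-label registrable-domain rule are assumptions made for this example."""
import unicodedata
from typing import Iterable, Optional, Tuple

# Assumed list of domains an organisation wants to protect.
PROTECTED = ["examplebank.com", "paypal.com", "citibank.com"]

# Visually confusable substitutions commonly used in lookalike registrations.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(host: str) -> str:
    """Lower-case, strip accents (e.g. 'pàypal' -> 'paypal') and fold
    common digit/letter confusables so near-misses compare equal."""
    host = unicodedata.normalize("NFKD", host.lower().strip("."))
    host = "".join(c for c in host if not unicodedata.combining(c))
    for src, dst in HOMOGLYPHS:
        host = host.replace(src, dst)
    return host


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against a protected name is the typo signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Assumption: the registrable domain is the last two labels. A real
    deployment would consult the Public Suffix List (e.g. for .co.uk)."""
    return ".".join(host.split(".")[-2:])


def check_host(host: str, protected: Iterable[str] = PROTECTED,
               max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Classify a requested hostname as 'legitimate', 'lookalike' or 'unrelated',
    together with the protected domain it matched (None when unrelated)."""
    protected = list(protected)
    full = host.lower().strip(".")
    raw = registrable(full)
    if raw in protected:
        return ("legitimate", raw)
    # Brand embedded in some other registrable domain, e.g. paypal.com.evil.example
    for good in protected:
        if good in full:
            return ("lookalike", good)
    # Homoglyph folding plus typo distance, e.g. paypa1.com or citybank.com
    norm = registrable(normalize(full))
    for good in protected:
        if norm == good or levenshtein(norm, good) <= max_distance:
            return ("lookalike", good)
    return ("unrelated", None)


if __name__ == "__main__":
    for h in ["www.paypal.com", "paypa1.com", "www.paypal.com.evil.example", "google.com"]:
        print(h, "->", check_host(h))
```

A distance threshold of 2 is deliberately aggressive; for very short protected names it will also catch unrelated domains, so tune `max_distance` per name or add an allow-list when running this over proxy logs or a browser's visited-site history.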

Pharming is dangerous, not simply because it is more effective than Phishing, but also because it is easier for attackers to pull off: they only need to modify a file called hosts on the user’s system and create a false Web page. This could easily be accomplished by a Trojan.

The only true protection against Phishing is common sense. Watch for any fraudulent e-mail and, if it looks suspicious, simply delete it. Experts on Phishing recommend that consumers avoid responding to unsolicited e-mails from banks and other financial institutions. Instead, they should call the company the message appears to be from and report the contents and source of the suspicious message. Consumers should also refrain from clicking on hyperlinks in e-mails. Always remember the rule of thumb that companies never send out “account verification” messages.

In the newest version of Internet Explorer, IE7, Microsoft has included a security feature designed to dynamically warn users if they visit a Phishing site. According to Microsoft, the Phishing filter proactively warns and helps protect you against potential or known fraudulent sites and blocks the site if appropriate. The opt-in filter is updated several times per hour using the latest security information from Microsoft and several industry partners about fraudulent Web sites.

Keeping a close eye on the address bar of your browser does nothing to prevent Pharming, but being cautious and setting the alarm bells ringing for all on-line transactions can save you a lot of headaches. You should always check that the site has an electronic certificate from a trusted Certificate Authority (CA). If you are presented with an invalid server certificate, especially when entering a site where you deposit confidential information or perform money transactions, pause and review the certificate before entering any data. If the name on the certificate doesn’t match the site you are attempting to reach, leave the site right away. To guard against Pharming, computer users should also regularly update their anti-virus and anti-spyware programs.

If you are a network administrator, you should also deploy methods to protect DNS, together with multi-factor authentication for logins, single-use passwords and automatic telephone call-back technologies.

The best defence against DNS-poisoning is to ensure that you have the latest DNS software and security patches in place. Some vendors offer anti-Pharming tools to protect you from unauthorised changes. Companies like NGSEC (http://www.ngsec.com) actively protect your Windows server from Pharming attacks by denying any user (even the administrator) permission to write to the hosts file. Their tool also sniffs each network interface for DNS replies and rechecks them against at least three trusted DNS name servers.
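The two checks just described, a hosts file that should never pin a public domain, and a DNS answer that should agree with what several independent resolvers return, are easy to script. As an added example (not the article's or NGSEC's code), the following Python audits a hosts file for entries covering a monitored domain and compares the address a client actually received with answers from trusted resolvers. The hosts file contents, the MONITORED set and the resolver answers are constructed so that it runs offline; in practice the trusted answers would come from queries sent directly to known resolver addresses.

```python
"""Hosts-file audit and multi-resolver cross-check for pharming.
Added example, not the article's or NGSEC's code; all inputs are constructed."""
from typing import Dict, List, Set, Tuple

# Assumed: public domains whose resolution we care about.
MONITORED = {"examplebank.com", "www.examplebank.com", "paypal.com"}

# Constructed hosts file; the examplebank line is the kind of entry a Trojan plants.
SAMPLE_HOSTS = """\
# hosts file (constructed for this example)
127.0.0.1   localhost
::1         localhost ip6-localhost
203.0.113.7   www.examplebank.com examplebank.com
10.0.0.5      intranet.corp.example
"""

# Constructed answers from three trusted resolvers. A CDN may legitimately
# hand different resolvers different subsets of its addresses, so the check
# below asks whether the local answer is *known* to them, not identical.
SAMPLE_TRUSTED = {
    "198.51.100.1": {"192.0.2.10"},
    "198.51.100.2": {"192.0.2.10", "192.0.2.11"},
    "198.51.100.3": {"192.0.2.11"},
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries


def suspicious_hosts_entries(text: str, monitored: Set[str] = MONITORED) -> List[Tuple[str, str]]:
    """Any hosts entry for a monitored public domain is suspicious: the file
    should never need to pin such a name, whatever address it points to."""
    return [(ip, n) for ip, n in parse_hosts(text) if n in monitored]


def resolver_consensus(local_answer: Set[str], trusted: Dict[str, Set[str]],
                       min_resolvers: int = 3) -> str:
    """Compare what the client resolved with what trusted resolvers say.
    'insufficient': too few resolvers answered (or no local answer) to judge.
    'consistent':   every local IP was also returned by some trusted resolver.
    'divergent':    the local answer is unknown to all of them; this is the
                    cache-poisoning / hosts-file tampering signal."""
    if len(trusted) < min_resolvers or not local_answer:
        return "insufficient"
    known = set().union(*trusted.values())
    return "consistent" if set(local_answer) <= known else "divergent"


def audit(name: str, hosts_text: str, local_answer: Set[str],
          trusted: Dict[str, Set[str]]) -> List[str]:
    """Collect findings for one name; an empty list means nothing was flagged."""
    findings = []
    for ip, n in suspicious_hosts_entries(hosts_text):
        if n == name:
            findings.append(f"hosts file pins {n} to {ip}")
    verdict = resolver_consensus(local_answer, trusted)
    if verdict != "consistent":
        findings.append(f"resolution of {name} is {verdict}: got {sorted(local_answer)}")
    return findings


if __name__ == "__main__":
    for finding in audit("www.examplebank.com", SAMPLE_HOSTS, {"203.0.113.7"}, SAMPLE_TRUSTED):
        print("WARNING:", finding)
```

Run as a scheduled job on an endpoint it would read the real hosts file (C:\Windows\System32\drivers\etc\hosts or /etc/hosts), resolve each monitored name through the system resolver for `local_answer`, and query three or more known resolvers over the network for `trusted` (for example with dnspython's `dns.resolver.Resolver`, setting its `nameservers` list explicitly). A "divergent" verdict is exactly the signal the NGSEC approach above looks for.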

The government and other organisations have also taken a proactive leadership role in fighting against these intractable social problems. The Anti-Phishing Working Group (APWG) Web site (http://www.antiphishing.org) has information on how to spot Phishing and Pharming attempts and what to do if you are a victim of such a scam. Under “Anti-Phishing Resources” they have posted information about other anti-Phishing organisations, notable articles and government briefings and anti-fraud policies.

The “Anti-Phishing Act Of 2005” (leahy.senate.gov/press/200503/030105.html) tries to protect the integrity of the Internet by, first, criminalising the bait. It makes it illegal to knowingly send out spoofed e-mail that links to sham Web sites with the intention of committing a crime. Second, it criminalises the sham Web sites that are the true scene of both types of crime.

To help prevent Pharming attacks, the FDIC recommends that banks use digital certificates, diligently manage their domain names, monitor for DNS-poisoning and educate consumers to install current versions of virus detection software, firewalls and spyware scanning tools to reduce computer infections.

The following links are provided courtesy of companies who have been victims of Phishing attacks:

  • pages.ebay.com/education/spooftutorial/index.html
  • www.bankofamerica.com/privacy/passmark/
  • www.citibank.com/us/cards/cardserv/advice/safe_email.htm
  • www.paypal.com/cgi-bin/webscr?cmd=xpt/general/SecuritySpoof-outside

The author is the Director of Technology and Research at NEXCEPTS, LLC. He holds an M.S. degree in Computer Science and is currently pursuing a part-time Ph.D. in Information Systems at Rensselaer Polytechnic Institute, Troy, NY. Apart from being CISA and CISSP qualified, he is a member of Sigma Xi, the international honorary scientific research society. He is also listed in Who's Who in Science and Engineering. He can be reached at agoel@nexcepts.com

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.