“Pharming”: when Phishers Evolve and Make Themselves Undetectable

01 August 2006
Summary: With phishing being increasingly well known, scammers are moving to a more obscure, but effective, attack: pharming. Learn how you could be "pharmed", and how to protect yourself.

Introduction

We all know about phishing: “Phishing uses email, instant messages or banner ads to invite consumers to a ‘spoof’ Web site where they are asked to enter their account passwords and other secret data,” explains Bill Rosenkrantz, Group Product Manager for Symantec’s Internet Security solutions. But after years of seemingly unstoppable growth, experts have noticed that phishing attacks are now levelling off. “Consumers are learning to resist phishing attacks”, Rosenkrantz says. Of course, pirates and scammers are not keen to give up their money maker so easily; they have devised a new attack, much harder to spot than phishing: pharming. “Pharming can send people to the spoof site automatically when they think they’re going to a legitimate financial or merchant site”, confirms Bill Rosenkrantz. Pharming, he says, “can be undetectable. It’s not widespread yet, but it’s growing”.

So what exactly is pharming? At its simplest, a pharming attack manipulates the "directions" a computer asks for to find the web site you want, so that it silently goes to a spoofed site instead. The really twisted part is that, once there, it still looks to the user as though they reached the right destination.

Pharming can work in three ways:

1) Local Machine DNS Poisoning

Domain Name System (DNS) software is what translates the domain name you type into the Web site’s actual address on the network (its IP address) – for example, translating www.yourbank.com into 146.04.04.04. Because this has to be done over the network, such a translation can take some time. To speed things up a bit, your PC usually keeps its own copy of the DNS results it obtained for the sites you visited earlier. This is called a "DNS cache". By looking in its cache before initiating an actual network query, your PC routinely saves you time and avoids cluttering the Internet with questions it already knows the answer to.

But such a local DNS cache can also be abused. ID thieves, using Trojan horse code, may try to modify your cache so that when you type in the name of your online bank you are sent to a spoof site made to look exactly like the real one, and inadvertently divulge your ID information when you log in. This works because your PC has no way to know whether an address is in its cache because you visited it before or because some malicious program wrote it there. In either case, the PC will see an entry for your online bank and will happily trust it.

The Trojan programs used in these attacks can be transmitted through email attachments or Web links; the most common method, though, is to implant them when PC users download free material such as screen savers, games or pornography-related programs, like those offering "free" access to dodgy content. Effective and up-to-date virus protection will prevent Trojan horses from penetrating your PC; once such a virus enters an unprotected machine, however, the user will most likely be unaware that it is running.
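A defender-side check for this kind of local override, as an added example that is not part of the article and not Symantec's code: the script below scans the text of a hosts file (the static name-to-address table the local resolver consults before asking the network; the article speaks only of the "DNS cache", so the focus on the hosts file is this example's assumption) and reports every name pinned to a non-loopback address, raising the severity when the name belongs to a site on a watchlist the user cares about. The sample hosts content, the `.example` domain names and the `192.0.2.45` address are constructed for the example.

```python
import ipaddress

# Constructed sample hosts-file content (not taken from any real machine).
# The last two lines are the kind of entry a pharming Trojan would plant: a
# banking domain is pinned to an attacker-controlled address, so the browser
# never asks the network at all.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       dev.internal.example   # local development alias
192.0.2.45      www.yourbank.example
192.0.2.45      yourbank.example secure.yourbank.example
"""

# Names that are legitimately pinned to the loopback address on most systems.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: the resolver would not use it either
        for name in parts[1:]:
            yield ip, name.lower().rstrip(".")


def find_suspicious_entries(text, watchlist=()):
    """Return hosts-file overrides that could silently redirect a user.

    Any name mapped to a non-loopback address is reported, because the hosts
    file is consulted before DNS and such an entry wins without a network
    query. A name on the watchlist (or a subdomain of one) is reported as
    high severity; everything else as medium.
    """
    watch = {w.lower() for w in watchlist}
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or ip.is_loopback:
            continue  # pinning a name to 127.0.0.1 or ::1 cannot send the user elsewhere
        on_watch = name in watch or any(name.endswith("." + w) for w in watch)
        findings.append({
            "name": name,
            "ip": str(ip),
            "severity": "high" if on_watch else "medium",
        })
    return findings


if __name__ == "__main__":
    # On a real machine you would read /etc/hosts or
    # %SystemRoot%\System32\drivers\etc\hosts instead of SAMPLE_HOSTS.
    for f in find_suspicious_entries(SAMPLE_HOSTS, watchlist=["yourbank.example"]):
        print(f"[{f['severity']}] {f['name']} -> {f['ip']}")
```

Run against the sample, the three `yourbank.example` entries are reported as high severity and the loopback aliases are ignored; a medium finding is worth a look too, since a user who never edited the file should not expect any such entry.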

2) Cross-Site Scripting

Local machine DNS poisoning is the most common form of pharming, but hackers have also tried to break into the code of legitimate Web sites. They usually do this to inject a script that then manipulates the site’s visitors. It can be as simple as putting a link on the real site that, when clicked, sends users to the spoof site. Or it can be designed to display a fake browser window over the legitimate site (a pop-over). This fake window may then request ID information, pretending to be a login prompt, an account-problem notice or a survey originating from the legitimate site.

Finally, the attackers may plant a malicious script designed to exploit a browser flaw, infecting visitors' PCs while they surf. This has already happened on several major web sites in recent years. The opportunity to ensnare large numbers of unwitting victims with a single attack makes this tactic inviting, but the difficulty of penetrating highly secure Web sites has kept it relatively rare.
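The site-side defence against the injected link or pop-over described above is to never let untrusted content reach the page as markup. The following is an added example, not code from the article or from any site it mentions: a vulnerable rendering function beside its hardened form, with a constructed comment that tries to smuggle a link to a spoof site into a legitimate page. The template, the comment text and the `yourbank-secure.example` name are all made up for the example.

```python
import html

# Constructed sample of user-supplied content (not real site data). The second
# "comment" is the kind of payload that turns a legitimate page into a pharming
# lure: a link to a spoof site dressed up as a session notice.
SAMPLE_COMMENTS = [
    "Great rates this month!",
    '<a href="https://login.yourbank-secure.example">Your session expired, log in again</a>',
]

# Minimal page fragment that a comment is rendered into (constructed).
PAGE_TEMPLATE = '<p class="comment">{body}</p>'


def render_comment_unsafe(text):
    """Vulnerable: untrusted text is spliced straight into the page markup,
    so any tag it contains becomes part of the legitimate site."""
    return PAGE_TEMPLATE.format(body=text)


def render_comment_safe(text):
    """Hardened: every HTML-significant character is escaped first.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    browser shows the comment as text instead of parsing it as markup.
    """
    return PAGE_TEMPLATE.format(body=html.escape(text, quote=True))


def contains_markup(rendered, body_open='<p class="comment">', body_close="</p>"):
    """True if the rendered comment body still holds a tag the browser would act on."""
    start = rendered.index(body_open) + len(body_open)
    end = rendered.rindex(body_close)
    return "<" in rendered[start:end]


if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        unsafe, safe = render_comment_unsafe(comment), render_comment_safe(comment)
        print("unsafe:", unsafe, "| markup injected:", contains_markup(unsafe))
        print("safe:  ", safe, "| markup injected:", contains_markup(safe))
```

Escaping at output time is the baseline; a site that also needs rich formatting would pair it with an allow-list HTML sanitizer rather than relaxing the escape.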

3) Server-Based DNS Poisoning

Just as your desktop PC tries to play it smart by memorizing your DNS queries, the server at your Internet Service Provider also maintains a cache of common DNS translations. To them, a cache is more than a convenience: it's a way of life. When all the subscribers of a major ISP want to reach the same sports news web site right after a major event, the DNS server saves a lot of time by already knowing what to answer them. In recent months, thieves have attempted to “poison” these caches, so that users who type in a correct URL are sent to an illegitimate site that appears to be the real one. These sites may ask the user to log in and thus reveal ID information, or they may download ID-stealing spyware or Trojan horse viruses to the user’s PC.

Your ISP’s servers are highly secure, and DNS poisoning at this level is the most difficult form of pharming to accomplish, and the least prevalent. Nonetheless, it represents the best opportunity for pharmers to harvest a lot of identities in a single attack, so it’s a threat that ISPs and the network security industry will continue to focus on. Because ISP DNS servers are well protected, hackers have already started to turn to smaller, less protected DNS servers belonging to companies. In recent years, several companies have had their DNS servers hacked and poisoned. Those attacks were not very sophisticated: whatever URL they typed, users were directed to a pharmacy web site advertising popular drugs. With a little more "finesse" from the hackers, those incidents could have been much worse.

Yet another form of DNS manipulation, known as “Wild Card DNS Poisoning,” uses conventional phishing lures to ask consumers to visit a Web site with a URL that appears legitimate. (See accompanying article.) This kind of scam, unlike pharming, is easy to detect and avoid, Rosenkrantz says: “Simply NEVER respond to an email, instant message, banner ad or pop-up request to visit a Web site and/or provide ID information”.

Stay on Guard and Stay Safe

“As with all forms of potential identity theft,” Rosenkrantz says, “the most important thing to do is take common-sense precautions and check your monthly bank and credit card statements each month for any suspect transactions. In most cases you’ll be fully reimbursed for any loss as long as you report it promptly”.

Rosenkrantz recommends the following precautions to take against pharming:

• Check the URL of any site that asks you to provide ID information. Make sure your session begins at the known authentic address of the site, with no additional characters appended to it.

• Maintain effective, up-to-date virus protection.

• Use a trusted, legitimate Internet Service Provider. Rigorous security at the ISP level is your first line of defense against pharming.

• Check the certificate. It takes just a few seconds to tell if a site you land on is legitimate. On the latest version of Internet Explorer and on many other commonly available Web browsers, go to “File” in the main menu and select “Properties,” or right-click anywhere on the browser screen and, from the menu that pops up, click on “Properties.” When the “Properties” box pops up, click on “Certificates” and see whether the site carries a secure certificate issued to its legitimate owner, and whether it is still valid.

• If you need to access a sensitive web site, never click directly on a link found in an email or on a web page. Always do a cut & paste of the text of that link in a new browser window, or use your bookmarks.
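What the "Check the certificate" step above actually verifies can be made explicit in code. The following is an added example, not part of the article and not Symantec's or any browser's code: it takes a certificate in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns and answers the two questions the article poses, whether the certificate is still valid and whether it was issued to the site the user meant to visit (Subject Alternative Name entries first, falling back to the subject's commonName only when no DNS SAN is present, with a wildcard allowed to cover exactly one label). The sample certificate, its dates, issuer and `yourbank.example` names are constructed; `fetch_peer_cert()` shows the live lookup for a real host and needs network access, so it is not run here.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed certificate in the dict shape getpeercert() returns; the names,
# dates and issuer are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.yourbank.example"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 23:59:59 2026 GMT",
    "subjectAltName": (
        ("DNS", "www.yourbank.example"),
        ("DNS", "*.yourbank.example"),
    ),
}


def epoch(year, month, day):
    """Seconds since the Unix epoch for midnight UTC on the given date."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


def cert_dns_names(cert):
    """Names the certificate is issued to: DNS SAN entries win; the subject's
    commonName is consulted only when the certificate carries no DNS SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; a leading '*.' matches exactly one DNS label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same label count (the wildcard covers one label only) and at least two
    # fixed labels after it, so "*.example" can never match a whole TLD.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, host):
    return any(name_matches(name, host) for name in cert_dns_names(cert))


def check_certificate(cert, expected_host, now):
    """Return a list of problems; empty means the certificate is currently
    valid and issued to the host the user intended to visit."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not hostname_matches(cert, expected_host):
        problems.append(f"issued to {', '.join(cert_dns_names(cert))}, not to {expected_host}")
    return problems


def fetch_peer_cert(host, port=443, timeout=5):
    """Live variant (needs network): fetch the certificate a server presents.

    create_default_context() already verifies the chain and hostname during
    the handshake and raises on failure; the returned dict can then be passed
    to check_certificate() to show a user what was checked and why it passed.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in ("www.yourbank.example", "login.yourbank.example",
                 "www.yourbank.example.attacker.example"):
        problems = check_certificate(SAMPLE_CERT, host, epoch(2025, 6, 1))
        print(host, "->", "OK" if not problems else "; ".join(problems))
```

The third host in the demonstration is the look-alike case the article's URL advice warns about: the real site's name appears at the start of the address, but the certificate's names do not cover it, so the check fails even though the page may look identical.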