In Depth
After Phishing? Pharming!
Security experts are concerned about pharming, a technically sophisticated DNS-based attack
By Bob Violino
October 01, 2005 — CSO — The Holy Grail of security is to get ahead of the next attack. While you may never achieve this state entirely (grail quests being notoriously frustrating), it's the CSO's job to keep trying.
And that brings us to the emerging threat called pharming. Like phishing, pharming aims to gather personal information from unsuspecting victims; the difference is that pharming doesn't rely on e-mail solicitation to ensnare its victims. Instead, this attack method essentially tinkers with the road maps that computers use to navigate the Web, such that large numbers of users can wind up giving personal data to a bogus site even if they've typed in a legitimate URL.
Pharming is technically harder to accomplish than phishing, but also sneakier because it can be done without any active mistake on the part of the victim. Documented pharming attacks are rare, but security experts say CSOs should be preparing defenses and educating users, many of whom are under the mistaken impression that as long as they avoid clicking on phishing e-mails, they're completely safe.
Pick Your Poison
Pharming isn't completely new. It combines a mix of mainstream threats such as viruses and spyware, plus more esoteric stuff such as domain spoofing and DNS poisoning. In one scenario, a user receives some kind of malware (virus, worm, Trojan or spyware) that rewrites the local hosts file, which maps host names to the numeric IP addresses that computers use to find and access websites. Then, for example, when the user types a legitimate bank's URL into the browser window, the computer is misdirected to a bogus but authentic-looking website of the same sort that might be used in a phishing attack. In another scenario, a hacker poisons a more public DNS directory cache (at an ISP, for instance), again leading unsuspecting Internet users to phony sites. (For more on this, see "How DNS Poisoning Works," Page 46.) In either case, potentially large numbers of users are drawn to the fraudulent sites or proxy servers (a computer that sits between the user and the real server and captures information as it passes through), where criminals can track activity and gather credit card data and personal identification numbers.
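The first scenario above works because the local hosts file is consulted before DNS, so a single rewritten line can silently redirect a legitimate URL. As an added example (not from the article, and not any vendor's tool), the following Python script parses a hosts file and flags lines that override a domain on a watch-list, or that pin any other public-looking name to a non-local address. The sample file contents, the `examplebank.example` watch-list entry and the addresses are all constructed; the hosts-file format itself (address, whitespace, one or more names, optional `#` comment) is the real one.

```python
"""Audit a hosts file for lines that could redirect users to a look-alike site.

Added example for the article's hosts-file pharming scenario. The sample file
and the watch-list below are constructed; point audit_hosts() at the real file
(/etc/hosts on Unix-like systems, %SystemRoot%\\System32\\drivers\\etc\\hosts
on Windows) to check a live machine.
"""
from __future__ import annotations

import ipaddress
from typing import NamedTuple


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    names: tuple  # host names on the line, lower-cased


class Finding(NamedTuple):
    line_no: int
    ip: str
    name: str
    severity: str  # "high" for a watched domain, "review" otherwise
    reason: str


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts-file text into entries, ignoring blank and comment lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no names
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip rather than guess
        entries.append(HostsEntry(line_no, fields[0], tuple(n.lower() for n in fields[1:])))
    return entries


def is_local_target(ip: str) -> bool:
    """Loopback, link-local and unspecified addresses are the normal targets
    of stock hosts-file lines (localhost, ip6-localhost, ip6-allnodes, ...)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_link_local or addr.is_unspecified


def matches_watchlist(name: str, watchlist) -> bool:
    """True if name is a watched domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def audit_hosts(text: str, watchlist) -> list[Finding]:
    """Return findings for every non-local mapping that deserves attention.

    A watched domain mapped anywhere but a local address is 'high': nothing in a
    hosts file should override a bank's name. Any other dotted name mapped to a
    non-local address is 'review': intranet aliases are common and legitimate,
    but they are exactly where a pharming entry would hide.
    """
    findings = []
    for entry in parse_hosts(text):
        if is_local_target(entry.ip):
            continue
        for name in entry.names:
            if matches_watchlist(name, watchlist):
                findings.append(Finding(entry.line_no, entry.ip, name, "high",
                                        "watched domain overridden in hosts file"))
            elif "." in name:
                findings.append(Finding(entry.line_no, entry.ip, name, "review",
                                        "public-looking name pinned to a non-local address"))
    return findings


# Constructed sample hosts file (not a real capture). Addresses come from the
# RFC 5737 documentation ranges and the reserved .example TLD.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             ip6-localhost ip6-loopback
192.168.10.20   wiki.corp.example
203.0.113.45    www.examplebank.example login.examplebank.example
198.51.100.7    examplebank.example
"""

# Constructed watch-list: the domains users of this machine are known to log in to.
WATCHLIST = ("examplebank.example",)


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {f.line_no}: [{f.severity}] {f.name} -> {f.ip}  ({f.reason})")
```

In practice the watch-list would hold the financial and single-sign-on domains the organisation cares about, and the script would run from an endpoint-management job against the real hosts file, alerting on any `high` finding and reporting `review` entries for a human to confirm. The check reads the file rather than resolving names, since a poisoned resolver or an upstream cache (the article's second scenario) would not be visible from the hosts file alone.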
So far, publicized pharming attacks have been relatively few. In March, The SANS Institute's Internet Storm Center reported a DNS poisoning incident in which users were redirected to several malicious Web servers that tried to install spyware on their computers. Late 2004 saw the circulation of a worm called Troj/Banker-AJ, which looked for users visiting bank sites and redirected them to other sites operated by pharmers.