In Depth

After Phishing? Pharming!

Security experts are concerned about pharming, a technically sophisticated DNS-based attack

By Bob Violino


Members of TECF, which was formed in June 2004 and includes companies from the retail, financial services, health-care and technology industries, have had discussions about pharming and will continue to monitor activities, Eldridge says. None of the companies in the group is known to have been victimized by pharming, he says. Nevertheless, he agrees that pharming is something every security professional should at least be aware of.

What to Do

Just as pharming combines a variety of attack methods, stopping it requires a mélange of defenses, both technical and procedural. In HealthSouth's case, these measures include antivirus programs, desktop firewalls with spyware filters, intrusion prevention software, and logging and auditing software customized to look for particular events such as spikes in DNS traffic (which could signify employees being misdirected en masse) or spikes in e-mail traffic from a single user. The company sets firewall rules to ensure that e-mail can't be sent out unless it's originating from designated mail servers, so employee computers can't be used for trojan- or e-mail-disseminating purposes. "It isn't one solution; it's all of these used together," says Ray (who left the company before publication of this article). "Our incident response team is aware of pharming, and we communicate to everyone about threats and things people should look out for, such as giving out passwords."
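The log check described above can be sketched as follows. This is an added example, not code from the article or from HealthSouth's tooling: it flags minutes in which DNS query volume jumps and users whose outbound mail count jumps. The event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import Counter
from statistics import median

def build_sample():
    """Constructed sample events as (minute, kind, source); not real log data."""
    events = []
    for minute in range(10):
        # Baseline: 20 DNS queries per minute across 5 hosts, 1 mail per user.
        events += [(minute, "dns", f"host{i % 5}") for i in range(20)]
        events += [(minute, "mail", user) for user in ("alice", "bob", "carol")]
    # Burst of DNS lookups in minute 9 (many clients resolving at once).
    events += [(9, "dns", f"host{i % 5}") for i in range(180)]
    # One user sending 60 extra messages in minute 7.
    events += [(7, "mail", "bob")] * 60
    return events

def spikes(series, factor=5.0, floor=10):
    """Return keys whose count exceeds max(factor * median, floor).

    The median is used as the baseline so that the spike itself
    does not drag the baseline upward the way a mean would.
    """
    if not series:
        return []
    limit = max(median(series.values()) * factor, floor)
    return sorted(key for key, count in series.items() if count > limit)

def dns_spike_minutes(events):
    """Minutes whose total DNS query count is far above the usual level."""
    per_minute = Counter(m for m, kind, _ in events if kind == "dns")
    return spikes(per_minute)

def mail_spike_users(events):
    """(minute, user) pairs where a single user's mail volume spikes."""
    per_user = Counter((m, src) for m, kind, src in events if kind == "mail")
    return spikes(per_user)

if __name__ == "__main__":
    sample = build_sample()
    print("DNS spike minutes:", dns_spike_minutes(sample))
    print("Mail spike (minute, user):", mail_spike_users(sample))
```

In production the same comparison would run over resolver and mail-gateway logs, with the factor and floor tuned against the site's own normal traffic.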

Pat Lefemine, CISO at Lincoln Financial Group, says his security staff has controls on DNS servers in place to prevent its website users from inadvertently participating in a pharming attack. That includes host-based intrusion detection systems deployed on all the servers. Lincoln Financial also uses configuration management tools and antivirus software, Lefemine says.

"This threat has been around for a long time with DNS poisoning, but with the growth of e-commerce there's more reason for someone malicious to go after DNS," Lefemine says.

Pemco, an IT service provider and credit card transaction processor to credit unions, an insurance company and several community banks, takes the pharming threat seriously, says CSO Kip Boyle. "In every case where we host or support customer sites, websites that contain sensitive information or customer data, we currently utilize SSL certificates for server-side authentication and to help provide encryption for Web sessions. Inbound traffic to those sites is restricted to SSL only." Still, he says, "the fact that end users don't really know how to use SSL certificates to authenticate servers is a real concern. If they don't pay attention to this information, then they could still be pharmed." Boyle says an effective way to educate customers is through paper notices, such as mailing an informational flier with bank statements.
