After Phishing? Pharming!

The Holy Grail of security is to get ahead of the next attack. While you may never achieve this state entirely (grail quests being notoriously frustrating), it’s the CSO’s job to keep trying.

And that brings us to the emerging threat called pharming. Like phishing, pharming aims to gather personal information from unsuspecting victims; the difference is that pharming doesn’t rely on e-mail solicitation to ensnare its victims. Instead, this attack method essentially tinkers with the road maps that computers use to navigate the Web, such that large numbers of users can wind up giving personal data to a bogus site even if they’ve typed in a legitimate URL.

Pharming is technically harder to accomplish than phishing, but also sneakier because it can be done without any active mistake on the part of the victim. Documented pharming attacks are rare, but security experts say CSOs should be preparing defenses and educating users, many of whom are under the mistaken impression that as long as they avoid clicking on phishing e-mails, they’re completely safe.

Pick Your Poison

Pharming isn’t completely new. It combines a mix of mainstream threats such as viruses and spyware, plus more esoteric stuff such as domain spoofing and DNS poisoning. In one scenario, a user receives some kind of malware (virus, worm, Trojan or spyware) that rewrites local host fileswhich convert URLs into the number strings that computers use to find and access websites. Then, for example, when the user types a legitimate bank’s URL into the browser window, the computer is misdirected to a bogus but authentic-looking website of the same sort that might be used in a phishing attack. In another scenario, a hacker poisons a more public DNS directory cache (at an ISP, for instance), again leading unsuspecting Internet users to phony sites. (For more on this, see “How DNS Poisoning Works,” Page 46.) In either case, potentially large numbers of users are drawn to the fraudulent sites or proxy servers (a computer that sits between the user and the real server and captures information as it passes through), where criminals can track activity and gather credit card data and personal identification numbers.

So far, publicized pharming attacks have been relatively few. In March, The SANS Institute’s Internet Storm Center reported a DNS poisoning incident in which users were redirected to several malicious Web servers that tried to install spyware on their computers. Late 2004 saw the circulation of a worm called Troj/Banker-AJ, which looked for users visiting bank sites and redirected them to other sites operated by pharmers.

Some security managers and industry analysts are concerned that pharming incidents could cause serious damage if ignored. They say the growing popularity of online banking and electronic bill payment means there’s ever-greater potential for the theft of sensitive customer information. And even if your company feels secure, weak links elsewhere can endanger the chain of commerce. “As a health-care provider,” says Chris Ray, former director of information security at HealthSouth, “we deal with insurance companies, payers and many outside business partners. If one of these entities became a victim of pharming, and that reveals log-on information to their site where our patient information is stored, we would have concerns about that.”

The Anti-Phishing Working Group (which includes financial services firms, law enforcement officials, technology vendors and ISPs) is tracking instances of pharming, says Chairman Dave Jevans. Members are discussing what users and vendors need to do, including adopting standards such as DNSSEC, the security extensions for DNS under development by the Internet Engineering Task Force.

Degree of Difficulty

Jevans says he’s aware of several unreported pharming attacks since December 2004. One involved malware or “crimeware” modifying the host files on users’ operating systems and directing them to bogus bank websites. Another involved DNS poisoning by hackers. The Anti-Phishing Working Group learned of these incidents through member complaints about websites not working correctly, as well as a notification from a financial institution. But it’s difficult to say if pharming attacks are rising, Jevans says, because not muchif anyresearch has been published. Still, “everything we have seen in the areas of hacking and online fraud and identity theft is going upward,” he says. “There’s increasing technical sophistication, so the chances of [pharming] getting worse are likely.

“But,” Jevans adds, “the thing about pharming is it’s technically difficult to do.”

To execute a phishing attack, a hacker needs to be able to create a plausible URL, a decent webpage and an e-mail message. This is not hard. Pharming, on the other hand, requires knowledge of how to manipulate DNS caches or gain access to someone’s computer files or servers to change settings. This technical difficulty makes pharming less of a threat than phishing, says Shawn Eldridge, chairman of the Trusted Electronic Communications Forum (TECF, a consortium looking at ways companies can protect consumers from scams such as phishing, spoofing and identity fraud). “Not only is there a proficiency level required, but something like DNS poisoning is difficult to pull off,” Eldridge says. “There have been a couple of instances, but they’ve been fairly minor.”

Members of TECF, which was formed in June 2004 and includes companies from the retail, financial services, health-care and technology industries, have had discussions about pharming and will continue to monitor activities, Eldridge says. None of the companies in the group is known to have been victimized by pharming, he says. Nevertheless, he agrees that pharming is something every security professional should at least be aware of.

What to Do

Just as pharming combines a variety of attack methods, stopping it requires a mélange of defenses, both technical and procedural. In HealthSouth’s case, these measures include antivirus programs, desktop firewalls with spyware filters, intrusion prevention software, and logging and auditing software customized to look for particular events such as spikes in DNS traffic (which could signify employees being misdirected en masse) or spikes in e-mail traffic from a single user. The company sets firewall rules to ensure that e-mail can’t be sent out unless it’s originating from designated mail servers, so employee computers can’t be used for trojan- or e-mail-disseminating purposes. “It isn’t one solution; it’s all of these used together,” says Ray (who left the company before publication of this article). “Our incident response team is aware of pharming, and we communicate to everyone about threats and things people should look out for, such as giving out passwords.”

Pat Lefemine, CISO at Lincoln Financial Group, says his security staff has controls on DNS servers in place to prevent its website users from inadvertently participating in a pharming attack. That includes host-based intrusion detection systems deployed on all the servers. Lincoln Financial also uses configuration management tools and antivirus software, Lefemine says.

“This threat has been around for a long time with DNS poisoning, but with the growth of e-commerce there’s more reason for someone malicious to go after DNS,” Lefemine says.

Pemco, an IT service provider and credit card transaction processor to credit unions, an insurance company and several community banks, takes the pharming threat seriously, says CSO Kip Boyle. “In every case where we host or support customer sites, websites that contain sensitive information or customer data, we currently utilize SSL certificates for server-side authentication and to help provide encryption for Web sessions. Inbound traffic to those sites is restricted to SSL only.” Still, he says, “the fact that end users don’t really know how to use SSL certificates to authenticate servers is a real concern. If they don’t pay attention to this information, then they could still be pharmed.” Boyle says an effective way to educate customers is through paper notices, such as mailing an informational flier with bank statements.

Since pharming is largely a DNS poisoning problem, Boyle says, “the more likely solution would probably be found in antispoofing controls in the Internet’s infrastructure.” Innovative forms of strong authentication for users may also help. “If you can challenge a user to supply an additional piece of data based upon a user-selected question, which a pharmer would not know about, then you could help a user determine whether a pharming site was real or false,” he says.

Pemco outsources DNS management to a large ISP, Boyle says. “I expect them to be proactive about dealing with DNS poisoning and domain spoofing as an infrastructure problem,” he says. “The same goes for Internet registries [such as VeriSign and Network Solutions]. More controls are needed to prevent domain hijacking.”

Although pharming attacks are still fairly infrequent, experts say security vendors and Internet service providers should take steps now to thwart attacks. Some ISP registrars are pushing for adoption of the DNSSEC standard to make the Internet more secure, says Jevans. He expects browser manufacturers and other developers to look for ways to tell end users more about the sites they’re connecting to.

All of which suggests that pharming is everybody’s problem to solve. It’s clear that guarding against pharming attacks will require more than technology, says Ray. “I’m sure vendors will offer products to protect you from this, but the best thing you can do is put in place practices and procedures to safeguard your DNS servers and implementation. You also must educate users over and over again, since this affects their personal lives as well as potentially exposing sensitive company information,” he says. “All of [this] combined with solid technical solutions and good communication between the IT and business departments will help to raise the bar quite a bit in regards to security protection. It may not protect you 100 percentas nothing willbut it will help everyone in the long run.”