Pharming

Pharming is one of the newer attack methods and has grown in popularity over the past few years. Its rise may be linked to the increased availability of high-speed DSL and other always-on home connections, which make it practical to host a bogus site from a home machine, though such attacks could just as easily be run from commercial hosting services.

Pharming is an extension of phishing, designed to remove one of the primary weaknesses of a phishing attack. A conventional phishing attack involves making an up-to-date copy of a legitimate e-commerce site (bank, brokerage, retailer, etc.) and hosting it on some other machine. The hope is that users will click the links in the phishing e-mail, visit the bogus site, and enter personally identifying data. That data is captured by the phisher, who then uses it to loot the hapless victim's accounts or commit identity theft.

The weakness in such an attack is that the IP address and host name of the phishing site differ from the legitimate one: a link in the message may display "www.bankofamerica.com" as its text, but its real destination has to be somewhere else. Alert users who inspect that destination, as well as security-conscious e-mail software, will be tipped off that the message and its embedded links are false and will not take the bait. Pharming attempts to eliminate this weakness by tampering with the name-to-address resolution mechanism, the Domain Name System (DNS) and the local hosts file that is consulted ahead of it. This allows the impostor to embed the genuine host name in links while still routing users to a bogus location. Such address-related attacks generally take one of two forms:
  1. The phisher uses hacking techniques or malware of some type to change the hosts file on individual computers (/etc/hosts on Unix-like systems, C:\Windows\System32\drivers\etc\hosts on Windows). Since this file is consulted before DNS when translating a host name into an IP address, an entry in it overrides DNS and directs the user to the pharming system. So while the user sees a legitimate Bank of America host name and URL in the address bar, the traffic from their machine is going to a bogus IP address.

  2. Alternatively, a technique known as "DNS poisoning" (more precisely, DNS cache poisoning) is used. This requires the phisher to inject false name-to-IP-address records into an ISP's recursive DNS servers, but it affects a much wider group, since every user of the poisoned servers who tries to reach the targeted site will be sent to the illegal copy for as long as the bogus record stays cached.
These techniques remove the need even to send a phishing message, since it is practically guaranteed that the user population of any reasonably sized ISP will include at least a few customers of a given bank or brokerage. From a nuts-and-bolts standpoint, it works like this (note: all IP addresses and names in the following example are fictional).
  • The targeted bank, "Fred's Bank" of Columbus, OH, owns the freds-bank.com domain and operates http://www.freds-bank.com. This host name resolves to the legitimate IP address 111.22.33.111.

  • The phisher copies the whole Fred's Bank site to his own machine and sets up a fake pharming site at IP address 222.33.44.222. All data submitted in forms on this site is recorded to a database on the pharming system for later identity theft.

  • Next, the phisher attacks the DNS server of a large ISP in the Columbus area. He manages to alter the cached record so that requests for www.freds-bank.com are answered not with 111.22.33.111 but with his own 222.33.44.222. He also compromises individual machines and edits their hosts files to point www.freds-bank.com at the same 222.33.44.222 address. He then sits back and waits for stolen ID information to accumulate in his local database.
The worst thing about pharming is that it bypasses the safeguards that depend on inspecting the host name: the user sees the real URL, and link filters in mail software see nothing wrong. It does not defeat everything, however. The bogus server cannot normally obtain a valid TLS certificate for www.freds-bank.com, so a user who insists on an https:// connection and heeds the browser's certificate warning is still protected; an unexpected entry in the hosts file, or a resolver answer that disagrees with an independent DNS server, is also a detectable sign of tampering. Happily I've yet to see any examples where victims have actually lost money due to such an attack, but I'm sure this will change over time.
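As an added example (not code from this page), the following Python script checks for both forms of tampering described above: a hosts-file entry that pins a public host name, and a local resolver answer that disagrees with an independent server. The watch list, the sample hosts file and the two sets of resolver answers are constructed inline so the script runs offline; the names and addresses are the article's fictional ones, and the function and variable names are my own.

```python
"""Check for the two pharming techniques described in the article:
a hosts-file override and a poisoned resolver answer.
Added example; the sample inputs below are constructed, not captured."""
import ipaddress
import socket

# Names whose resolution we want to keep honest. Assumption: in real use
# this list would come from a config file rather than a constant.
WATCHED_NAMES = {"www.freds-bank.com"}

# Constructed hosts file. The loopback lines are normal; the last line is
# the kind of entry a pharming trojan adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# added by "update"
222.33.44.222   www.freds-bank.com freds-bank.com
"""


def parse_hosts(text):
    """Return {hostname: ip} for every name mapped in a hosts file.
    '#' comments and blank lines are skipped, one line may map several
    names to one address, and names are compared case-insensitively."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address; ignore the line
        for name in fields[1:]:
            mapping[name.lower()] = ip
    return mapping


def hosts_overrides(mapping, watched=WATCHED_NAMES):
    """Flag hosts-file entries that should not be there.
    Any mapping of a watched name is suspicious, because such names are
    meant to resolve through DNS. Other names mapped to loopback, private
    or link-local addresses are tolerated (developers do that); a public
    address for any other name is reported as well."""
    findings = []
    for name, ip in mapping.items():
        addr = ipaddress.ip_address(ip)
        if name in watched:
            findings.append((name, ip, "watched name pinned in hosts file"))
        elif not (addr.is_loopback or addr.is_private or addr.is_link_local):
            findings.append((name, ip, "public address in hosts file"))
    return findings


def system_answers(name):
    """Addresses the local machine's resolver path (hosts file, then the
    configured DNS server) returns for a name. Network access required;
    not used by the offline demonstration below."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def resolver_disagreements(local_answers, reference_answers):
    """Compare the address set the local (possibly poisoned) resolver gave
    for each name with the set from an independent resolver. Both
    arguments map name -> set of address strings. A name is flagged only
    when the reference resolver also answered it and the sets differ."""
    flagged = []
    for name, local in local_answers.items():
        reference = reference_answers.get(name)
        if reference is not None and local != reference:
            flagged.append((name, sorted(local), sorted(reference)))
    return flagged


if __name__ == "__main__":
    for name, ip, reason in hosts_overrides(parse_hosts(SAMPLE_HOSTS)):
        print(f"hosts file: {name} -> {ip} ({reason})")
    # Constructed answers: the ISP resolver has been poisoned, the
    # independent one has not.
    local = {"www.freds-bank.com": {"222.33.44.222"}}
    reference = {"www.freds-bank.com": {"111.22.33.111"}}
    for name, got, expected in resolver_disagreements(local, reference):
        print(f"resolver: {name} -> {got}, independent resolver says {expected}")
```

The hosts-file check needs only read access to the file, so it can run as a scheduled task on a user's machine. For the resolver comparison, the local side can come from `system_answers`; the reference side has to be a query sent to a specific server that the ISP's resolver was not involved in (for example the output of `dig @<server> www.freds-bank.com`), which the standard library cannot do on its own, so the script takes those answers as input. A disagreement is not proof of poisoning (sites that use multiple addresses or geographic load balancing answer differently from different places), so treat a hit as a reason to investigate rather than a verdict.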
Copyright © 2006, 2007 Tuneupadvisor.com. All rights reserved.