Pharming Attacks Outwit Even Savvy Surfers
Mar 30, 2005 5:00 AM PT
Hackers possess two admirable traits: persistence and ingenuity. These attributes have unfortunately led to a phenomenon known as "pharming," the latest in a never-ending series of insidious attacks.
This new threat packages a number of established attack methods, such as phishing, viruses, spyware, and Domain Name Service (DNS) redirection, in a new manner with the goal of perpetrating identity theft.
"Since pharming can be lucrative, a number of criminals are quite interested in it," said Shawn Eldridge, chairman of the Trusted Electronic Communications Forum (TECF), a vendor consortium examining ways for companies to protect consumers from various online scams.
Pharming can be lucrative because it can fool even fairly savvy computer users. The attack starts when hackers take advantage of the ever-growing number of peer-to-peer applications to help spyware, a Trojan horse, or a virus slip past a computer's defenses and lodge itself in the background of a user's PC.
The malicious code locates the hosts file in the computer's operating system and adds an entry that maps the domain name of a bank or credit card company to the IP address of a criminal's Web site, one designed to look like the legitimate site. When the user types the bank's or credit card company's URL into his or her Web browser, the operating system finds the name in the hosts file and never performs the usual lookup in the DNS (basically the Internet's white pages); the browser is sent to the bogus destination instead.
Unless he or she is paying close attention, the user does not notice the change, arrives at the fraudulent Web site, and enters personal data, like credit card numbers, bank account information, or Social Security numbers. Most people feel comfortable entering such personal information because they have gone to these Web sites in the past without any problem.
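As an added illustration (not part of the original article), the following Python mimics the resolver order described above, where a hosts-file entry wins and DNS is never consulted, and flags hosts-file entries that pin a protected brand's domain to a non-local address. The protected-domain list, the addresses and the hosts-file contents are constructed sample data.

```python
import ipaddress

# Constructed watchlist of domains an end-user PC should never override locally;
# a real deployment would load its own list of protected brands.
PROTECTED_DOMAINS = {"examplebank.test", "examplecard.test"}

# Constructed hosts-file contents: normal entries plus tampered ones.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example.test        # ad-blocking entry, harmless
192.0.2.44  www.examplebank.test    # tampered: bank name pinned to attacker IP
192.0.2.44  login.examplecard.test  secure.examplecard.test
10.0.0.5    intranet.example.test   # legitimate internal override
"""

def parse_hosts(text):
    """Return (lineno, ip, hostname) triples, skipping comments and blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a hosts entry
        for host in fields[1:]:
            entries.append((lineno, ip, host.lower().rstrip(".")))
    return entries

def hosts_override(text, hostname):
    """Mimic resolver order: a matching hosts entry wins and DNS is never asked.
    Returns the pinned address, or None when the lookup would go to DNS."""
    for _, ip, host in parse_hosts(text):
        if host == hostname.lower().rstrip("."):
            return str(ip)
    return None

def find_suspicious_entries(text, protected=PROTECTED_DOMAINS):
    """Flag entries that pin a name to anything other than a local address;
    protected brand names get 'high' severity, everything else 'review'."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost and 0.0.0.0 blocklist entries are expected
        hit = any(host == d or host.endswith("." + d) for d in protected)
        findings.append({"line": lineno, "host": host, "ip": str(ip),
                         "severity": "high" if hit else "review"})
    return findings
```

Running `find_suspicious_entries(SAMPLE_HOSTS)` reports the three brand names pinned to 192.0.2.44 as high severity and the intranet override for review; `hosts_override(SAMPLE_HOSTS, "www.examplebank.test")` returns the attacker address without any DNS query being made.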
As far as they can tell, nothing out of the ordinary has occurred, but they have given personal information to criminals who are now in a position to steal their identity. Unfortunately, as they have honed their craft, pharmers have improved their lures.
"The first pharming sites were relatively easy to spot: they were filled with typos, grammatical errors and skewed URLs," noted Richi Jennings, leader of the anti-spam practice at Ferris Research Inc., an e-mail market research firm. "Recently, the attacks have become more difficult to discern because the fraudulent sites more closely resemble legitimate Web sites."
Successful pharming attacks have taken place. The Troj Banker A/j worm, seen near the end of 2004, watched for users visiting banking sites and redirected them to bogus locations run by pharmers. Other attacks were less threatening. In November 2004, Google Inc. and Amazon.com Inc. users were sent to Med Network Inc., an online pharmacy. In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops."
"There have been a few instances where hackers have taken over search engines and redirected unsuspecting users to fraudulent Web sites," said Paul Luehr, vice president and deputy general counsel at Stroz Friedberg, LLC, a consulting firm specializing in computer security.
Pharming has been viewed as the natural follow-on to phishing, an approach where hackers send users e-mail messages, such as "You need to update your account," and then whisk them away to bogus sites where the users inadvertently hand over personal data. As users become more aware of phishing and vendors enhance their defense mechanisms against it, hackers look for another attack mechanism and pharming seems like a viable option.
But there are a few differences in the two approaches. "Pharming seems to be a more methodical attack than phishing," TECF's Eldridge told TechNewsWorld. "With pharming, a hacker sends out his work and then waits for the user to enter the link and end up in the wrong site. With phishing, the results tend to be seen fairly quickly."
As a result, he thinks that two different groups of individuals are conducting the two attacks.
Regardless of who is launching the attacks, companies and end users want to take steps to limit their exposure to them, so vendors have been developing products specifically for this purpose. Anonymizer Inc. developed software that creates an encrypted path between a computer and a Web site to shield users from spyware. The product protects users against hosts file pharming attacks by intercepting all browser requests and returning the page information to the end user before the connection is made.
Enhancing a user's browser could also help to thwart attackers. Netcraft Inc. offers a browser plug-in that displays geographic information about the site being visited. If a user notices that a mortgage company's site is being supported by a server somewhere in Eastern Europe, he or she can assume the site is illegitimate. Another approach is enhancing browsers so they authenticate the identity of a particular Web site via the public DNS system, an approach that is gaining traction as users try to verify email transactions.
In addition to technical advances, companies are adding a few more steps to their authentication processes. Financial institutions have been experimenting with multi-factor authentication, where a transaction is not completed until a user calls back and confirms that he or she did in fact move money from an account. In some cases, banks rely on Simple Message Services and wireless handsets to notify users that money has been transferred from their bank accounts or items added to their credit cards.
As the new defense mechanisms take hold, hackers work on new attack schemes. "Unfortunately, cybercrime presents an ongoing arms race: as soon as defenses arrive to stop attacks, criminals attempt to perfect new attack mechanisms," Stroz Friedberg's Luehr told TechNewsWorld.