Pharming

Last updated

Pharming [lower-alpha 1] is a cyberattack intended to redirect a website's traffic to another, fake site by installing a malicious program on the victim's computer in order to gain access to it.[ citation needed ] Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real IP addresses. Compromised DNS servers are sometimes referred to as "poisoned". Pharming requires unprotected access to target a computer, such as altering a customer's home computer, rather than a corporate business server.[ citation needed ]

Contents

The term "pharming" is a neologism based on the words "farming" and "phishing". Phishing is a type of social-engineering attack to obtain access credentials, such as user names and passwords. In recent years, both pharming and phishing have been used to gain information for online identity theft. Pharming has become of major concern to businesses hosting ecommerce and online banking websites. Sophisticated measures known as anti-pharming are required to protect against this serious threat. Antivirus software and spyware removal software cannot protect against pharming.

Pharming vulnerability at home and work

While malicious domain-name resolution can result from compromises in the large numbers of trusted nodes from a name lookup, the most vulnerable points of compromise are near the leaves of the Internet. For instance, incorrect entries in a desktop computer's hosts file , which circumvents name lookup with its own local name to IP address mapping, is a popular target for malware. Once rewritten, a legitimate request for a sensitive website can direct the user to a fraudulent copy. Personal computers such as desktops and laptops are often better targets for pharming because they receive poorer administration than most Internet servers.

More worrisome than host-file attacks is the compromise of a local network router. Since most routers specify a trusted DNS to clients as they join the network, misinformation here will spoil lookups for the entire LAN. Unlike host-file rewrites, local-router compromise is difficult to detect. Routers can pass bad DNS information in two ways: misconfiguration of existing settings or wholesale rewrite of embedded software (aka firmware). Many routers allow the administrator to specify a particular, trusted DNS in place of the one suggested by an upstream node (e.g., the ISP). An attacker could specify a DNS server under his control instead of a legitimate one. All subsequent resolutions would go through the bad server.

Alternatively, many routers have the ability to replace their firmware (i.e. the internal software that executes the device's more complex services). Like malware on desktop systems, a firmware replacement can be very difficult to detect. A stealthy implementation will appear to behave the same as the manufacturer's firmware; the administration page will look the same, settings will appear correct, etc. This approach, if well executed, could make it difficult for network administrators to discover the reconfiguration, if the device appears to be configured as the administrators intend but actually redirects DNS traffic in the background. Pharming is only one of many attacks that malicious firmware can mount; others include eavesdropping, active man in the middle attacks, and traffic logging. Like misconfiguration, the entire LAN is subject to these actions.

By themselves, these pharming approaches have only academic interest. However, the ubiquity of consumer grade wireless routers presents a massive vulnerability. Administrative access can be available wirelessly on most of these devices. Moreover, since these routers often work with their default settings, administrative passwords are commonly unchanged. Even when altered, many are guessed quickly through dictionary attacks, since most consumer grade routers don't introduce timing penalties for incorrect login attempts. Once administrative access is granted, all of the router's settings including the firmware itself may be altered. These attacks are difficult to trace because they occur outside the home or small office and outside the Internet.

Instances of pharming

On 15 January 2005, the domain name for a large New York ISP, Panix, was hijacked to point to a website in Australia. No financial losses are known. The domain was later restored on 17 January, and ICANN's review blames Melbourne IT (now known as "Arq Group") "as a result of a failure of Melbourne IT to obtain express authorization from the registrant in accordance with ICANN's Inter-Registrar Transfer Policy." [1]

In February 2007, a pharming attack affected at least 50 financial companies in the U.S., Europe, and Asia. Attackers created a similar page for each targeted financial company, which requires effort and time. Victims clicked on a specific website that had a malicious code. This website forced consumers' computers to download a Trojan horse. Subsequent login information from any of the targeted financial companies was collected. The number of individuals affected is unknown but the incident continued for three days. [2]

In January 2008, Symantec reported a drive-by pharming incident, directed against a Mexican bank, in which the DNS settings on a customer's home router were changed after receipt of an e-mail that appeared to be from a legitimate Spanish-language greeting-card company. [3]

Defences

Traditional methods for combating pharming include: Server-side software, DNS protection, and web browser add-ins such as toolbars. Server-side software is typically used by enterprises to protect their customers and employees who use internal or private web-based systems from being pharmed and phished, while browser add-ins allow individual users to protect themselves from phishing. DNS protection mechanisms help ensure that a specific DNS server cannot be hacked and thereby become a facilitator of pharming attacks. Spam filters typically do not provide users with protection against pharming.

Currently the most efficient way to prevent pharming is for end users to make sure they are using secure web connections (HTTPS) to access privacy sensitive sites such as those for banking or taxing, and only accept the valid public key certificates issued by trusted sources. A certificate from an unknown organisation or an expired certificate should not be accepted all the time for crucial business. So-called active cookies [4] provide for a server-side detection tool.

Legislation also plays an essential role in anti-pharming. In March 2005, U.S. Senator Patrick Leahy (D-VT) introduced the Anti-Phishing Act of 2005, a bill that proposes a five-year prison sentence and/or fine for individuals who execute phishing attacks and use information garnered through online fraud such as phishing and pharming to commit crimes such as identity theft.

For home users of consumer-grade routers and wireless access points, perhaps the single most effective defense is to change the password on the router to something other than the default, replacing it with a password that is not susceptible to a dictionary attack.

Controversy over the use of the term

The term "pharming" has been controversial within the field. At a conference organized by the Anti-Phishing Working Group, Phillip Hallam-Baker denounced the term as "a marketing neologism designed to convince banks to buy a new set of security services".

See also

Notes

  1. The word "pharming" is pronounced as "farm-ing".

Related Research Articles

Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information.

<span class="mw-page-title-main">Root name server</span> Name server for the DNS root zone

A root name server is a name server for the root zone of the Domain Name System (DNS) of the Internet. It directly answers requests for records in the root zone and answers other requests by returning a list of the authoritative name servers for the appropriate top-level domain (TLD). The root name servers are a critical part of the Internet infrastructure because they are the first step in resolving human-readable host names into IP addresses that are used in communication between Internet hosts.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

<span class="mw-page-title-main">Phishing</span> Form of social engineering

Phishing is a form of social engineering and a scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim navigates the site, and transverses any additional security boundaries with the victim. As of 2020, it is the most common type of cybercrime, with the FBI's Internet Crime Complaint Center reporting more incidents of phishing than any other type of cybercrime.

Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to any computer that the attacker chooses.

Crimeware is a class of malware designed specifically to automate cybercrime.

<span class="mw-page-title-main">Wireless security</span> Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

<span class="mw-page-title-main">OpenDNS</span> Domain name system provided by Cisco using closed-source software

OpenDNS is an American company providing Domain Name System (DNS) resolution services—with features such as phishing protection, optional content filtering, and DNS lookup in its DNS servers—and a cloud computing security product suite, Umbrella, designed to protect enterprise customers from malware, botnets, phishing, and targeted online attacks. The OpenDNS Global Network processes an estimated 100 billion DNS queries daily from 85 million users through 25 data centers worldwide.

Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.

DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

<span class="mw-page-title-main">Blacklist (computing)</span> Criteria to control computer access

In computing, a blacklist, disallowlist, blocklist, or denylist is a basic access control mechanism that allows through all elements, except those explicitly mentioned. Those items on the list are denied access. The opposite is a whitelist, allowlist, or passlist, in which only items on the list are let through whatever gate is being used. A greylist contains items that are temporarily blocked until an additional step is performed.

A web threat is any threat that uses the World Wide Web to facilitate cybercrime. Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS protocols, but may also employ other protocols and components, such as links in email or IM, or malware attachments or on servers that access the Web. They benefit cybercriminals by stealing information for subsequent sale and help absorb infected PCs into botnets.

Avalanche was a criminal syndicate involved in phishing attacks, online bank fraud, and ransomware. The name also refers to the network of owned, rented, and compromised systems used to carry out that activity. Avalanche only infected computers running the Microsoft Windows operating system.

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript fetch or XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006 and later detected by McAfee Labs on April 19, 2009.

References

  1. "ICANN review blames Melb IT for hijack". The Sydney Morning Herald. March 16, 2005.
  2. "Pharming Attack Targeted Bank Customers Worldwide". PCWorld. 2007-02-22. Retrieved 2020-07-24.
  3. Messmer, Ellen (January 22, 2008). "First case of "drive-by pharming" identified in the wild". Network World.
  4. "Active Cookies for Browser Authentication" (PDF). Archived from the original (PDF) on 17 December 2006. Retrieved December 3, 2006.
Sources