Pharming Alarming

A recently identified cyberspace crime known as pharming—redirecting Web surfers from the legitimate sites they visit to fakes which capture their personal information or install malware for the criminals who set up the fakes—has aroused more attention from Internet security watchers, especially after a weekend pharm attack said to exploit a flaw in the Symantec firewall.

That flaw, according to published reports, was used over the weekend to divert visitors headed for eBay, Google, and weather.com to fake copies that tried slipping spyware onto the unsuspecting visitors’ computers. The alarm over pharming comes from the technique’s ability to draw in groups of people at once, as opposed to its relative phishing, which grabs the unsuspecting one at a time.

“Phishing is to pharming what a guy with a rod and a reel is to a Russian trawler. Phishers have to approach their targets one by one,” Chris Risley, chief executive of Internet protocol address infrastructure technology provider Nominum, told Wired. “Pharmers can scoop up many victims in a single pass.”

The magazine said some pharming attacks use e-mailed viruses which rewrite the local hosts file on individual personal computers, viruses like Banker, a Trojan horse program. A compromised hosts file will cause the user to visit the wrong Website even if he or she enters the accurate URL for the intended site, Wired said.

And the most serious such threat, the magazine continued, involves DNS poisoning—altering the DNS record that maps a domain name to its numerical address so that it points at a server the attacker controls, sending users to fake sites no matter how accurate the URL they enter.
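Both mechanisms described above (a rewritten hosts file and a poisoned DNS answer) leave a detectable trace: a well-known public domain resolving to an address it should not. The following script is an added example, not code from the article or from any vendor it names. It parses a constructed hosts-file sample and flags entries that pin watched public domains to any address, and it compares a set of observed resolver answers against a trusted reference set (for instance answers from a known-good resolver queried out of band). The domain list, the sample hosts text and all IP addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample of a hosts file as a compromised machine might carry it.
# The 192.0.2.0/24 block is reserved for documentation, so these addresses are
# placeholders, not real servers.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# entry injected by malware (constructed example)
192.0.2.45  www.ebay.com ebay.com
192.0.2.45  www.google.com
"""

# Public domains that a legitimate hosts file has no reason to override
# (assumed watch list for this example).
WATCHED_DOMAINS = {"www.ebay.com", "ebay.com", "www.google.com", "www.weather.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments
    and lines whose first field is not a valid IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line, skip it
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def suspicious_host_entries(text, watched=WATCHED_DOMAINS):
    """Flag hosts-file entries that pin a watched public domain to any
    address: that is the hosts-file pharming technique in one line."""
    return [(ip, name) for ip, name in parse_hosts(text) if name in watched]


def poisoned_answers(observed, reference):
    """Compare the addresses a resolver handed back (observed: name -> ip)
    with a trusted reference (name -> set of acceptable ips). Returns a dict
    of names whose observed address is outside the reference set, with the
    bad address and the expected ones, which is the check an anti-pharming
    toolbar performs when it shows a site's 'true' location."""
    mismatches = {}
    for name, ip in observed.items():
        good = reference.get(name, set())
        if ip not in good:
            mismatches[name] = (ip, sorted(good))
    return mismatches


if __name__ == "__main__":
    for ip, name in suspicious_host_entries(SAMPLE_HOSTS):
        print(f"hosts file overrides {name} -> {ip}")

    # Constructed resolver answers: one poisoned, one matching the reference.
    observed = {"www.ebay.com": "192.0.2.45", "www.google.com": "198.51.100.7"}
    reference = {"www.ebay.com": {"198.51.100.1"}, "www.google.com": {"198.51.100.7"}}
    for name, (bad, good) in poisoned_answers(observed, reference).items():
        print(f"possible DNS poisoning: {name} -> {bad}, expected one of {good}")
```

Reading the real hosts file means opening `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts` and passing its text to `suspicious_host_entries`; the reference set for `poisoned_answers` has to come from a source the local resolver cannot influence, otherwise the comparison proves nothing.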

Internet security and antivirus companies are already watching pharming carefully, especially considering just how old the DNS poisoning technique actually is. Senior Sophos security analyst Gregg Mastoras said the DNS system “has inherent design vulnerabilities, and because of the initial design flaws there have been a variety of methods used to create successful attacks. So while DNS poisoning is not new, the dramatic rise of phishing, and more importantly the complexity of the new pharming attacks, is cause for some concern.”

ZDNet UK reported last month that in January a hacker changed the DNS records for New York Internet provider panix.com, changing the domain’s registered ownership from New York to Australia, redirecting server requests to Britain, and redirecting e-mail to Canada, a case which continues under investigation. And, last September, a German teenager hijacked the domain of eBay’s German division, with similar attacks since targeting Google and Amazon.com.

No known identity theft cases have arisen from those two pharms, ZDNet UK said.

The Anti-Phishing Working Group, well known for monitoring and fighting phishing attacks, has now broadened its scope to track and fight pharming as well. And the special security toolbar designed by Netcraft.com is now being touted as an anti-pharming tool, because it displays the true location of a Website even if the DNS cache has been “poisoned.”

Netcraft.com also said this weekend’s Google/eBay/weather.com pharm might have been a proof-of-concept attack, sending visitors headed for the three sites to fakes that turned out to be 7sir7.com, 123xx1.com, and abx4.com, which tried putting spyware on visitor computers.

And other reports have indicated this past weekend was not the first time such an attack was done using those three popular sites as the lures.