Pharming - a New Technique for Internet Fraud

Total Page:16

File Type:pdf, Size:1020Kb

Pharming - a New Technique for Internet Fraud Fernando de la Cuadra International Technical Editor Panda Software (http://www.pandasoftware.com) E-mail: [email protected] Pharming - a new technique for Internet fraud Hackers appear to have an increasing interest in reaping financial reward from their actions and creations. If until now, phishing –using emails to lure users into entering data into spoofed online banking websites- was one of the most widespread fraud techniques, ‘pharming’ now poses an even greater threat. Basically, pharming involves interfering with the name resolution process on the Internet. When a user enters an address (such as www.pandasoftware.com) this needs to be converted into a numeric IP address as 62.14.63.187. This is known as name resolution, and the task is performed by DNS (Domain Name System) servers. These servers store tables with the IP address of each domain name. On a smaller scale, in each computer connected to the Internet there is a file that stores a table with the names of servers and IP addresses so that it is not necessary to access the DNS servers for certain server names. Pharming consists in the name resolution system modification, so that when a user thinks he or she is accessing to bank’s web page, he or she is actually accessing the IP of a spoofed site. Phishing owed its success to social engineering techniques, despite that not all users take the phishing bait, and so this success was limited. Also, each phishing attack was aimed at one specific type of banking service, further reducing the chances of success. Pharming on the other hand, can affect a far greater number of online banking users. In addition, pharming isn’t just a one-off attack, as is the case with phishing emails, but remains present on the computer waiting for the user to access the banking services. The solution against this new kind of fraud lies, as ever, in antivirus security solutions. Pharming attacks depend on an application in the compromised system (this could be an exe file, a script, etc). But before this application can run, obviously it needs to reach the operating system. Code can enter the system through numerous channels, in fact, in as many ways as information can enter the system: el e-mail (the most frequent), Internet downloads, copied directly from CD or floppy, etc. In each of these information entry points, the antivirus has to detect the file with the malicious code and eliminate it, provided that is, it is registered as a dangerous application in the antivirus signature file. Unfortunately, the propagation speed of malware today is head-spinning, and there more malicious creators and offering their source code to the rest of the hacker community to create new variants and propagate even more attacks. The virus laboratories don’t have enough time to prepare the malware detection and elimination routines for new malicious code before they start spreading to a few PCs. Despite the efforts and improvements from virus labs, it is physically impossible for them to prepare an adequate solution in time against some of these threats that can spread in just a few minutes. The solution against these kinds of threats should not therefore depend, at least not in the front line of protection, on a reactive solution based on viral identifier files but rather systems that detect the actions that theses threats carry out. In this way, every time there is an attempted attack on the computer’s DNS system (as in the case of pharming applications), the attack is recognized and blocked along with the program carrying out the attack. However, there is an added danger with pharming, which lies in anonymous proxy servers. Many users want to hide their identity (their IP address) when using the Internet and use online proxy servers so that the connection is made under the server IP and not the client IP. In a worst case scenario, one of these proxy servers could have its name resolution system poisoned so that users trying to access their bank website, could actually be viewing a spoofed site, even though their local name resolution system is operating perfectly. Opinion Article – March 2005 Page 1 of 2 In any event, the threat that pharming poses is a serious one, although one that is easily resolved. Only with systems that can detect and block changes in IP address resolution systems in computers can we hope to prevent the avalanche of malicious code that will soon be upon us. Fernando de la Cuadra International Technical Editor Panda Software (http://www.pandasoftware.com) E-mail: [email protected] Opinion Article – March 2005 Page 2 of 2 .
Recommended publications
  • (Fake Websites) Spam, Phishing and Pharming Are All Terms Relating to Dubious
    Spam (Junk email and Phishing email) and Pharming (fake websites) Spam, phishing and pharming are all terms relating to dubious online practices, either to sale goods or services online or to gain access to confidential information, often with malicious intent. Spam is the term used to describe unwanted (junk) emails that are typically distributed in bulk. Spam messages will typically contain commercial content – examples include pornography, pharmaceuticals, dubious financial transactions, or ‘too good to be true’ offers. In most cases, spam emails are sent with fraudulent intent, but there are also cases where reputable companies or private users send mass emails too. An example of Junk email: (to many recipients, requesting a response) Spam can also be used to launch phishing attacks where users are sent emails tricking them into ‘updating’ their personal details online via a fake website (imitating a bank or similar). The tricky part is that phishers pretend to be someone you know, like a bank or even a department from right here at Purdue, to make you think they are trustworthy. That’s why it’s so important to keep in mind that CLA-IT or any other Purdue department will NEVER, under any circumstance, ask you for your login information via email or web form. Anyone asking for this type of information via email is undoubtedly a fraud. Spam can also be used as a means of distributing malicious software, which can install key-logging software on your PC without your knowledge. Pharming is the term used to describe the process of redirecting users to a fraudulent copy of a legitimate website, again with the aim of stealing personal data and passwords for criminal intent.
    [Show full text]
  • How to Analyze the Cyber Threat from Drones
    C O R P O R A T I O N KATHARINA LEY BEST, JON SCHMID, SHANE TIERNEY, JALAL AWAN, NAHOM M. BEYENE, MAYNARD A. HOLLIDAY, RAZA KHAN, KAREN LEE How to Analyze the Cyber Threat from Drones Background, Analysis Frameworks, and Analysis Tools For more information on this publication, visit www.rand.org/t/RR2972 Library of Congress Cataloging-in-Publication Data is available for this publication. ISBN: 978-1-9774-0287-5 Published by the RAND Corporation, Santa Monica, Calif. © Copyright 2020 RAND Corporation R® is a registered trademark. Cover design by Rick Penn-Kraus Cover images: drone, Kadmy - stock.adobe.com; data, Getty Images. Limited Print and Electronic Distribution Rights This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions. The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org Preface This report explores the security implications of the rapid growth in unmanned aerial systems (UAS), focusing specifically on current and future vulnerabilities.
    [Show full text]
  • Five Threats Series: Threat 2 – Ransomware Attack
    405(d) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) Five Threats Series: Threat 2 – Ransomware Attack March 2019 In Partnership With The 405(d) Aligning Health Care Industry Security Practices initiative, along with the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) publication and this engagement are in partnership with the Healthcare & Public Health Sector Coordinating Council (HSCC) 2 Agenda Time Topic Speaker 5 Minutes Opening Remarks & Introductions 5 Minutes CSA Section 405(d)’s Mandate, Purpose, and Desired Goals 5 Minutes HICP Overview 10 Minutes Using HICP and Supporting Resources 40 Minutes Threat 2 – Ransomware Attack and Mitigating Practices 5 Minutes Looking Forward 5 Minutes Upcoming 5 Threats 15 Minutes Questions 3 CSA Section 405(d)’s Mandate, Purpose, and Desired Goals Cybersecurity Act of 2015 (CSA): Legislative Basis CSA Section 405 Improving Cybersecurity in the Health Care Industry Section 405(b): Health Section 405(c): Health Section 405(d): Aligning care industry Care Industry Health Care Industry preparedness report Cybersecurity Task Force Security Approaches 5 Industry-Led Activity to Improve Cybersecurity in the Healthcare and Public Health (HPH) Sector WHAT IS THE 405(d) EFFORT? WHO IS PARTICIPATING? An industry-led process to develop The 405(d) Task Group is consensus-based guidelines, convened by HHS and comprised practices, and methodologies to of over 150 information security strengthen the HPH-sector’s officers, medical professionals, cybersecurity posture against privacy experts, and industry cyber threats. leaders. HOW WILL 405(d) ADDRESS HPH WHY IS HHS CONVENING THIS CYBERSECURITY NEEDS? EFFORT? With a targeted set of applicable To strengthen the cybersecurity & voluntary practices that seeks posture of the HPH Sector, to cost-effectively reduce the Congress mandated the effort in cybersecurity risks of healthcare the Cybersecurity Act of 2015 organizations.
    [Show full text]
  • Vulnerability Management: Overview
    Resource ID: w-013-3774 Cybersecurity Tech Basics: Vulnerability Management: Overview SEAN ATKINSON, CIS™ (CENTER FOR INTERNET SECURITY), WITH PRACTICAL LAW INTELLECTUAL PROPERTY & TECHNOLOGY Search the Resource ID numbers in blue on Westlaw for more. A Practice Note providing an overview of what Design, implementation, or other vendor oversights that create defects in commercial IT products (see Hardware and Software cyber vulnerability management programs Defects). are, how they work, and the key role they play Poor setup, mismanagement, or other issues in the way an in any organization’s information security organization installs and maintains its IT hardware and software components (see Unsecured Configurations). program. This Note discusses common types of Vulnerability management programs address these issues. Other cyber vulnerabilities and core process steps for common vulnerabilities that organizations must also tackle in their implementing and maintaining a vulnerability information security programs include: management program to decrease cybersecurity Gaps in business processes. Human weaknesses, such as lack of user training and awareness. risks. It also addresses common pitfalls that Poorly designed access controls or other safeguards. can lead to unnecessary cyber incidents and Physical and environmental issues. data breaches. Unlike threats, organizations can often directly control their vulnerabilities and therefore minimize the opportunities for threat actors. Most organizations depend on a combination of commercial and custom-developed hardware and software products to support their Organizations that develop their own in-house software should information technology (IT) needs. These technology components use security by design techniques to avoid creating vulnerabilities. inevitably include vulnerabilities in their design, setup, or the code that For more information on assessing overall data security risks and runs them.
    [Show full text]
  • Cyber Threat Metrics
    SANDIA REPORT SAND2012-2427 Unlimited Release Printed March 2012 Cyber Threat Metrics Mark Mateski, Cassandra M. Trevino, Cynthia K. Veitch, John Michalski, J. Mark Harris, Scott Maruoka, Jason Frye Prepared by Sandia National Laboratories Albuquerque, New Mexico 87185 Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000. Approved for public release; further dissemination unlimited Issued by Sandia National Laboratories, operated for the United States Department of Energy by Sandia Corporation. NOTICE: This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government, nor any agency thereof, nor any of their employees, nor any of their contractors, subcontractors, or their employees, make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represent that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, any agency thereof, or any of their contractors or subcontractors. The views and opinions expressed herein do not necessarily state or reflect those of the United States Government, any agency thereof, or any of their contractors. Printed in the United States of America. This report has been reproduced from the best available copy.
    [Show full text]
  • Component 3 Learning Aim B Cyber Security- B1 Threats to Data Why Systems Are Attacked
    Component 3 Learning Aim B Cyber Security- B1 Threats to Data Why Systems are Attacked Key Vocabulary Intellectual Property An idea that you invented that belongs to you, for example, an image that is copyrighted. Ransomware A form of malware, usually infecting unprotected digital systems, occurring when users open malicious email attachments. Malware A malicious form of software that is transferred to, and then executed on, a user’s machine to damage or disrupt the system or allow unauthorised access to data. Denial-of-Service (DoS) attacks Attack a remote computer by making it unable to respond to legitimate user requests. Cybersecurity The combination of policies, procedures, technologies and the actions of individuals to protect from both internal and external threats. Organisations have become reliant on digital systems to hold data and perform vital business functions. Data and information theft Many organisations have their digital systems attacked daily. Industrial Espionage Data and information both have value as they can be sold The reasons these attacks may occur are varied Intellectual property (designs, business strategy for financial gain. etc) can be stolen through organised cyberattacks. This can be done by stealing customer payment information and then using it to purchase goods These types of assets can be highly valuable, leading •Fun/ illegally. to cheaper, fake copies of products being sold and Breaches of data and information are a major cause of •challenge the original organisation suffering a loss of income. identity theft. •Data and Financial Gain Fun/ Challenge •Industrial information • Hackers may attack systems for the thrill, adrenaline espionage theft A very simple motive: money.
    [Show full text]
  • Phishing – a Growing Threat to E-Commerce
    Phishing – A Growing Threat to E-Commerce M. Tariq Banday* and Jameel A. Qadri** * Department of Electronics & Instrumentation Technology, The University of Kashmir, Srinagar – 190006, email: [email protected]. ** School of Computing, Middlesex University, Hendon, London, UK, email: [email protected]. Abstract: In today’s business environment, it is difficult to imagine a workplace without access to the web, yet a variety of email born viruses, spyware, adware, Trojan horses, phishing attacks, directory harvest attacks, DoS attacks, and other threats combine to attack businesses and customers. This paper is an attempt to review phishing – a constantly growing and evolving threat to Internet based commercial transactions. Various phishing approaches that include vishing, spear phishng, pharming, keyloggers, malware, web Trojans, and others will be discussed. This paper also highlights the latest phishing analysis made by Anti-Phishing Working Group (APWG) and Korean Internet Security Center. Introduction commerce has given a boon to both customers and Electronic Commerce (E-Commerce) is commercial businesses by driving down costs and prices. E- transactions conducted electronically especially commerce allows real-time business across using a computer over a large network like Internet. geographical borders round the clock. In developed It involves exchange of business information using countries almost all business employs e-commerce electronic data interchange (EDI), email, electronic or has e-commerce provisions and in developing bulletin boards, fax transmissions, electronic funds countries like India, it is registering a rapid growth transfer, etc. Internet shopping, online stock and in terms of both popularity among consumers and bond transactions, selling and purchase of soft the revenue generated through e-commerce merchandise like documents, graphics, music, (Vashitha–2005).
    [Show full text]
  • Sources of Threats and Threats in the Cyber Security
    DAAAM INTERNATIONAL SCIENTIFIC BOOK 2019 pp. 321-330 Chapter 27 SOURCES OF THREATS AND THREATS IN THE CYBER SECURITY JAN SVOBODA, LUDEK LUKAS Abstract: The article presents a brief analysis of selected threats to their sources. The introduction presents the difference between the source of the threat, the threat and the risk. In the next chapter, attention is paid to the most commonly occurring threats in cyberspace and the following are specific sources of threats responsible for individual threats. The actual process of spreading specific threats in cyberspace, the relationship between the threat and the reference object and the difference in targeting the threats towards the reference objects are already listed in the last chapter. Predictions of future threats and necessary protection tools are listed in the final chapter. Key words: Cyberspace, Source of the Threat, Reference Object, Targeted, Omnidirectional Authors´ data: Svoboda, J[an]; Lukas, L[udek], Tomas Bata University in Zlín nám. T. G. Masaryka 5555, 76001 Zlín, CZ, [email protected], [email protected] This Publication has to be referred as: Svoboda, J[an] & Lukas, L[udek] (2019). Sources of Threats and Threats in the Cyber Security, Chapter 27 in DAAAM International Scientific Book 2019, pp.321-330, B. Katalinic (Ed.), Published by DAAAM International, ISBN 978-3-902734-24-2, ISSN 1726-9687, Vienna, Austria DOI: 10.2507/daaam.scibook.2019.27 321 Svoboda, J. & Lukas, L.: Sources of Threats and Threats in the Cyber Security 1. Introduction Cyber security is a relatively new field of security, and so cyber security is associated with progressive developments and a wide range of threat sources.
    [Show full text]
  • Detection of Pharming Attack on Websites Using Svm Classifier
    INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME 8, ISSUE 11, NOVEMBER 2019 ISSN 2277-8616 Detection Of Pharming Attack On Websites Using Svm Classifier Saloni Manhas, Swapnesh Taterh, Dilbag Singh Abstract: Attackers are constantly trying to con users and organizations to cause financial damage, loss of sensitive information, and ruin their reputation. Pharming attacks are becoming a headache for website users due to its severe consequences. This attack is achieved by stealing user’s credentials and redirect them to malicious websites by using DNS based techniques. Therefore, to give additional safety Transport Layer Security/Secure Sockets Layer (TLS/SSL) was introduced. It operates by authorizing the actual web server for you to the customer, vice a new versa in so doing each party confirming the actual reliability by using digital certificates. However, SSL is still vulnerable to pharming attacks. Results show that the proposed technique provides 97% accuracy along with high performance in F-measure, sensitivity and specificity which is commendable and proves that SVM is an adequate machine learning method to successfully carry out detection of pharming attack. Index Terms: Phishing, Support Vector Machine (SVM), Secure Socket Layer (SSL) attacks, Malicious websites, Pharming, Machine learning, Network attacks. —————————— —————————— 1. INTRODUCTION DNS cache poisoning, pharming attack is executed and It is quite evident that all of the advances seen in the leaves user facing dire consequences like password information technology realm helped both the good guys hijacking, stolen credentials etc. It is often said that HTTP and the bad. Subsequently, we have seen a steep increase should not be used to pass sensitive information.
    [Show full text]
  • Counter-Phishing Recommendations for Federal Agencies
    CAPACITY ENHANCEMENT GUIDE Counter-Phishing Recommendations for Federal Agencies AUDIENCE AND SCOPE AT-A-GLANCE This guide recommends technical capabilities to protect federal agency email systems and networks against malicious phishing emails. RECOMMENDATIONS This guide provides information to inform federal agencies’ executive Secure Email Gateway Capabilities leadership (senior risk official, chief information officers, and chief o Deploy email filters information security officers) and also provides sufficient detail to o Deploy sandboxing or detonation support a technical discussion with implementation teams. chambers This guide is applicable—outside of federal agencies—to state, local, Protect Outbound Web-Browsing tribal, and territorial governments and commercial industry. o Block known malicious sites and Capacity Enhancement Guides support CISA’s role as the Nation’s top-level domains cybersecurity risk advisor by sharing high-priority recommendations, o Block specific file types from best practices, and operational insights in response to systemic threats, leaving the network vulnerabilities, and risks. Harden User Endpoints o Employ multi-factor authentication INTRODUCTION o Secure browsers Protect Endpoints Email systems are the preferred attack vector for malicious phishing Block malicious macros by default campaigns. Recent reporting shows 32 percent of breaches involve o Deploy antivirus software and phishing attacks, and 78 percent of cyber-espionage incidents are enabled o host-based intrusion detection by phishing.i,ii Additionally, cyber attackers often take advantage of current and prevention systems events, and recent phishing and ransomware campaigns have targeted critical infrastructure sectors. Given the recent shift to an extended remote workforce, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends agencies prioritize the protection of email systems.
    [Show full text]
  • Informational Supplement Best Practices on Spyware Prevention and Detection the Internet Has Become a Popular Method for Both C
    Informational Supplement Best Practices on Spyware Prevention and Detection The Internet has become a popular method for both conducting business and managing finances through online banking relationships. While most financial institutions and some individuals have taken steps to protect their computers, many firewall and anti-virus software packages do not protect computers from one of the latest threats, “spyware” – a form of software that collects personal and confidential information about a person or organization without their proper knowledge or informed consent, and reports it to a third party. This informational supplement describes the various challenges and best practices related to spyware. Financial institutions should consider these recommendations to prevent and detect spyware on both bank-owned and customer computers. Spyware Infection Spyware is usually installed without a user’s knowledge or permission. However, users may intentionally install spyware without understanding the full ramifications of their actions. A user may be required to accept an End User Licensing Agreement (EULA), which often does not clearly inform the user about the extent or manner in which information is collected. In such cases, the software is installed without the user’s “informed consent.” Spyware can be installed through the following methods: • Downloaded with other Internet downloads in a practice called “bundling.” In many cases, all the licensing agreements may be included in one pop-up window that, unless read carefully, may leave the user unaware of “bundled” spyware. • Directly downloaded by users who were persuaded that the technology offers a benefit. Some spyware claims to offer increased productivity, virus scanning capabilities or other benefits.
    [Show full text]
  • Drive-By Pharming
    Drive-By Pharming Sid Stamm1, Zulfikar Ramzan2, and Markus Jakobsson1 1 Indiana University, Bloomington IN, USA 2 Symantec Corporation, Mountain View CA, USA Abstract. This paper describes an attack concept termed Drive-by Pharm- ing where an attacker sets up a web page that, when simply viewed by the victim (on a JavaScript-enabled browser), attempts to change the DNS server settings on the victim’s home broadband router. As a result, future DNS queries are resolved by a DNS server of the attacker’s choice. The attacker can direct the victim’s Internet traffic and point the victim to the attacker’s own web sites regardless of what domain the victim thinks he is actually going to, potentially leading to the compromise of the victim’s credentials. The same attack methodology can be used to make other changes to the router, like replacing its firmware. Routers could then host malicious web pages or engage in click fraud. Since the attack is mounted through viewing a web page, it does not require the attacker to have any physical proximity to the victim nor does it re- quire the explicit download of traditional malicious software. The attack works under the reasonable assumption that the victim has not changed the default management password on their broadband router. 1 Introduction Home Networks & Drive-by Pharming. Home broadband routers are becoming more popular as people wish to share broadband Internet access with, or provide wireless access to, all computers in their homes. These routers typically run a web server, and configuration of the router is done through a web-management interface.
    [Show full text]