Pharming - a New Technique for Internet Fraud
Total Page:16
File Type:pdf, Size:1020Kb
Fernando de la Cuadra International Technical Editor Panda Software (http://www.pandasoftware.com) E-mail: [email protected] Pharming - a new technique for Internet fraud Hackers appear to have an increasing interest in reaping financial reward from their actions and creations. If until now, phishing –using emails to lure users into entering data into spoofed online banking websites- was one of the most widespread fraud techniques, ‘pharming’ now poses an even greater threat. Basically, pharming involves interfering with the name resolution process on the Internet. When a user enters an address (such as www.pandasoftware.com) this needs to be converted into a numeric IP address as 62.14.63.187. This is known as name resolution, and the task is performed by DNS (Domain Name System) servers. These servers store tables with the IP address of each domain name. On a smaller scale, in each computer connected to the Internet there is a file that stores a table with the names of servers and IP addresses so that it is not necessary to access the DNS servers for certain server names. Pharming consists in the name resolution system modification, so that when a user thinks he or she is accessing to bank’s web page, he or she is actually accessing the IP of a spoofed site. Phishing owed its success to social engineering techniques, despite that not all users take the phishing bait, and so this success was limited. Also, each phishing attack was aimed at one specific type of banking service, further reducing the chances of success. Pharming on the other hand, can affect a far greater number of online banking users. In addition, pharming isn’t just a one-off attack, as is the case with phishing emails, but remains present on the computer waiting for the user to access the banking services. The solution against this new kind of fraud lies, as ever, in antivirus security solutions. Pharming attacks depend on an application in the compromised system (this could be an exe file, a script, etc). But before this application can run, obviously it needs to reach the operating system. Code can enter the system through numerous channels, in fact, in as many ways as information can enter the system: el e-mail (the most frequent), Internet downloads, copied directly from CD or floppy, etc. In each of these information entry points, the antivirus has to detect the file with the malicious code and eliminate it, provided that is, it is registered as a dangerous application in the antivirus signature file. Unfortunately, the propagation speed of malware today is head-spinning, and there more malicious creators and offering their source code to the rest of the hacker community to create new variants and propagate even more attacks. The virus laboratories don’t have enough time to prepare the malware detection and elimination routines for new malicious code before they start spreading to a few PCs. Despite the efforts and improvements from virus labs, it is physically impossible for them to prepare an adequate solution in time against some of these threats that can spread in just a few minutes. The solution against these kinds of threats should not therefore depend, at least not in the front line of protection, on a reactive solution based on viral identifier files but rather systems that detect the actions that theses threats carry out. In this way, every time there is an attempted attack on the computer’s DNS system (as in the case of pharming applications), the attack is recognized and blocked along with the program carrying out the attack. However, there is an added danger with pharming, which lies in anonymous proxy servers. Many users want to hide their identity (their IP address) when using the Internet and use online proxy servers so that the connection is made under the server IP and not the client IP. In a worst case scenario, one of these proxy servers could have its name resolution system poisoned so that users trying to access their bank website, could actually be viewing a spoofed site, even though their local name resolution system is operating perfectly. Opinion Article – March 2005 Page 1 of 2 In any event, the threat that pharming poses is a serious one, although one that is easily resolved. Only with systems that can detect and block changes in IP address resolution systems in computers can we hope to prevent the avalanche of malicious code that will soon be upon us. Fernando de la Cuadra International Technical Editor Panda Software (http://www.pandasoftware.com) E-mail: [email protected] Opinion Article – March 2005 Page 2 of 2 .