Avoiding Internet Pitfalls: “Pharming” attacks
Pharming is a name given to a computer hacker’s attempt to redirect traffic from a legitimate web site to a very similar but bogus web site.
Pharming is similar to phishing in that the goal of the hacker is to steal login and other sensitive financial and identifying information from users. However, while phishing depends upon the user clicking a link in an email, pharming can direct numerous users to an impostor web site without their knowledge, where those users are prompted to provide login usernames, passwords and other information. To draw a comparison, while phishing is similar to actual fishing with a line and a hook, getting a single “bite” at a time, pharming is like fishing with a large invisible net, scooping up several victims all at once.
Victims of pharming begin by entering the URL of a web site they wish to visit into the address bar of a web browser, but instead of reaching the intended destination they arrive at a rather convincing impostor web site. Once the user enters his information into the bogus site, the hacker has it.
You may wonder how a correctly entered URL can take a user to a bogus web site instead of the real thing. This usually happens through DNS cache poisoning, in which the hacker hacks into a Domain Name Server on the internet and changes the settings within it to redirect web traffic.
A Domain Name Server is used by Internet Service Providers to allow internet-connected computers to visit web sites through the entry of simple domain name URL addresses (http://www.yahoo.com, for example) rather than requiring users to know and enter full numeric IP addresses (http://69.147.76.15, which is the IP address for the Yahoo site). A Domain Name Server functions something like a map or traffic cop of the internet, directing connections to destination servers. When a DNS server has been compromised or “poisoned”, the conversion from the entered address to a numeric IP address is altered so that traffic is re-routed to a different server at a different numeric IP address, which the viewer usually never sees.
A variation known as “drive-by pharming” occurs when a hacker infiltrates the wireless network of a home or business and changes the settings in the computer’s hosts file to cause it to use a different DNS server (one which is controlled by the hacker), which then redirects traffic. The “drive-by” attack is so named because most wireless networks penetrate the walls of a building and have a range which reaches nearby streets, allowing a hacker to try to access the network from his car.
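One preventative check a reader can run against the scenario above: the hosts file is consulted before DNS on Windows and on most Unix systems, so any line in it that maps a site name to an outside address wins over whatever the real DNS would have answered. The script below is an added example, not code from the original article. It parses a constructed hosts-file sample, skips the normal localhost and blocklist lines, and reports every entry that overrides a public name, with a separate “critical” bucket for a watched list of sensitive sites that you would fill in yourself. The file paths are the standard locations; the sample lines, site names and addresses are made up for the illustration.

```python
"""Audit a hosts file for entries that redirect site names elsewhere.

Added example, not code from the original article. A hosts file is
consulted before DNS, so an injected line such as
    203.0.113.45    www.examplebank.test
sends the browser to 203.0.113.45 no matter what the real DNS says.
The sample text and the watched-hosts list are constructed for this
illustration; the file paths are the standard locations.
"""
import ipaddress
import os
from typing import Dict, List, Set, Tuple

# Standard hosts-file locations (real paths, not from the article).
HOSTS_PATHS = {
    "nt": r"C:\Windows\System32\drivers\etc\hosts",
    "posix": "/etc/hosts",
}

# Constructed sample: normal localhost lines, a 0.0.0.0 ad-block line,
# and two injected lines. 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test        # blocklist-style entry, harmless
203.0.113.45    www.examplebank.test examplebank.test
203.0.113.45    mail.example.test
"""

# Sites whose redirection would matter most; fill in the ones you use.
WATCHED_HOSTS: Set[str] = {"www.examplebank.test", "examplebank.test"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for every usable line; skip junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # malformed address field; ignore rather than abort
        if names:
            entries.append((address, [n.lower().rstrip(".") for n in names]))
    return entries


def audit_hosts(text: str, watched: Set[str]) -> Dict[str, List[str]]:
    """Split entries into 'critical' (watched names) and other 'overrides'.

    Loopback and unspecified (0.0.0.0 / ::) targets are skipped: they are
    the normal localhost lines and the common blocklist pattern.
    """
    findings: Dict[str, List[str]] = {"critical": [], "overrides": []}
    for address, names in parse_hosts(text):
        ip = ipaddress.ip_address(address)
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            record = f"{name} -> {address}"
            bucket = "critical" if name in watched else "overrides"
            findings[bucket].append(record)
    return findings


def audit_system_hosts(watched: Set[str]) -> Dict[str, List[str]]:
    """Audit the real hosts file of the machine this runs on."""
    path = HOSTS_PATHS.get(os.name, "/etc/hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read(), watched)


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS, WATCHED_HOSTS)
    for bucket, records in report.items():
        print(f"{bucket}: {records}")
```

Run it as-is to see the sample report, or call audit_system_hosts(WATCHED_HOSTS) with your own watched list to check the machine you are sitting at; any non-empty “critical” list deserves a look at who edited the file and when.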
The biggest problem with pharming attacks is that they are virtually impossible for the user to notice. Because of this, the best ways to avoid becoming a victim of pharming are all preventative:
- Be sure to use a password on your wireless router, and don’t use the default password or one that can be easily guessed (for helpful tips see our previous article on Choosing safe passwords).
- Use a Firewall, which may prevent a hacker from accessing your computer’s host file if he penetrates your wireless network. Windows and Mac computers have a built-in software firewall under the Control Panel or System Preferences; make sure it is turned on. Many modems and routers also include a firewall feature. Configure your firewall(s) to offer the highest level of protection while still allowing your activities (email, instant messaging, etc.) to function.
- Use only secure web connections to access web sites where you will provide sensitive personal or financial information. Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) connections can be established by entering the URL address with “https” at the beginning rather than the usual “http”. For example, to visit the Bank of America web site using a secure connection one would enter https://www.bankofamerica.com/ into the address bar. Most web browsers will then show a padlock symbol to indicate that a secure connection is established, which encrypts any information you enter into the site.
- Web sites which support the HTTPS protocol are sometimes referred to as “pharming-conscious” (or “PhC”) web sites. If an impostor site attempts to present itself as a pharming-conscious web site, the viewer will see an alert message indicating that “the name on the security certificate is invalid or does not match the name of the site”, like the following:

Should you see a message like this one, you should click No, as proceeding may expose you to a pharming web site.
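What the browser is doing when it shows that alert, as an added example that is not part of the original article: it compares the name typed into the address bar with the names carried in the certificate the server presented, and the pharming host cannot present a certificate for the bank’s name. The script below applies the standard matching rule (RFC 6125: an exact match on one of the certificate’s DNS names, or a wildcard whose “*” stands for exactly one label) to two constructed certificates, one for a genuine site and one an impostor could present. All site names and certificate contents are made up for the illustration, the dictionaries only mimic the shape Python’s ssl module returns, and nothing is fetched from the network.

```python
"""Show how a browser's certificate name check exposes an impostor site.

Added example, not code from the original article. The rule applied is
the RFC 6125 one browsers use: the hostname typed into the address bar
must exactly equal one of the certificate's DNS names, or match a
wildcard name whose '*' stands for exactly one label. The two
certificates below are constructed dictionaries in the shape returned by
Python's ssl.SSLSocket.getpeercert(); no connection is made.
"""
from typing import List, Tuple

# Constructed: the certificate the genuine bank site would present.
GENUINE_CERT = {
    "subject": ((("commonName", "www.examplebank.test"),),),
    "subjectAltName": (("DNS", "www.examplebank.test"),
                       ("DNS", "*.examplebank.test")),
}

# Constructed: what a pharming host can present. It cannot obtain a
# certificate for the bank's name, so its own name appears instead.
IMPOSTOR_CERT = {
    "subject": ((("commonName", "secure-login.example.net"),),),
    "subjectAltName": (("DNS", "secure-login.example.net"),),
}


def cert_dns_names(cert: dict) -> List[str]:
    """Collect DNS names from subjectAltName, falling back to commonName."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy certificates without a SAN extension
        for rdn in cert.get("subject", ()):
            names.extend(v.lower() for k, v in rdn if k == "commonName")
    return names


def _name_matches(pattern: str, hostname: str) -> bool:
    """Label-by-label match; '*' is allowed only as the whole leftmost label."""
    pat, host = pattern.split("."), hostname.split(".")
    if len(pat) != len(host):
        return False
    if pat[0] == "*":
        # Require at least two fixed labels after the wildcard so that
        # '*.test' cannot match every name under a top-level domain.
        return len(pat) >= 3 and pat[1:] == host[1:]
    return "*" not in pattern and pat == host


def hostname_matches(cert: dict, hostname: str) -> Tuple[bool, str]:
    """Return (ok, message) the way a browser decides whether to show the padlock."""
    hostname = hostname.lower().rstrip(".")
    names = cert_dns_names(cert)
    for name in names:
        if _name_matches(name, hostname):
            return True, f"{hostname} matches certificate name {name}"
    listed = ", ".join(names) or "none"
    return False, (f"the name on the security certificate ({listed}) "
                   f"does not match the name of the site ({hostname})")


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("impostor", IMPOSTOR_CERT)):
        ok, msg = hostname_matches(cert, "www.examplebank.test")
        print(f"{label}: {'OK' if ok else 'WARNING'}: {msg}")
```

The impostor check fails even though the impostor’s certificate may itself be perfectly valid: the certificate authority vouched for secure-login.example.net, not for the bank’s name, and that gap is exactly what the browser’s warning is reporting.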
