Pharming on the Net

By Paladion

March 15, 2006

You must be well aware of phishing and its potential to cause damage. Phishers bait bank customers with genuine-looking emails and manage to usurp money or personal information from unsuspecting customers with reasonable success. Pharming is phishing on steroids.

You are also aware that responding to mails purportedly sent by your bank may not be a good idea, because banks never need to send emails to get your credentials. They have more secure channels to get that information.

However, pharming attacks do not require the attacker to send any mail. By carrying out a pharming attack, a criminal reaches a far wider set of targets than phishing emails can, and far more quickly. Hence the 'ph' prefix on the word 'farming': they are not fishing, they are farming for gullible people! By the way, 'pharming' is a real dictionary word.

How Pharming works

Pharming attacks do not take advantage of any new technique. They use the well-known DNS cache poisoning, domain spoofing and domain hijacking techniques that have been around for quite some time. However, the motives for carrying out these attacks have changed. Earlier, attackers were interested in just disrupting services and causing a nuisance. Now the game has become more a matter of money than of chest thumping. These techniques continue to work because administrators and website owners don't care to secure and monitor their DNS servers, even while they have invested millions of dollars in application firewalls.

Let's take a look at how a typical pharming attack is carried out:

Figure: How Pharming Works
  1. The attacker targets the DNS service used by the customer. This server can be a DNS server on the LAN or the DNS server hosted by an ISP for all its users. The attacker, using various techniques, manages to change the IP address recorded for 'www.nicebank.com' to the IP address of a webserver which hosts a fake replica of nicebank.com.
  2. The user wants to go to the website 'www.nicebank.com' and types the address in the web browser.
  3. User's computer queries the DNS server for the IP address of 'www.nicebank.com'.
  4. Since the DNS server has already been 'poisoned' by the attacker, it returns the IP address of the fake website to the user's computer.
  5. The user's computer is tricked into thinking that the poisoned reply is the correct IP address of the website. The user has now been fooled into visiting the fake website controlled by the attacker rather than the original www.nicebank.com website.

Once the attacker has managed to get the user to visit the fake website, there are many ways in which the user can be tricked into revealing his/her credentials or giving out personal information. The beauty, or let's say the notoriety, of pharming over phishing is evident from the fact that one successful attempt at poisoning the DNS server can potentially be used to trick all the users of that DNS service: much less effort and a far wider impact than phishing.

Tricks of the trade

So how does the attacker manage to get the DNS entries for the bank website changed? There are multiple ways to do it:

Local host lookup

All modern operating systems have locally stored files which contain a mapping between a hostname and its IP address. Phishers take advantage of OS vulnerabilities to modify these host lookup files and insert malicious mappings into them. One such mapping would look like this:

193.1.2.4 www.nicebank.com

where 193.1.2.4 is the IP address of the fake website, not the original. However, since the phisher first has to gain access to the user's system, the impact of this technique is limited. But if there is a malicious administrator around in your office or company, the potential to cause harm still exists.
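As an added example (not code from the original article), the following Python script audits a hosts file for exactly the kind of entry shown above: a non-default hostname pinned locally to a routable address, or any name under a domain you care about (your bank's, your company's) overridden at all. The hosts file content is constructed for the example; 193.1.2.4 and nicebank.com are the values used in the text.

```python
import ipaddress

# Constructed sample hosts file (not a real system file); the nicebank entry
# mirrors the malicious mapping quoted in the article.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost ip6-localhost
193.1.2.4   www.nicebank.com
10.0.0.5    intranet.example.local
"""

# Names that legitimately appear in a stock hosts file.
DEFAULT_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def suspicious_entries(text, watched_suffixes=()):
    """Return (ip, name, reason) for hosts entries that look like pharming.

    Two shapes are flagged: a name under a watched domain overridden locally
    at all, and any other non-default name pinned to a globally routable
    address.  Private (RFC 1918), loopback and link-local targets for other
    names are left alone, since those are the normal uses of a hosts file.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in DEFAULT_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if any(name == s or name.endswith("." + s) for s in watched_suffixes):
            findings.append((ip, name, "watched domain overridden locally"))
        elif addr.is_global:
            findings.append((ip, name, "public address pinned locally"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS, watched_suffixes=("nicebank.com",)):
        print("%-16s %-28s %s" % finding)
```

On a real machine you would feed the script the contents of /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows) and your own list of watched suffixes; anything it reports deserves a look, because a stock hosts file has no reason to carry a public address.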

DNS cache poisoning

All DNS servers cache the responses to queries that users have made, for a certain period of time. This is done to speed up responses to users for frequently used domains. The cache maintained by the DNS server can be poisoned by feeding it malicious responses or by taking advantage of vulnerabilities in the DNS software itself.
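As an added illustration (not code from the article), here is a minimal Python model of the checks a caching resolver should apply before it believes a reply of the kind described in the steps above: the transaction ID must match the outstanding query, the QR bit must be set, the question section must echo what was asked, and every record must lie inside the bailiwick of the zone being queried, so that a reply cannot smuggle in a mapping for some other domain. The messages are constructed inside the script; nicebank.com and 193.1.2.4 come from the text, 203.0.113.10 is a documentation-range address.

```python
import struct

A_RECORD = 1       # RR type A
IN_CLASS = 1       # class IN
QR_FLAG = 0x8000   # header bit: this message is a response


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_message(msg):
    """Parse header, question and the three record sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[section].append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return {"id": txid, "flags": flags, "questions": questions, **sections}


def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)


def validate_response(query_id, qname, qtype, response, zone):
    """Return the reasons to reject this response; an empty list means accept."""
    parsed, reasons = parse_message(response), []
    if parsed["id"] != query_id:
        reasons.append("transaction id mismatch")
    if not parsed["flags"] & QR_FLAG:
        reasons.append("QR bit not set")
    if parsed["questions"] != [(qname.lower(), qtype, IN_CLASS)]:
        reasons.append("question section does not echo the query")
    for section in ("answer", "authority", "additional"):
        for name, _rtype, _rdata in parsed[section]:
            if not in_bailiwick(name, zone):
                reasons.append("out-of-bailiwick %s record for %s" % (section, name))
    return reasons


def build_response(txid, qname, qtype, records, additional=()):
    """Construct a response message; used here only to fabricate sample input."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, len(additional))
    body = encode_name(qname) + struct.pack("!HH", qtype, IN_CLASS)
    for name, rtype, rdata in list(records) + list(additional):
        body += encode_name(name) + struct.pack("!HHIH", rtype, IN_CLASS, 300, len(rdata)) + rdata
    return hdr + body


QUERY_ID, QNAME, ZONE = 0x1234, "www.nicebank.com", "nicebank.com"
GENUINE_A = ("www.nicebank.com", A_RECORD, bytes([203, 0, 113, 10]))   # constructed
STRAY_A = ("www.otherbank.example", A_RECORD, bytes([193, 1, 2, 4]))    # constructed


def genuine_response():
    return build_response(QUERY_ID, QNAME, A_RECORD, [GENUINE_A])


def smuggled_record_response():
    """Correct answer plus an additional record for a domain outside the zone."""
    return build_response(QUERY_ID, QNAME, A_RECORD, [GENUINE_A], additional=[STRAY_A])


def wrong_id_response():
    return build_response(0x4321, QNAME, A_RECORD, [GENUINE_A])


if __name__ == "__main__":
    for label, resp in (("genuine", genuine_response()),
                        ("smuggled", smuggled_record_response()),
                        ("wrong id", wrong_id_response())):
        print(label, validate_response(QUERY_ID, QNAME, A_RECORD, resp, ZONE) or ["accept"])
```

The bailiwick rule is what stops a reply about nicebank.com from planting an address for some unrelated domain in the cache; the transaction-ID check (together with source-port randomisation, which this toy does not model) is what makes blind forgery of a reply expensive.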

Domain Hijacking

I'll explain this with an actual incident that took place a year ago. Panix, an ISP based in New York, was the target of a domain hijack attack.

All domains are registered with 'registrars', which store information about the owner of a domain and the location of the domain's DNS servers. If any of this information needs to be changed, the approval of the domain owner is required. A domain owner can even switch registrars depending on cost and convenience. However, confirmation of the switch is required from all three parties: the domain owner, the old registrar and the new registrar.

In the case of Panix, a change was initiated by an unknown person in Australia. This person managed to skip confirmation from both the old registrar and the domain owner, because the new registrar was not following the domain transfer process strictly. As a result, the unknown person gained complete control over the panix.com domain and managed to divert all of panix.com's web traffic and customer emails to another server located in Canada.

Domain hijacking has the widest impact because the attacker targets the domain registration information itself.

Registration of similar sounding domains

Similar-sounding or similar-looking domains are another source of security issues for internet users. An attacker can register a domain such as 'www.n1cebank.com' and carry out pharming and phishing attacks on unsuspecting customers who don't notice that the letter 'i' has been replaced by a '1'.

Domain names created by typos of the original name (e.g. www.nicebqnk.com) also manage to attract a lot of traffic. One study of the popular domain cartoonnetwork.com shows that one in four people visiting the website incorrectly types even a simple name like cartoonnetwork.com. So what about 'typo domains'? One quick search in Google reveals that it is quite a big concern. An attacker can easily buy typo domains and set up his fake website on them to fool unsuspecting visitors.
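As an added example (not code from the article), the following Python enumerates the single-edit look-alikes of your own domain: the confusable swaps and fat-finger typos of the kind described above, plus dropped, doubled and transposed letters. Its output is the watch list a domain owner would register defensively or feed to a registration-alert service such as the ones recommended in the next section. The confusable and keyboard-adjacency tables are small illustrative ones, not a standard; nicebank.com is the article's fictional bank.

```python
# Characters that look alike at a glance (small illustrative table, not exhaustive).
CONFUSABLES = {
    "i": ["1", "l"], "l": ["1", "i"], "o": ["0"], "0": ["o"],
    "e": ["3"], "a": ["4"], "s": ["5"], "b": ["8"], "m": ["rn"], "w": ["vv"],
}
# Neighbouring keys on a QWERTY layout, for fat-finger substitutions.
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def split_domain(domain):
    """Split 'nicebank.com' into ('nicebank', 'com'); a multi-label suffix stays intact."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix


def lookalike_labels(label):
    """Single-edit variants of one label: confusable swaps, adjacent-key typos,
    omitted letters, doubled letters and transposed neighbours."""
    out = set()
    for i, ch in enumerate(label):
        head, tail = label[:i], label[i + 1:]
        for rep in CONFUSABLES.get(ch, []):
            out.add(head + rep + tail)
        for rep in ADJACENT.get(ch, ""):
            out.add(head + rep + tail)
        out.add(head + tail)                                    # omitted character
        out.add(head + ch + ch + tail)                          # doubled character
        if i + 1 < len(label):
            out.add(head + label[i + 1] + ch + label[i + 2:])   # transposition
    out.discard(label)
    return out


def watchlist(domain):
    """Sorted look-alike domains to register defensively or hand to an alerting service."""
    label, suffix = split_domain(domain)
    return sorted(v + "." + suffix for v in lookalike_labels(label) if v)


def is_lookalike(candidate, domain):
    """True if candidate is one edit away from domain under the rules above."""
    return candidate.lower() in set(watchlist(domain))


if __name__ == "__main__":
    names = watchlist("nicebank.com")
    print(len(names), "look-alikes, e.g.", names[:5])
```

The list is deliberately one edit deep; real brand-protection tooling also varies the suffix (.com vs .co, .net) and adds Unicode homoglyphs, which this example leaves out.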

What website developers should do

Given the distributed nature of pharming attacks, it is difficult to prevent them completely. However, the following precautions can be taken:

  1. Use SSL certificates to help establish the true identity of your website. SSL certificates cannot be duplicated and are thus very effective in alerting a user to a pharming attack. It is also observed that many websites do not serve their main login pages over SSL. Make sure the login page of your application is also on an https URL.
  2. Ensure that your DNS servers have been secured and hardened. The most important point is to switch off recursive queries in the DNS server configuration. Hardening guides for most DNS servers are available either with the server documentation or on the Internet. DNSSEC is the next-generation security for DNS servers. Although it does not promise total protection against pharming, it will definitely help implement secure communication between DNS servers.
  3. Use readily available online services to alert you to any changes in your domain's registrar or DNS configuration. Examples are Markmonitor.com, Domain Monitor, Name Warden, etc. Whois.sc has a service called Mark Alert which alerts you if someone registers a domain name close to keywords that you have defined previously.
  4. One of the key points in thwarting pharming and phishing attacks is to allow the user to differentiate a fake website from a genuine one. The use of visual cues makes this possible. When a user logs on correctly, the website shows a visual cue, such as an easily identifiable symbol in a coloured box. The cue is unique for each user but is the same every time the user logs in. This way the user knows he is visiting the genuine website. A fake website would not be able to generate the exact same visual cue for users of the genuine website. Identity Cues is one such readily available product which helps implement visual cues on your website.
  5. An anti-pharming tool is available for Windows-based servers. Called 'AntiPharming', it passively protects the server from pharming attacks which use DNS poisoning techniques.
  6. Of course, we cannot forget multi-factor and token-based authentication as an effective tool against phishing and pharming. These mechanisms introduce another layer of security even after a user has given away his login credentials on a fake website. Time-based tokens are very difficult for a pharming criminal to duplicate and reuse.
  7. Educating website users about phishing and pharming scams is equally important. The basic human tendency to trust is the key factor in the success of phishing and pharming scams. Users should be warned and kept updated about new phishing/pharming scams and how they can stay safe.
  8. Keep simple names for your domains, which can be easily recalled by customers and are less prone to typos.
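As an added example (not the Identity Cues product or any code from the article), the following Python sketches one way to implement the per-user visual cue of point 4 without storing anything per user: the cue is derived with HMAC-SHA256 from the username and a secret that only the genuine server holds, so it is the same on every login for one user and cannot be recomputed by a site that lacks the secret. The symbol and colour palettes, the login-step dictionary and the secret are all constructed for the example.

```python
import hmac
import hashlib

# Small cue palettes (constructed); a product would use a larger image set.
SYMBOLS = ("anchor", "bell", "key", "leaf", "star", "sun", "tree", "wave")
COLOURS = ("red", "green", "blue", "orange", "purple", "teal")


def visual_cue(server_secret, username):
    """Return the (symbol, colour) cue to show this user.

    HMAC over the normalised username with a server-side secret makes the
    cue stable for one user across logins and unpredictable to anyone who
    does not hold the secret.  Normalising case and whitespace means
    'Alice' and ' alice ' see the same cue.
    """
    message = username.strip().lower().encode("utf-8")
    digest = hmac.new(server_secret, message, hashlib.sha256).digest()
    symbol = SYMBOLS[digest[0] % len(SYMBOLS)]
    colour = COLOURS[digest[1] % len(COLOURS)]
    return symbol, colour


def cue_page(server_secret, username):
    """Constructed stand-in for the page shown once the server knows who the
    user is: it carries the cue for the user to check before proceeding."""
    symbol, colour = visual_cue(server_secret, username)
    return {"username": username.strip().lower(),
            "cue": "%s %s in a %s box" % (colour, symbol, colour),
            "next_step": "enter-password"}


if __name__ == "__main__":
    # Constructed secret; a real deployment would load it from protected storage.
    SERVER_SECRET = b"example-server-secret-not-for-production"
    print(cue_page(SERVER_SECRET, "Alice"))
    print(cue_page(SERVER_SECRET, "bob"))
```

The secret is the whole point of the design: a fake site can copy the page layout and the palette but, lacking the server secret, it cannot tell which symbol and colour a given customer expects to see. If the secret ever leaks, rotating it changes every user's cue at once, which is why users should be told in advance what a changed cue means.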

What you as a user can do

  • The best defense against phishing and pharming scams is to distrust email messages purportedly sent by your bank, or mails which ask for your personal information.
  • If you visit an SSL-enabled website, look out for the browser's certificate warning window. If you get it, double-check whether the website you are visiting gave this message on earlier visits, and check that the URL is the one you intended to go to. This window generally appears when the server's SSL certificate does not match the website URL or when the certificate has expired. It could also mean the certificate is not signed by a trusted root Certificate Authority.
  • Install and run anti-spyware tools which can also monitor for phishing attacks. AdAware, Windows Defender and Spybot Search and Destroy are a few anti-spyware tools which also have anti-phishing checks. Ensure that the spyware signatures are updated to the latest versions.
  • Install anti-phishing/anti-pharming tools for web browsers. These tools help differentiate a genuine website from a fake one. For example, the anti-phishing tool SpoofStick prominently displays the correct website name in the browser. It's an effective tool against similar-sounding and typo domains. Following are some of the commonly used anti-phishing tools:
    1. Google Safe browsing for Mozilla Firefox
    2. Netcraft Toolbar
    3. Microsoft Phishing filter for MSN toolbar
    4. Cloudmark Anti-Fraud toolbar
    5. PhishGuard

Here's to a safe and secure internet browsing future!
