Sourcebase Reports

Country briefing excerpts and analysis from KCS Group

Pharming or Phishing: Take Your Pick!

Cyber-criminals certainly have a great sense of humour when it comes to describing their hobbies: phishing, spear-phishing, whaling, and now pharming is the new addition to their ever-increasing list of personal interests and activities. You must all be familiar by now with the dangers of phishing, but what about pharming?

Pharming is the ‘evil twin’ of phishing, which does not rely on sending out emails to thousands of unsuspecting online users in order to trap them for personal gain, financial or otherwise. Pharming leverages malicious code, such as viruses, worms, trojans, and spyware to carry out sophisticated cyber-attacks with the ultimate aim of fooling users by redirecting them to fake websites. The crime is commonly perpetrated through cache poisoning of DNS servers or domain hijacking, in which registrars are tricked into moving domains.

Pharming, as mentioned earlier, relies exclusively on changing the DNS entries of an organisation’s website, which can be achieved in multiple ways: hosts file modification; cache poisoning; use of malware; domain hijacking; static domain name spoofing. What makes pharming an extremely dangerous practice is that the attack is unrecognisable to even an alert user.
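Of the methods listed above, hosts file modification is the one a defender can check directly on the endpoint. The following is an added example, not part of the original article: it parses hosts-file content and flags any entry that overrides a watched domain, separating redirects to another address from loopback/null-route blocks. The watch list, function names and sample file are constructed for illustration.

```python
import ipaddress

# Hypothetical watch list: domains that should never be overridden locally.
WATCHED = {"bank.example"}

# Constructed sample hosts-file content (not taken from a real incident).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.bank.example bank.example   # unexpected override
0.0.0.0         ads.tracker.example
198.51.100.7    intranet.corp.example
0.0.0.0         LOGIN.bank.example.
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every well-formed entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed address, skip it
        # Hostnames are case-insensitive; a trailing dot is the same name.
        yield no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def is_watched(host, watched):
    """True for a watched domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, ip, host, kind) for each override of a watched name."""
    findings = []
    for no, ip, hosts in parse_hosts(text):
        # Loopback or 0.0.0.0 breaks access; anything else sends the user elsewhere.
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        for host in hosts:
            if is_watched(host, watched):
                findings.append((no, str(ip), host, kind))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

To audit a real machine, pass the contents of `/etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts` on Windows) to `audit_hosts` with your own watch list.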

Don’t get me wrong, the problem of cache poisoning and domain hijacking has been around for some time now. However, its technologically and organisationally complex anatomy makes the problem almost invisible to anyone trying to locate it. The few reported incidents certainly reflect this point, while at the same time highlighting the severity of the threat.

One of the most prominent pharming incidents involved a worm named ‘Troj/Banker-AJ’, which looked for users visiting certain bank websites, such as Barclays, HSBC, Lloyds, NatWest, Abbey, and Egg, and redirected them to phishing sites. The Trojan monitored the user’s internet transactions in an attempt to compromise passwords and other data related to internet banking and other financial transactions.

While online banking and e-commerce websites are most vulnerable to these types of attacks due to the attractiveness of the data that they harbour internally, it is argued that no industry is immune. Incidents of hacking, online fraud, and identity theft are increasing in number every day, be they perpetrated by phishing, whaling, and/or pharming techniques. The reality is that such incidents will only increase in the future if organisations continue to ignore the urgency of the matter.

Prevention is always better than recovery. Therefore, it is important to employ a holistic approach to preventing any type of cyber-attack, be it pharming or phishing. Education is the first step in enabling employees and customers to recognise attempted fraud. This can be achieved by making users aware that they should do the following:

1. Verify that ‘https’ is present at the beginning of the URL
2. Double-click on the yellow lock icon at the bottom of the page accessed to see the certificate details, and verify them
3. Call the company when in doubt about the authenticity of the website

It is now imperative for every organisation, irrespective of the industry and nature of its business, to provide guidelines to its employees to inform them about the inherent dangers of both phishing and pharming attacks.

Technology is the second pillar of prevention. However, technology should not be viewed in isolation from education. On the contrary, it should complement education rather than substitute for it. Implementing the following pre-emptive steps at the enterprise and customer levels will provide an additional level of protection against such attacks:

1. Implement URL blocking and filtering rules on either the host or the gateway
2. Implement stronger authentication, such as two-factor authentication (hardware tokens or client certificates), or mutual authentication between client and server
3. Prevent cross-site scripting vulnerabilities in the website by implementing central input data validation for malicious characters
4. Block the admin pages through robots.txt

Law enforcement is the third and final pillar in the defensive stance against pharming attacks. The United States, for instance, has a number of legal instruments covering identity theft, wire fraud, mail fraud, and computer fraud and abuse that are in place to fight cyber-crime.

The following instruments are reflective of the above practice: the Identity Theft Penalty Enhancement Act of 2004, the Anti-Phishing Act of 2004, the Identity Theft and Assumption Deterrence Act of 1998, the Fair and Accurate Credit Transactions Act of 2003, the USA Patriot Act, and the Gramm-Leach-Bliley Act. Equally, there are a number of European legal instruments that contain provisions on identity theft and fraud.

Pharmers usually pack up and leave before the victim can discover the scam, making it extremely difficult for authorities to prosecute. Therefore, there is a strong need for diverse actors, such as government authorities, financial institutions, cyber security firms, Internet Service Providers (ISPs), and technology vendors, to put on a united front and share information and techniques to address this problem.

The KCS Group is amongst such industry associations offering consolidated technical advice on the means and ways of preventing pharming, phishing, and spoofing. If you have fallen victim to these types of cyber-crimes, or you know somebody who has, please do not hesitate to contact us.



This entry was posted on October 8, 2015 by in Uncategorized.