The bad guys, the people who brought you phishing, have come up with a new strategy to obtain your confidential information. It is known as pharming. This is not the farming done in the fields of Iowa, and the crop is not corn or wheat but your username, password, SSN, etc.
Pharming differs from phishing in that it doesn't rely on a combination of e-mail and social engineering to trick users into divulging confidential information; instead it directs its attack at the computer itself. It involves manipulating DNS (Domain Name System) records in order to redirect visitors to bogus web pages, created by the perpetrators to look exactly like the real sites; this is why pharming is also referred to as DNS poisoning. When the unsuspecting victims try to log into their accounts, they are actually feeding their credentials into a database that the bad guys can then read.
Internet browsers, such as Internet Explorer or Firefox, ultimately connect to a numeric Internet address, or IP, in the format 000.000.000.000. When you type in a name such as www.microsoft.com, it must first be converted into a real IP. The first place the browser looks for this conversion is the ‘hosts’ file in the Windows directory; if the name isn’t found there, it queries a DNS server, usually one provided by your Internet Service Provider (ISP). These servers act like gigantic phone books, translating names into IP addresses and feeding those addresses back to the browser, which in turn directs the user to the appropriate web page.
Pharming can be carried out either by changing the information on the DNS servers, so that the altered address affects everyone on the Internet who uses that server, or locally, by altering the ‘hosts’ file on the individual’s computer. The ‘hosts’ file is a small table listing web servers and their corresponding IP addresses for the sites the user accesses most frequently, so that the browser doesn’t need to query the DNS server every time. Pharmers overwrite the legitimate addresses of financial institutions so that when victims enter the address in the browser, they are directed to the imitation page created by the hacker.
Modification of the ‘hosts’ file can be done directly by hackers (remotely accessing the system) or by malicious code contained in Trojans such as Bancos, Banker or Banbra.
There is little that the user can do to prevent poisoning of the DNS servers; however, you can make the ‘hosts’ file inaccessible by setting its properties to read-only. You will find this file in the C:\windows\system32\drivers\etc folder on Windows XP systems. Right-click the file, choose Properties, and set the Attributes to Read-Only.
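As an added illustration (not part of the original article), the following Python script parses hosts-file contents and flags the kind of tampering described above: any name mapped to something other than the loopback address. The sample file contents, the bank hostnames and the 203.0.113.45 address are constructed for this example; only the file location comes from the article.

```python
import ipaddress

# Path named in the article; the audit below runs on the constructed sample instead.
WINDOWS_HOSTS_PATH = r"C:\windows\system32\drivers\etc\hosts"

# Constructed sample of a hosts file after a Trojan has tampered with it (not a real capture).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# Lines below are constructed attacker additions; the bank names are placeholders.
203.0.113.45    www.examplebank.com examplebank.com
203.0.113.45    online.example-creditunion.com
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping blanks and comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def suspicious_entries(text):
    """Flag every mapping except a loopback address bound to a local name.

    A typical workstation's hosts file should hold only loopback entries, so a
    public name pinned to any other address is the signature of local pharming.
    Returns a list of (ip, hostname, reason) tuples.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback and name in LOCAL_NAMES:
            continue  # the only entries expected on a clean machine
        if addr.is_loopback:
            flagged.append((ip, name, "name pinned to loopback (blocking entry or tampering)"))
        else:
            flagged.append((ip, name, "name pinned to non-loopback address"))
    return flagged


def audit_hosts_file(path=WINDOWS_HOSTS_PATH):
    """Read a real hosts file from disk and return its suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:35} -> {ip:15} {reason}")
```

The read-only attribute only deters casual edits, since malware running with administrator rights can clear it; re-running this kind of content check periodically is the more reliable way to notice a tampered file.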