Alarm over pharming attacks: identity theft made even easier
By Robert Vamosi Senior editor, CNET Reviews February 18, 2005

Hopefully, we've all become wise to phishing attacks, so named because they cast the bait (via e-mail) and if you bite, they can lure your personal information out of you. These scams are now fairly recognizable and usually arrive as a note from a bank asking you to go to its site (link provided, of course) to reenter your most personal information. The fact that a bank wouldn't really need your mother's maiden name might tip you off. Most likely, though, you spot the misspellings in this bogus e-mail, or you're otherwise savvy to the identity theft scam and immediately trash these messages unread.

So what if I told you phishing is just kid stuff compared to what's coming next?

The danger here is that you no longer have to click an Email link to hand over your personal information to identity thieves

In January, I started hearing about these new "pharming" attacks, a supposed successor to the now familiar e-mail phishing attacks. Gerhard Eschelbeck, CTO of Qualys, a vulnerability management company, told me recently that pharming is simply a new name for a relatively old concept: domain spoofing. Rather than spamming you with e-mail requests, pharmers work quietly in the background, "poisoning" your local DNS server by redirecting your Web request somewhere else. As far as your browser's concerned, you're connected to the right site. The danger here is that you no longer have to click an e-mail link to hand over your personal information to identity thieves.

The DNS system
To understand pharming, you need a little background on DNS. Throughout the Internet, a series of domain name servers (DNS) quietly resolve the familiar addresses you type into specific Internet addresses. These servers are basically large directories of common names such as Amazon, Google, and Microsoft, and IP-specific addresses that you never see. For example, if you type www.cnet.com, this request goes to your nearest DNS server, which then locates the registered Internet address for the Web server at CNET Networks. It's much more convenient than always remembering 222.123.0.0 or something similar.

However, this translation is also a weak link in the Internet's infrastructure. With every Internet request first bouncing off a DNS server somewhere on the planet, criminal hackers realized (some time ago) that rather than flooding a specific domain and effectively hiding it from the rest of the world (in what's known as a denial-of-service attack), they can either change the DNS record or take down the DNS system all together.

DNS poisoning
In October of 2002, criminal hackers (crackers) attempted just that: they directed a denial-of-service attack at the 13 high-level, or root, DNS servers located throughout the world. Although 10 of the 13 failed and went offline, the Internet itself didn't fail. Why? Because the subservers that most people actually access when they type in a URL all have 24-hour cache backups of popular addresses. In other words, there are enough redundancies to keep everything running.

Just watching the address bar on your Internet browser won't inform you of any hijacks; to you, the URL and possibly even the spoofed financial site will look just fine.

But DNS poisoning is a whole different kettle of fish (so to speak), and much more subtle than what I just described. When a cracker poisons a DNS server, he or she changes the specific record for a domain, sending you to a Web site very different from the one you intended to access--without your knowledge. Usually, the cracker does this by posing as an official who has the authority to change the destination of a domain name. DNS poisoning is also possible via software vulnerability, however. A white paper by Joe Stewart from the security company Lurhq and published on SecurityFocus offers more about DNS poisoning, including its history.

Consider Panix, Amazon, and Google
In January of 2005, someone fraudulently changed the DNS address for the domain panix.com, a New York State Internet service provider. Ownership of the company was changed from New York to Australia. Requests to reach the panix.com server were redirected to the United Kingdom, and e-mail was redirected to Canada. State and federal authorities are currently investing this case.

Prior to that, in September 2004, a teenager in Germany managed to hijack the domain for eBay.de. I could go on. Other attacks have targeted Amazon.com and Google.com. There were no immediate reports of identity theft resulting from these specific events.

Solutions
Unfortunately, just watching the address bar on your Internet browser won't inform you of any hijacks; to you, the URL and possibly even the spoofed financial site will look just fine. In order to remove pharming as a threat, servers would have to add another layer of authentication: they would need to prove to you that they are who they say they are and establish a trusted link between you and them. That would require the site to obtain a certificate from a certificate authority, such as VeriSign. According to Eschelbeck, most Internet browsers already have the ability to check for the presence of server certificates right now: the problem is on the server side.

A few sites already offer certificates. When you visit these sites, you see a dialog box asking you if you want to trust the certificate; if the name on the certificate doesn't match the site you're attempting to reach, you know that something is amiss, and hopefully you leave. Perhaps your target site (your bank's URL) has been hijacked. If the certificate is OK, you then save the certificate so that when you next return, your browser will know it's reached the right address. You would then log in to the site. There's a slight trade-off in convenience, but the security's worth the added steps.