Number 269 - October 2005

First Phishing, Now Pharming
by John Pearce, Pikes Peak Computer Application Society, Colorado Springs, CO
   First, there was phishing trying to collect personal information. A newer attack called pharming is trying to do the same thing in a more technologically sophisticated way. You need to be on guard but neither phishing nor pharming should keep you away from the Internet. Let's take a quick overview of both.

   Phishing starts with an e-mail, typically from a financial institution, with a message that some dire consequences will happen if you don't immediately verify your account information. A web site link is conveniently provided for you in the e-mail. The provided link is to a web page that looks like the real web site but is actually a web site controlled by the bad guys. The fraudulent web page asks you to enter credit card and billing information or possibly user name and password information. You can imagine what the bad guys are going to do with the information they collect.

   Pharming is a way for the bad guys to redirect your web browsing to a site which they control. Pharming is also known as DNS (Domain Name System) cache poisoning. DNS is what converts human-friendly names like webboard.apcug.org to numerical addresses like 192.160.122.122. The bad guys want to impact the largest number of Internet users possible, so ISPs and large corporations are the most likely targets of pharming attacks. One goal is to download spyware or adware to your PC.

   Protecting yourself from phishing attacks is as simple as ignoring the e-mail. All but one of the dozen or so phishing e-mails I have received have been from banks where I don't have an account. In that case, delete the e-mail and go on with your life. If you have an account with the financial institution and are concerned, use the telephone and ask to speak with their Internet security department. If you go to the web site to log in, type the web site URL into the browser - do not use the link provided in the e-mail.

   Protecting yourself from pharming attacks takes a little effort. Start by keeping your browser updated with all the security patches. Next, you should be sure the padlock icon is displayed on any page where you enter personal information such as username, account number, or password. The padlock icon indicates you are connected to the legitimate owner of the URL and the data you enter is protected by SSL encryption during transmission. The bad guys would have to know the private key of the site in order to make the padlock appear. You can view the security information by double-clicking the padlock icon on your browser. You can also use a tool like SpoofStick to confirm the URL of the web page you're viewing.

   Two other exploits are worth a quick mention. The first is an instant messaging worm that changes the content of the hosts file on your PC. This is effectively the same as DNS cache poisoning. The other exploit is domain hijacking, which is done by manipulating the domain name registrars. Domain hijacking is what happened to Panix, a New York ISP, in January.
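
   Because a changed hosts file overrides DNS for that one PC, it is worth reviewing what the file contains. The following is an added example, not part of the original article: a small Python audit that lists every hosts entry other than the normal localhost lines. The sample file contents, the .example host names and the 203.0.113.45 address are constructed for illustration.

```python
import ipaddress

# Constructed sample, not taken from a real PC. On Windows the real file is
# %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # sinkhole entry
203.0.113.45    www.bank.example bank.example
203.0.113.45    localhost
not-an-ip       broken.example.org
"""

def audit_hosts(text, allowed_names=("localhost",)):
    """Return (line_no, name, address, reason) for each entry worth reviewing."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()    # drop comments, split on whitespace
        if not fields:
            continue                             # blank or comment-only line
        addr_text, names = fields[0], fields[1:]
        try:
            addr = ipaddress.ip_address(addr_text.split("%")[0])  # ignore IPv6 zone id
        except ValueError:
            findings.append((line_no, " ".join(names), addr_text, "unparseable address"))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name in allowed_names:
                # localhost is expected, but only when it points at loopback
                if not addr.is_loopback:
                    findings.append((line_no, name, str(addr), "localhost not on loopback"))
            elif addr.is_loopback or addr.is_unspecified:
                # the name is made unreachable (ad blocking, or blocked updates)
                findings.append((line_no, name, str(addr), "blocked locally"))
            else:
                # the name resolves to whatever the file says instead of asking DNS
                findings.append((line_no, name, str(addr), "redirected"))
    return findings

if __name__ == "__main__":
    for line_no, name, addr, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} ({reason})")
```

   An unmodified hosts file produces no findings; entries you or your administrator added on purpose will also be listed and can be ignored after review.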

   Being aware of phishing and pharming along with a little care and caution will keep your web browsing safe from the bad guys.

   There is no restriction against any non-profit group using this article as long as it is kept in context with proper credit given the author. The Editorial Committee of the Association of Personal Computer User Groups (APCUG), an international organization of which this group is a member, brings this article to you.