Understanding PHARMING

by: Zarex dela Cruz, CISSP, CISA on Tuesday, March 17, 2009 4:18 PM

A follow-up on my previous entry about Phishing: here comes another threat on the Net, Pharming. As discussed earlier, phishers bait potential victims with genuine-looking email to convince them to take an action that exposes critical or personal information. A typical example is an email asking you to update your password or provide your bank account information, or asking you to click a link to update your data. Be aware that banks do not email their customers asking them to change their password or provide their PIN or other confidential data. They have better and more secure communication channels for that.

But here comes the joy, or the trouble in this case. Pharming attacks usually do not require convincing emails, and they reach far more victims than phishing does. While phishing tricks victims with genuine-looking emails or links, pharming goes deeper underground, planting a seed for its farm err, pharm?

Pharming cultivation

The technique used in pharming is not new; in fact it has been around for a long time. The difference, however, is the intention: they want your identity or data. Pharming takes advantage of attacks on DNS (the Domain Name System) such as cache poisoning, spoofing, and hijacking. Let's see how this works.

How Pharming Works

  1. An attacker exploits a vulnerability in a DNS server. Using crafted responses, or by taking advantage of a software flaw, the attacker poisons the DNS cache and changes valid entries. Internally, a disgruntled engineer can even manipulate the host lookup on these servers; externally, attackers can take advantage of operating system vulnerabilities.
  2. A user wants to go to the website securetoday.net and enters it in the browser.
  3. The user's computer queries the DNS server to resolve the site. The poisoned DNS server resolves the name to the nefarious fake website, and the user is redirected to securetodat.net.
  4. The user, unaware of what happened, thinks he is on the correct website.

Of course, the fake website has to look as close to the real one as possible to convince victims that they are on the correct website. Once there, they can be asked to log in, provide confidential information, and more.
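Step 1 above works because a resolver will accept whatever reply it receives for an outstanding query. The following is an added example, not code from the original post: a small DNS message parser and the sanity checks a resolver should apply to each reply before caching it (transaction ID matches, the reply is actually a response, the question section echoes the query, and every answer record is for the name that was asked about or a name a CNAME chain leads to). The names securetoday.net and securetodat.net are the post's; the messages, the query ID and the IP addresses (documentation ranges) are constructed here.

```python
import struct

# Added example (not code from the original post): a minimal DNS message parser
# plus the sanity checks a stub resolver should apply to every reply before it
# caches it. The names securetoday.net / securetodat.net come from the post; the
# messages and IP addresses (documentation ranges) are constructed here.

def _encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset_after_name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                         # the name ends after the pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii").lower())
        offset += length

def build_query(qid, name, qtype=1):
    """Standard recursive query for `name` (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)

def build_a_response(qid, qname, owner, ip, ttl=60):
    """Reply carrying one A record. Used here only to construct sample messages;
    `owner` may differ from `qname` to model a stray record for another name."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    owner_bytes = b"\xc0\x0c" if owner == qname else _encode_name(owner)  # pointer to offset 12
    rdata = bytes(int(octet) for octet in ip.split("."))
    return header + question + owner_bytes + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata

def parse_message(msg):
    """Parse header, question and answer sections (authority/additional are skipped)."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                    # A record: dotted IPv4
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == 5:                                 # CNAME: decode the target name
            rdata, _ = _read_name(msg, off)
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, rdata))
    return {"id": qid, "flags": flags, "questions": questions, "answers": answers}

def validate_response(query, response):
    """Return the reasons to discard `response` for `query` (empty list = accept)."""
    q, r = parse_message(query), parse_message(response)
    problems = []
    if r["id"] != q["id"]:
        problems.append("transaction id mismatch")
    if not r["flags"] & 0x8000:
        problems.append("QR bit not set (not a response)")
    if r["questions"] != q["questions"]:
        problems.append("question section does not echo the query")
    # Accept records only for the queried name, or for names a CNAME chain leads to.
    accepted = {q["questions"][0][0]}
    for name, rtype, rdata in r["answers"]:
        if name not in accepted:
            problems.append(f"answer for a name that was not queried: {name}")
        elif rtype == 5:
            accepted.add(rdata)
    return problems

if __name__ == "__main__":
    query = build_query(0x1A2B, "securetoday.net")
    genuine = build_a_response(0x1A2B, "securetoday.net", "securetoday.net", "203.0.113.10")
    stray = build_a_response(0x1A2B, "securetoday.net", "securetodat.net", "198.51.100.7")
    wrong_id = build_a_response(0x1A2C, "securetoday.net", "securetoday.net", "198.51.100.7")
    for label, msg in [("genuine", genuine), ("stray record", stray), ("wrong id", wrong_id)]:
        print(label, "->", validate_response(query, msg) or "accepted")
```

These checks reject sloppy forgeries and stray records, which is what the "crafted responses" of step 1 rely on. A forged reply that guesses the transaction ID and port correctly and answers only for the queried name passes all of them, which is why the certificate warnings discussed at the end of this article are the user's last line of defence, and why DNSSEC validation belongs on the resolver.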

Wall of Sheep

I will discuss the actual and real meaning of Wall of Sheep in a separate article. For now, let me relive one of the cool projects we did back in those college days. The Wall of Sheep was our final project in our "Hacker Tools and Techniques" class. My teammate and I took advantage of iWhack, an (old and already decommissioned) Knoppix-based distro. I think it has been integrated into BackTrack now.

Using the DNS redirect/spoofing program built into the Knoppix, we were able to take advantage of our existing DNS server at school and redirect traffic. We configured it to redirect traffic for the email functions of Yahoo, Hotmail, and AOL. I developed three local virtual sites on my laptop running Apache that were identical in look and feel to the Yahoo, Hotmail and AOL email pages. Behind the login page is the code where I strip off the email address and password, save them in a database, and export them to the Wall of Sheep.

Users who logged in to these fake pages would get an invalid-login error message on the first try. Behind the scenes, my code was actually stealing their information. They were then redirected to another local page on my Apache server. The DNS-redirect program knows this page and ignores it, and then redirects to the actual Yahoo or Hotmail login page. Cool?

The Wall of Sheep was viewed by everyone in our class during the project presentation, but it had been running for a few days. It listed actual compromised emails. We did not display their passwords, for their protection, but we kept them to use in exchange for something. Like their watch or backpack. Just kidding.

That example above is a type of pharming. We took advantage of the DNS traffic by intercepting it from the wire (non-switched environment) and redirecting all queries to our rogue DNS server, where we explicitly defined which addresses to redirect and to where.

The virtual sites I created are the fake websites that fool victims into thinking they are on the correct website, only to find out that they weren't but instead are now being viewed on the Wall of Sheep in class. I think we got an A in that class?

Any advice for users?

  • As I mentioned in my Phishing article, one of the best countermeasures is awareness. By understanding how these attacks work, you can add extra caution to your day-to-day work, simply by sorting your emails into trusted and not trusted. If it sounds too good to be true, watch out! It may sound too good to be true, but there is a catch, and that catch might be the big fish that phishers have been waiting for.
  • Installing anti-virus is a must. You should not be reading this article, I really mean surfing the Internet, without the latest, up-to-date antivirus software. It is not really expensive compared to the loss you can suffer if you are compromised.
  • Installing anti-spyware programs also helps: they check whether there are unwanted programs running on your computer and can even monitor phishing attacks in real time. I've tried AdAware and Spybot S&D; the new Windows Defender is also good. As with anti-virus, anti-spyware programs need to be updated with the latest definitions; they are as good as not having one if you are not up to date.
  • Most, if not all, browsers today support, or even come built in with, a site checker. The new Internet Explorer includes a feature to check whether the site you are accessing is safe or not. McAfee's SiteAdvisor is also a good program you can install in your browser. It may cost a little performance, but it helps you detect in real time whether the site you are about to access is bad.
  • Also, most users ignore these, but check the security alerts that pop up when you are accessing an SSL-enabled site (https://). Check whether you are on the wrong site or the site's certificate has expired. The certificate proves the website is who it says it is, so don't just ignore those alerts. If the site certificate is invalid, it could mean that it is not a trusted site, and I don't encourage you to proceed.
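The last bullet is where pharming is caught in practice: a poisoned DNS answer sends the browser to the attacker's server, but that server cannot present a certificate issued for the real name, so the browser warns. The following is an added example, not code from the original post, that writes out the two checks behind that warning: does a name on the certificate match the host the user typed (with the wildcard rules browsers apply), and is the certificate within its validity period. The certificate dicts are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the names are the post's, and the dates and the fixed "current time" are assumptions so the output is reproducible. Chain and signature validation are left to the TLS library.

```python
import ssl
import time

# Added example (not code from the original post): the hostname and validity
# checks a browser applies to a site certificate. The certificate dicts below
# are constructed samples in the shape returned by ssl.SSLSocket.getpeercert();
# the names come from the post, the dates are assumed.

def name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a wildcard that replaces
    exactly one leftmost label (so *.securetoday.net covers mail.securetoday.net,
    but not securetoday.net itself, a.b.securetoday.net, or anything under *.net)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]

def check_certificate(cert, hostname, now=None):
    """Return the reasons `cert` must not be trusted for `hostname` (empty = acceptable).
    Chain/signature validation is done by the TLS library and is out of scope here."""
    now = time.time() if now is None else now
    problems = []
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:   # legacy fallback: subject CN only when no SAN entries exist
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: certificate is for {names}, not '{hostname}'")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired on " + cert["notAfter"])
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid until " + cert["notBefore"])
    return problems

# Constructed sample certificates (not real certificates).
GENUINE = {
    "subject": ((("commonName", "securetoday.net"),),),
    "subjectAltName": (("DNS", "securetoday.net"), ("DNS", "www.securetoday.net")),
    "notBefore": "Mar 17 00:00:00 2009 GMT",
    "notAfter": "Mar 17 00:00:00 2011 GMT",
}
# What a lookalike server can present: a certificate for its own name, not the real one.
LOOKALIKE = dict(GENUINE, subject=((("commonName", "securetodat.net"),),),
                 subjectAltName=(("DNS", "securetodat.net"),))
EXPIRED = dict(GENUINE, notAfter="Mar 17 00:00:00 2010 GMT")

# Fixed "current time" (assumed) so the results are reproducible: 16 July 2010.
NOW = ssl.cert_time_to_seconds("Jul 16 20:12:00 2010 GMT")

if __name__ == "__main__":
    for label, cert in [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("expired", EXPIRED)]:
        print(label, "->", check_certificate(cert, "securetoday.net", NOW) or "OK")
```

The point of the wildcard rule is that a certificate for `*.net` or for a sibling name can never vouch for `securetoday.net`; a mismatch is exactly the alert the bullet tells users not to click through.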

So in our world, we thank our farmers for doing their best to give us the food we eat at our tables. But in the IT security world, watch out for those 'pharmers': they want to scrape the food off your table.

1 Response to Understanding PHARMING

  1. Rogue Spyware says:

    July 16th, 2010 at 8:12 PM

    Wow, Wall of Sheep... I hadn't heard this term. Good info. The built-in website checker is a huge heads-up; I recommend it.