If not redirected, please click here https://www.thesecuritybuddy.com/phishing/what-is-pharming-and-how-to-prevent-it/
Pharming is a
scamming technique in which attackers redirect traffic of a
legitimate website to another fraudulent website with the purpose of
spreading malware or stealing sensitive data from victims. A typical
example of pharming will be – a user types amazon.com in the URL
bar, but gets redirected to a fraudulent website which looks
identical to Amazon website. And, when the user types in his
credentials or banking details, the information directly goes to the
attackers. Attackers often use several techniques to make it
possible.
Pharming vs Phishing
In phishing,
attackers typically send a victim an email or SMS containing a link
or tricks the victim into clicking on a malicious link in some other
way. The malicious link may point to a website which looks quite
identical to some legitimate website. If the victim does not
understand the trickery and ends up giving sensitive details like
credentials or banking information, the information directly goes to
the attackers. So, in other words, in a phishing scam, attackers may
use an identical looking website, but URL of the website will be
different from the actual one, though a victim may not notice the
difference and fall prey.
In pharming, on the
other hand, a victim types the correct URL of a legitimate website,
yet he gets redirected to an identical looking fraudulent website.
Attackers often use techniques like DNS Cache Poisoning or compromise
host file in a computer to make it possible.
So, in other words,
phishing typically uses a bait in the form of a phony email, link or
attachment to redirect a user to a fraudulent website, whereas
pharming can automatically redirect a user to a fraudulent website,
even though the user has typed in the correct URL in the address bar.
How is Pharming done ?
Two major techniques
used by attackers in pharming are host file modification and DNS
Cache Poisoning. Let’s understand in more detail how these two
methods are actually used in pharming.
Pharming using host file modification
When we type a URL
in the address bar of a browser, the URL gets converted into a IP
address and the IP address is then used to access the actual website.
A computer often uses a host file to map IP addresses. A host file is
an operating system file that maps hostnames to IP addresses.
Attackers often use malware to compromise the host file in a
computer, so that when a user types in a legitimate website in the
address bar of a browser, the browser gets the IP address of the
fraudulent website instead and the user gets redirected to the
malicious website, though he typed in the correct URL.
Pharming using DNS Cache Poisoning
When we type a URL
of a website in the address bar of the browser, our computer contacts
the Domain Name Servers or DNS Servers to resolve the IP address of
the website. Now, the Internet does not have a single DNS Server,
because that would be very inefficient. Instead, our ISP runs its own
DNS Servers, which cache information from other DNS Servers. Our home
router has its own DNS Server, which caches information from ISP's
DNS Servers. And, our computer has a local DNS cache, which stores
responses of previous DNS queries made by the computer.
The
function of DNS cache is to store responses of previously made
DNS queries, so that next time the same DNS query is made, it doesn't
have to contact the DNS Servers again. Instead, it can retrieve the
IP address from its cache.
DNS
Cache is said to be poisoned when stores a malicious entry instead of
a valid one. For example, if we type google.com, for the first time
our computer will make a DNS query to appropriate DNS Server and once
it gets a response, it will store the IP address of google.com in its
DNS Cache, with a timestamp up to which the entry remains valid.
Within that time, if we type google.com again, our computer will look
at its DNS Cache for the entry.
Suppose,
our computer has made a DNS query and waiting for a response from the
DNS Servers. But, instead of an authentic response it gets a response
containing IP address of the attacker's website. So, its DNS Cache
will be poisoned and next time onwards whenever the computer will try
to resolve the IP address of the same URL, it will end up being to
the attacker's website.
In
similar way, DNS Cache of any DNS Server also may get poisoned.
Because, ISP's DNS Server gets response from other DNS Servers and it
stores the responses in its cache. If that cache is poisoned, the
same poisoned entry will spread to all home routers and from them to
all computers.
Attackers
often use DNS Cache Poisoning for the purpose of pharming. They
poison the DNS Cache to store IP address of their malicious website,
so that even though a user types in the correct URL, the browser gets
IP address of the fraudulent website and the user gets redirected to
the attackers’ website even though he typed in the correct URL.
How to prevent Pharming ?
We
can always take a couple of steps to protect ourselves in a better
way.
-
ISPs can do much to prevent pharming. They can filter out malicious redirects up to a great extent. So, use a trusted ISP. Rigorous security at the ISP level can be a good first line of defense against pharming.
-
It is always a good practice to look at the address bar of a browser and check whether there is any spelling mistakes in the URL before providing any credentials to the website.
-
Pharmers often target banking and ecommerce websites. So, before typing in any financial details, it is always a good practice to verify whether HTTPS is being used. No legitimate website will transfer any sensitive information without using HTTPS.
-
It is always a good practice to verify the digital certificate of a website when you have any doubt. You can go to browser properties menu and click on the “Certificate” tab to verify whether the website is using a secure certificate from its legitimate owner.
-
Look at the padlock of the address bar of a browser to verify whether the connection is secure. An unlocked padlock indicates an unsecured connection.
-
Use anti-malware programs from trusted sources and keep them updated regularly. Some anti-malware programs can detect pharming.
-
Keep your Operating System and browser updated with recent security patches. Attackers often exploit security vulnerabilities present in a system to infect the system. More updated a software is, lesser are its security vulnerabilities.
No comments:
Post a Comment