Monday, April 10, 2017

What is Pharming ?



Pharming is a scamming technique in which attackers redirect traffic of a legitimate website to another fraudulent website with the purpose of spreading malware or stealing sensitive data from victims. A typical example of pharming will be – a user types amazon.com in the URL bar, but gets redirected to a fraudulent website which looks identical to Amazon website. And, when the user types in his credentials or banking details, the information directly goes to the attackers. Attackers often use several techniques to make it possible.




Pharming vs Phishing


In phishing, attackers typically send a victim an email or SMS containing a link or tricks the victim into clicking on a malicious link in some other way. The malicious link may point to a website which looks quite identical to some legitimate website. If the victim does not understand the trickery and ends up giving sensitive details like credentials or banking information, the information directly goes to the attackers. So, in other words, in a phishing scam, attackers may use an identical looking website, but URL of the website will be different from the actual one, though a victim may not notice the difference and fall prey.

In pharming, on the other hand, a victim types the correct URL of a legitimate website, yet he gets redirected to an identical looking fraudulent website. Attackers often use techniques like DNS Cache Poisoning or compromise host file in a computer to make it possible.

So, in other words, phishing typically uses a bait in the form of a phony email, link or attachment to redirect a user to a fraudulent website, whereas pharming can automatically redirect a user to a fraudulent website, even though the user has typed in the correct URL in the address bar.


How is Pharming done ?


Two major techniques used by attackers in pharming are host file modification and DNS Cache Poisoning. Let’s understand in more detail how these two methods are actually used in pharming.


Pharming using host file modification


When we type a URL in the address bar of a browser, the URL gets converted into a IP address and the IP address is then used to access the actual website. A computer often uses a host file to map IP addresses. A host file is an operating system file that maps hostnames to IP addresses. Attackers often use malware to compromise the host file in a computer, so that when a user types in a legitimate website in the address bar of a browser, the browser gets the IP address of the fraudulent website instead and the user gets redirected to the malicious website, though he typed in the correct URL.

Pharming using DNS Cache Poisoning


When we type a URL of a website in the address bar of the browser, our computer contacts the Domain Name Servers or DNS Servers to resolve the IP address of the website. Now, the Internet does not have a single DNS Server, because that would be very inefficient. Instead, our ISP runs its own DNS Servers, which cache information from other DNS Servers. Our home router has its own DNS Server, which caches information from ISP's DNS Servers. And, our computer has a local DNS cache, which stores responses of previous DNS queries made by the computer.

The function of DNS cache is to store responses of previously made DNS queries, so that next time the same DNS query is made, it doesn't have to contact the DNS Servers again. Instead, it can retrieve the IP address from its cache.

DNS Cache is said to be poisoned when stores a malicious entry instead of a valid one. For example, if we type google.com, for the first time our computer will make a DNS query to appropriate DNS Server and once it gets a response, it will store the IP address of google.com in its DNS Cache, with a timestamp up to which the entry remains valid. Within that time, if we type google.com again, our computer will look at its DNS Cache for the entry.

Suppose, our computer has made a DNS query and waiting for a response from the DNS Servers. But, instead of an authentic response it gets a response containing IP address of the attacker's website. So, its DNS Cache will be poisoned and next time onwards whenever the computer will try to resolve the IP address of the same URL, it will end up being to the attacker's website.

In similar way, DNS Cache of any DNS Server also may get poisoned. Because, ISP's DNS Server gets response from other DNS Servers and it stores the responses in its cache. If that cache is poisoned, the same poisoned entry will spread to all home routers and from them to all computers.

Attackers often use DNS Cache Poisoning for the purpose of pharming. They poison the DNS Cache to store IP address of their malicious website, so that even though a user types in the correct URL, the browser gets IP address of the fraudulent website and the user gets redirected to the attackers’ website even though he typed in the correct URL.


How to prevent Pharming ?


We can always take a couple of steps to protect ourselves in a better way.

  • ISPs can do much to prevent pharming. They can filter out malicious redirects up to a great extent. So, use a trusted ISP. Rigorous security at the ISP level can be a good first line of defense against pharming.
  • It is always a good practice to look at the address bar of a browser and check whether there is any spelling mistakes in the URL before providing any credentials to the website.
  • Pharmers often target banking and ecommerce websites. So, before typing in any financial details, it is always a good practice to verify whether HTTPS is being used. No legitimate website will transfer any sensitive information without using HTTPS.
  • It is always a good practice to verify the digital certificate of a website when you have any doubt. You can go to browser properties menu and click on the “Certificate” tab to verify whether the website is using a secure certificate from its legitimate owner.
  • Look at the padlock of the address bar of a browser to verify whether the connection is secure. An unlocked padlock indicates an unsecured connection.
  • Use anti-malware programs from trusted sources and keep them updated regularly. Some anti-malware programs can detect pharming.
  • Keep your Operating System and browser updated with recent security patches. Attackers often exploit security vulnerabilities present in a system to infect the system. More updated a software is, lesser are its security vulnerabilities.

No comments:

Post a Comment