Pharming: Difference between revisions

From Wikipedia, the free encyclopedia
m Clarify one sentence, fix punctuation
GreenC bot (talk | contribs)
 
(21 intermediate revisions by 19 users not shown)
Line 1: Line 1:
{{hatnote group|
{{hatnote|This article is about cyberattacks. For other uses, see [[Pharming (genetics)]] and [[Pharming party]]. It is not to be confused with [[Farming]].}}
{{about|a kind of cyberattack|other uses|Pharming (genetics)|and|Pharming party}}
{{Refimprove|date=January 2009}}
{{distinguish|Farming}}
'''Pharming'''{{efn|The word "pharming" is pronounced as "farm-ing".|name=pro}} is a [[cyberattack]] intended to redirect a [[website]]'s traffic to another, fake site. Pharming can be conducted either by changing the [[hosts file]] on a victim's computer or by [[Exploit (computer security)|exploitation]] of a [[vulnerability (computing)|vulnerability]] in [[Domain name system|DNS server]] [[software]]. DNS servers are computers responsible for resolving Internet names into their real [[IP address]]es. Compromised DNS servers are sometimes referred to as [[DNS spoofing|"poisoned"]].
}}
Pharming requires unprotected access to target a computer, such as altering a customer's home computer, rather than a corporate business server.
{{More citations needed|date=January 2009}}
'''Pharming'''{{efn|The word "pharming" is pronounced as "farm-ing".|name=pro}} is a [[cyberattack]] intended to redirect a [[website]]'s traffic to another, fake site by installing a malicious program on the victim's computer in order to gain access to it.{{citation needed|date=November 2021}} Pharming can be conducted either by changing the [[hosts file]] on a victim's computer or by [[Exploit (computer security)|exploitation]] of a [[vulnerability (computing)|vulnerability]] in [[Domain name system|DNS server]] [[software]]. DNS servers are computers responsible for resolving Internet names into their real [[IP address]]es. Compromised DNS servers are sometimes referred to as [[DNS spoofing|"poisoned"]]. Pharming requires unprotected access to target a computer, such as altering a customer's home computer, rather than a corporate business server.{{citation needed|date=November 2021}}


The term "pharming" is a [[neologism]] based on the words "farming" and "[[phishing]]". Phishing is a type of [[social engineering (computer security)|social-engineering]] attack to obtain [[Authentication|access credentials]], such as [[user name]]s and [[password]]s. In recent years, both pharming and phishing have been used to gain information for [[online identity theft]]. Pharming has become of major concern to businesses hosting [[ecommerce]] and [[online banking]] websites. Sophisticated measures known as [[anti-pharming]] are required to protect against this serious [[threat (computer)|threat]]. [[Antivirus software]] and [[spyware removal software]] cannot protect against pharming.
The term "pharming" is a [[neologism]] based on the words "farming" and "[[phishing]]". Phishing is a type of [[social engineering (computer security)|social-engineering]] attack to obtain [[Authentication|access credentials]], such as [[user name]]s and [[password]]s. In recent years, both pharming and phishing have been used to gain information for [[online identity theft]]. Pharming has become of major concern to businesses hosting [[ecommerce]] and [[online banking]] websites. Sophisticated measures known as [[anti-pharming]] are required to protect against this serious [[threat (computer)|threat]]. [[Antivirus software]] and [[spyware removal software]] cannot protect against pharming.
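Review bot: the clause added to the lead in the new line, "by installing a malicious program on the victim's computer in order to gain access to it", is tagged {{citation needed}} and conflicts with the sentence that follows it, which says pharming can also be carried out by exploiting a vulnerability in DNS server software, a path that installs nothing on the victim's machine. Suggest dropping the clause or narrowing it (for example "in some cases by installing a malicious program ...") so the lead does not define pharming by only one of the two mechanisms it goes on to list.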
Line 8: Line 10:
== Pharming vulnerability at home and work ==
== Pharming vulnerability at home and work ==


While malicious domain-name resolution can result from compromises in the large numbers of trusted nodes from a name lookup, the most vulnerable points of compromise are near the leaves of the Internet. For instance, incorrect entries in a desktop computer's ''[[hosts file]]'', which circumvents name lookup with its own local name to IP address mapping, is a popular target for malware. Once rewritten, a legitimate request for a sensitive website can direct the user to a fraudulent copy. Personal computers such as [[Desktop computer|desktops]] and [[Laptop|laptops]] are often better targets for pharming because they receive poorer administration than most Internet servers.
While malicious domain-name resolution can result from compromises in the large numbers of trusted nodes from a name lookup, the most vulnerable points of compromise are near the leaves of the Internet. For instance, incorrect entries in a desktop computer's ''[[hosts file]]'', which circumvents name lookup with its own local name to IP address mapping, is a popular target for malware. Once rewritten, a legitimate request for a sensitive website can direct the user to a fraudulent copy. Personal computers such as [[Desktop computer|desktops]] and [[laptop]]s are often better targets for pharming because they receive poorer administration than most Internet servers.


More worrisome than host-file attacks is the compromise of a local [[network router]]. Since most routers specify a trusted DNS to clients as they join the network, misinformation here will spoil lookups for the entire [[Local Area Network|LAN]]. Unlike host-file rewrites, local-router compromise is difficult to detect. Routers can pass bad DNS information in two ways: misconfiguration of existing settings or wholesale rewrite of [[embedded software]] (aka [[firmware]]). Many routers allow the administrator to specify a particular, trusted DNS in place of the one suggested by an upstream node (e.g., the [[Internet Service Provider|ISP]]). An attacker could specify a DNS server under his control instead of a legitimate one. All subsequent resolutions would go through the bad server.
More worrisome than host-file attacks is the compromise of a local [[network router]]. Since most routers specify a trusted DNS to clients as they join the network, misinformation here will spoil lookups for the entire [[local area network|LAN]]. Unlike host-file rewrites, local-router compromise is difficult to detect. Routers can pass bad DNS information in two ways: misconfiguration of existing settings or wholesale rewrite of [[embedded software]] (aka [[firmware]]). Many routers allow the administrator to specify a particular, trusted DNS in place of the one suggested by an upstream node (e.g., the [[Internet Service Provider|ISP]]). An attacker could specify a DNS server under his control instead of a legitimate one. All subsequent resolutions would go through the bad server.


Alternatively, many routers have the ability to replace their [[firmware]] (i.e. the internal software that executes the device's more complex services). Like malware on desktop systems, a firmware replacement can be very difficult to detect. A stealthy implementation will appear to behave the same as the manufacturer's firmware; the administration page will look the same, settings will appear correct, etc. This approach, if well executed, could make it difficult for network administrators to discover the reconfiguration, if the device appears to be configured as the administrators intend but actually redirects DNS traffic in the background. Pharming is only one of many attacks that malicious firmware can mount; others include eavesdropping, active [[man in the middle attack]]s, and traffic logging. Like misconfiguration, the entire LAN is subject to these actions.
Alternatively, many routers have the ability to replace their [[firmware]] (i.e. the internal software that executes the device's more complex services). Like malware on desktop systems, a firmware replacement can be very difficult to detect. A stealthy implementation will appear to behave the same as the manufacturer's firmware; the administration page will look the same, settings will appear correct, etc. This approach, if well executed, could make it difficult for network administrators to discover the reconfiguration, if the device appears to be configured as the administrators intend but actually redirects DNS traffic in the background. Pharming is only one of many attacks that malicious firmware can mount; others include eavesdropping, active [[man in the middle attack]]s, and traffic logging. Like misconfiguration, the entire LAN is subject to these actions.
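Review bot: subject-verb agreement is still off in the new line of the first paragraph, "incorrect entries in a desktop computer's ''[[hosts file]]'' ... is a popular target for malware"; the "[[laptop]]s" link change is fine, but while this paragraph is being touched consider "the ''[[hosts file]]'' ... is a popular target" or "incorrect entries ... are a popular target".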
Line 18: Line 20:
== Instances of pharming ==
== Instances of pharming ==


On 15th January 2005, the domain name for a large New York ISP, [[Panix (ISP)|Panix]], was [[Domain hijacking|hijacked]] to point to a website in [[Australia]]. No financial losses are known. The domain was later restored on 17th January, and [[ICANN]]'s review blames [[Melbourne IT]] (now known as "Arq Group") "as a result of a failure of Melbourne IT to obtain express authorization (sic) from the registrant in accordance with ICANN's Inter-Registrar Transfer Policy."<ref>{{cite news
On 15 January 2005, the domain name for a large New York ISP, [[Panix (ISP)|Panix]], was [[Domain hijacking|hijacked]] to point to a website in [[Australia]]. No financial losses are known. The domain was later restored on 17 January, and [[ICANN]]'s review blames [[Melbourne IT]] (now known as "Arq Group") "as a result of a failure of Melbourne IT to obtain express authorization from the registrant in accordance with ICANN's Inter-Registrar Transfer Policy."<ref>{{cite news
| url=https://www.smh.com.au/national/icann-review-blames-melb-it-for-hijack-20050316-gdkxks.html
| url=https://www.smh.com.au/national/icann-review-blames-melb-it-for-hijack-20050316-gdkxks.html
| title=ICANN review blames Melb IT for hijack
| title=ICANN review blames Melb IT for hijack
Line 24: Line 26:
| publisher=The Sydney Morning Herald}}</ref>
| publisher=The Sydney Morning Herald}}</ref>


In February 2007, a pharming attack affected at least 50 financial companies in the U.S., Europe, and Asia. Attackers created a similar page for each targeted financial company, which requires effort and time. Victims clicked on a specific website that had a malicious code. This website forced consumers' computers to download a [[Trojan horse (computing)|Trojan horse.]] Subsequent login information from any of the targeted financial companies was collected.The amount of individuals affected is unknown but the incident continued for three days.<ref>{{Cite web|date=2007-02-22|title=Pharming Attack Targeted Bank Customers Worldwide|url=https://www.pcworld.com/article/129270/article.html|access-date=2020-07-24|website=PCWorld|language=en}}</ref>
In February 2007, a pharming attack affected at least 50 financial companies in the U.S., Europe, and Asia. Attackers created a similar page for each targeted financial company, which requires effort and time. Victims clicked on a specific website that had a malicious code. This website forced consumers' computers to download a [[Trojan horse (computing)|Trojan horse.]] Subsequent login information from any of the targeted financial companies was collected. The number of individuals affected is unknown but the incident continued for three days.<ref>{{Cite web|date=2007-02-22|title=Pharming Attack Targeted Bank Customers Worldwide|url=https://www.pcworld.com/article/129270/article.html|access-date=2020-07-24|website=PCWorld|language=en}}</ref>


In January 2008, [[NortonLifeLock|Symantec]] reported a drive-by pharming incident, directed against a Mexican bank, in which the DNS settings on a customer's home router were changed after receipt of an e-mail that appeared to be from a legitimate Spanish-language greeting-card company.<ref>{{cite news
In January 2008, [[NortonLifeLock|Symantec]] reported a drive-by pharming incident, directed against a Mexican bank, in which the DNS settings on a customer's home router were changed after receipt of an e-mail that appeared to be from a legitimate Spanish-language greeting-card company.<ref>{{cite news
| url=http://www.networkworld.com/article/2282527/lan-wan/first-case-of--drive-by-pharming--identified-in-the-wild.html
| url=https://www.networkworld.com/article/809822/lan-wan-first-case-of-drive-by-pharming-identified-in-the-wild.html
| last=Messmer
| last=Messmer
| first=Ellen
| first=Ellen
Line 38: Line 40:


==See also==
==See also==
* [[Phishing]]
* [[DNS spoofing]]
* [[DNS spoofing]]
* [[IT risk]]
* [[IT risk]]
* [[Mutual authentication]]
* [[Mutual authentication]]
* [[Page hijacking]]
* [[Trusteer]]
* [[Trusteer]]


Line 56: Line 58:
|publisher = Windows IT Pro Magazine
|publisher = Windows IT Pro Magazine
|url-status = dead
|url-status = dead
|archiveurl = https://web.archive.org/web/20050811085205/http://www.windowsitpro.com/Article/ArticleID/46789/46789.html?Ad=1
|archive-url = https://web.archive.org/web/20050811085205/http://www.windowsitpro.com/Article/ArticleID/46789/46789.html?Ad=1
|archivedate = August 11, 2005
|archive-date = August 11, 2005
}}
}}
* {{cite news|url=http://www.csoonline.com/talkback/071905.html |title=How Can We Stop Phishing and Pharming Scams? |date=July 20, 2005 |publisher=CSO Magazine |url-status=dead |archiveurl=https://web.archive.org/web/20051124105904/http://www.csoonline.com/talkback/071905.html |archivedate=November 24, 2005 }}
* {{cite news|url=http://www.csoonline.com/talkback/071905.html |title=How Can We Stop Phishing and Pharming Scams? |date=July 20, 2005 |publisher=CSO Magazine |url-status=dead |archive-url=https://web.archive.org/web/20051124105904/http://www.csoonline.com/talkback/071905.html |archive-date=November 24, 2005 }}


==External links==
==External links==

Latest revision as of 20:00, 26 April 2024

Pharming[a] is a cyberattack intended to redirect a website's traffic to another, fake site by installing a malicious program on the victim's computer in order to gain access to it.[citation needed] Pharming can be conducted either by changing the hosts file on a victim's computer or by exploiting a vulnerability in DNS server software. DNS servers are the computers responsible for resolving Internet names into their real IP addresses. Compromised DNS servers are sometimes referred to as "poisoned". Pharming requires unprotected access to the target computer, so it typically alters a customer's home computer rather than a corporate business server.[citation needed]

The term "pharming" is a neologism based on the words "farming" and "phishing". Phishing is a type of social-engineering attack used to obtain access credentials, such as user names and passwords. In recent years, both pharming and phishing have been used to gather information for online identity theft. Pharming has become a major concern for businesses hosting e-commerce and online banking websites. Sophisticated measures known as anti-pharming are required to protect against this serious threat. Antivirus software and spyware removal software cannot protect against pharming.

Pharming vulnerability at home and work

While malicious domain-name resolution can result from compromises anywhere among the large number of trusted nodes involved in a name lookup, the most vulnerable points of compromise are near the leaves of the Internet. For instance, a desktop computer's hosts file, which bypasses DNS lookup with its own local name-to-IP-address mapping, is a popular target for malware: once its entries are rewritten, a legitimate request for a sensitive website can direct the user to a fraudulent copy. Personal computers such as desktops and laptops are often better targets for pharming because they receive poorer administration than most Internet servers.

More worrisome than hosts-file attacks is the compromise of a local network router. Since most routers hand clients the address of a trusted DNS server as they join the network, misinformation here will spoil lookups for the entire LAN. Unlike hosts-file rewrites, local-router compromise is difficult to detect. Routers can pass bad DNS information in two ways: misconfiguration of existing settings, or wholesale rewrite of the embedded software (also known as firmware). Many routers allow the administrator to specify a particular, trusted DNS server in place of the one suggested by an upstream node (e.g., the ISP). An attacker could specify a DNS server under their control instead of a legitimate one, and all subsequent resolutions would go through the bad server.

Alternatively, many routers have the ability to replace their firmware (i.e., the internal software that executes the device's more complex services). Like malware on desktop systems, a firmware replacement can be very difficult to detect. A stealthy implementation will appear to behave the same as the manufacturer's firmware: the administration page will look the same, settings will appear correct, and so on. If well executed, this approach could make it difficult for network administrators to discover the reconfiguration, since the device appears to be configured as the administrators intend but actually redirects DNS traffic in the background. Pharming is only one of many attacks that malicious firmware can mount; others include eavesdropping, active man-in-the-middle attacks, and traffic logging. As with misconfiguration, the entire LAN is subject to these actions.

By themselves, these pharming approaches have only academic interest. However, the ubiquity of consumer-grade wireless routers presents a massive vulnerability. On most of these devices, administrative access is available over the wireless interface. Moreover, since these routers often run with their default settings, administrative passwords are commonly left unchanged. Even when changed, many are guessed quickly through dictionary attacks, since most consumer-grade routers do not impose timing penalties for incorrect login attempts. Once administrative access is obtained, all of the router's settings, including the firmware itself, may be altered. These attacks are difficult to trace because they occur outside the home or small office and outside the Internet.
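A defender-side check for the two leaf-level vectors described in this section, a rewritten hosts file and a router handing out an untrusted resolver, as an added example that is not part of the Wikipedia article; the sensitive domains, trusted resolver addresses and file contents are constructed sample data, not values from any real deployment:

```python
"""Audit a hosts file and a resolver configuration for pharming indicators.

Added example, not code from the Wikipedia article. Every domain, address
and file body below is constructed sample data for illustration.
"""
import ipaddress

# Names that must never be overridden locally (constructed allowlist).
SENSITIVE_DOMAINS = {"bank.example", "login.example"}
# Resolvers the defender expects DHCP to hand out (constructed values).
TRUSTED_RESOLVERS = {"192.0.2.53", "2001:db8::53"}

# Constructed hosts file: one benign developer override, one malicious pin.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
127.0.0.1   dev.internal.example        # legitimate local override
198.51.100.7   bank.example www.bank.example   # injected by malware
"""

# Constructed resolv.conf as a compromised home router might populate it.
SAMPLE_RESOLV = """\
# handed out by the home router via DHCP
nameserver 192.0.2.53
nameserver 203.0.113.9
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")


def hosts_findings(text):
    """Flag entries that pin a sensitive domain (or a subdomain of one)
    to anything other than a loopback address."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"unparseable address {ip!r} for {name}")
            continue
        sensitive = any(name == d or name.endswith("." + d)
                        for d in SENSITIVE_DOMAINS)
        if sensitive and not addr.is_loopback:
            findings.append(f"{name} pinned to {ip} (possible pharming)")
    return findings


def resolver_findings(text):
    """Flag nameserver lines that are not on the trusted-resolver list;
    a misconfigured or hijacked router shows up here first."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            if fields[1] not in TRUSTED_RESOLVERS:
                findings.append(f"untrusted resolver {fields[1]}")
    return findings


def audit(hosts_text, resolv_text):
    """Run both checks and return the findings keyed by source."""
    return {"hosts": hosts_findings(hosts_text),
            "resolver": resolver_findings(resolv_text)}
```

Running `audit(SAMPLE_HOSTS, SAMPLE_RESOLV)` reports the two pinned bank names and the unexpected resolver while leaving the loopback developer override alone.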

Instances of pharming

On 15 January 2005, the domain name for a large New York ISP, Panix, was hijacked to point to a website in Australia. No financial losses are known. The domain was later restored on 17 January, and ICANN's review blames Melbourne IT (now known as "Arq Group") "as a result of a failure of Melbourne IT to obtain express authorization from the registrant in accordance with ICANN's Inter-Registrar Transfer Policy."[1]

In February 2007, a pharming attack affected at least 50 financial companies in the U.S., Europe, and Asia. Attackers created a look-alike page for each targeted financial company, which takes effort and time. Victims clicked on a specific website that hosted malicious code, which forced consumers' computers to download a Trojan horse. Subsequent login information for any of the targeted financial companies was collected. The number of individuals affected is unknown, but the incident continued for three days.[2]

In January 2008, Symantec reported a drive-by pharming incident, directed against a Mexican bank, in which the DNS settings on a customer's home router were changed after receipt of an e-mail that appeared to be from a legitimate Spanish-language greeting-card company.[3]

Controversy over the use of the term

The term "pharming" has been controversial within the field. At a conference organized by the Anti-Phishing Working Group, Phillip Hallam-Baker denounced the term as "a marketing neologism designed to convince banks to buy a new set of security services".

See also

Notes

  a. The word "pharming" is pronounced "farm-ing".

References

  1. "ICANN review blames Melb IT for hijack". The Sydney Morning Herald. March 16, 2005.
  2. "Pharming Attack Targeted Bank Customers Worldwide". PCWorld. February 22, 2007. Retrieved July 24, 2020.
  3. Messmer, Ellen (January 22, 2008). "First case of 'drive-by pharming' identified in the wild". Network World.
Sources

External links