
Pharming

Introduction

Pharming is a lot more technical than the other scams described in this section of the site, but that is not to say it is not a serious threat. Indeed, because it relies on behind-the-scenes interventions it can be harder to spot and combat than the other scams described here.

Pharming is an attack perpetrated by a cracker which aims to redirect a website's traffic to another, bogus website. The word itself is a play on 'farming' and 'phishing'. The fraud is carried out either by changing the hosts file on the victim's computer or by exploiting a vulnerability in DNS server software; compromised computers are sometimes referred to as having been 'poisoned'.

How Pharming Works

Admittedly this is a little technical, but please bear with me. Each computer on the internet (called a host) has an address called an IP address (Internet Protocol address). This is unique and points specifically at that host. Currently the standard for these addresses is IPv4, which is 32-bit, though IPv6 (a 64-bit standard) is being introduced. These numbers are generally represented as what is termed a 'dotted quad', an example being '192.168.3.79'. Machines on the Internet identify each other by their IP addresses, and every unit of data transmitted over the Internet (a packet) is tagged with the IP addresses of the putative sender and the intended recipient. An IP address can be considered the rough equivalent of a telephone number.

The problem is that humans are very bad at remembering long strings of numbers. As a result there are directories that map the IP numbers onto something that is easier for people to remember, like a web address. For web addresses these mappings are maintained by a system called DNS (Domain Name System), which maps web addresses such as 'celtnet.org.uk' to the IP number of the machine hosting the domain. This DNS mapping can be thought of as the internet equivalent of a telephone directory that maps the name of a person or business to a telephone number.

Because all the user enters is a web address, and the mapping from that domain name to the real address of the website is handled by the DNS system, the system is potentially vulnerable. If a criminal could hijack a DNS server he could change the IP address of the real website to any address he required. A criminal could therefore set up a fake website that looked exactly like the real one but was located elsewhere, and use DNS re-mapping to direct people to it in order to obtain sensitive information from the victim. As a result the most popular targets are banking and e-commerce sites where credit card and account information are entered.

Internet Vulnerabilities

In theory malicious changes to domain name lookups could occur anywhere in the network of computers that participate in domain-name lookups, but the reality is that the home PC is by far the most vulnerable part of the entire system. This is due both to the generally poorer security on home computers and to the fact that PCs consult their own hosts file for domain lookups. Indeed, the hosts file can bypass DNS lookup altogether with its own local name-to-IP-address mapping. As a result, this file is a very popular target for malware which attempts to rewrite it. If the hosts file is rewritten then a legitimate request for a sensitive website (such as a bank site, PayPal or an e-commerce site) can be directed to a fraudulent copy.
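As an added illustration (not part of the original article), the following Python script audits a hosts file for the kind of tampering described above: any entry that pins a sensitive or public domain name to a non-loopback address. The hosts-file content, the addresses and the domain names are all constructed for the example; the watchlist is an assumed list the user would maintain.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not from the original page).
# The first lines are normal; the last two pin a bank and a shop to an
# address outside the machine, bypassing DNS entirely.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.lan          # benign LAN device
# Entries a pharming trojan might add (constructed for this example)
203.0.113.45    www.mybank.example
203.0.113.45    shop.example  login.shop.example
"""

# Assumed user-maintained list of domains that must never be overridden.
WATCHLIST = {"www.mybank.example", "login.shop.example"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def find_suspicious(text, watchlist=WATCHLIST):
    """Return (ip, name, reason) for entries that map a watched domain, or any
    public-looking name, to a non-loopback address. Loopback entries and
    names in private suffixes (.local, .lan) are treated as normal."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback:
            continue
        if name in watchlist:
            findings.append((ip, name, "watched domain overridden"))
        elif "." in name and not name.endswith((".local", ".lan")):
            findings.append((ip, name, "public name resolved locally"))
    return findings
```

On a real machine the text would be read from /etc/hosts or the Windows equivalent under System32\drivers\etc; any finding for a banking or shopping domain is a strong sign of hosts-file pharming.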

Although far more difficult to implement than alteration of a local PC's hosts file, a potentially more serious attack is one that compromises a local network router. Routers are network devices that buffer and forward data packets across an internetwork toward their destinations; they act as a junction between two or more networks and transfer data packets between them. Because most routers specify a trusted DNS server to clients as they join the network, misinformation here will spoil lookups for the entire LAN. Even worse, compromise of a local router is very difficult to detect. Compromising a router would require either the misconfiguration of existing settings (using the administration password to specify a particular DNS server in place of the one suggested by an upstream node) or a wholesale rewrite of the router's firmware.

Most routers (like most computers) have the ability to replace their firmware. If the firmware upgrade or patch is written cleverly then a malicious firmware replacement can be very difficult to detect. The machine will appear to behave the same as previously and the administration page will look the same, settings will appear correct, etc.

A recent report by Stamm, Ramzan and Jakobsson (Indiana University Bloomington, December 13, 2006) introduced a theoretical scenario where a malicious JavaScript could be used to change a router's DNS server in what they termed Drive-by Pharming.

Many of the pharming techniques and vulnerabilities described above are of little more than academic interest. However, there is one more vulnerability that offers a very serious threat. This is due to the ubiquity of wireless routers in the homes of many internet users. Many of these routers can be administered via wireless access and this presents a major vulnerability. This is due to the fact that the majority of users of such devices work with the router's default settings and don't even bother to change the initial administrative password. Even if the password is altered many can be guessed quickly through dictionary attacks as most consumer grade routers don't introduce timing penalties for incorrect login attempts. Once administrative access is granted, all of the router's settings including the firmware itself may be altered. These factors conspire to make drive-by router compromise a very real threat.

Moreover, anti-virus and anti-spyware software cannot protect against pharming and sophisticated measures known as anti-pharming are required to protect against this serious threat.

If you are a home user then anti-malware software will aid against hosts file-based attacks. If you have a wireless router then change the initial settings and use a strong password (one that includes a mix of alphabetic and numeric characters in a mix of cases and which does not spell out a word) to protect the router from Drive-by Pharming attacks.