You probably think youre pretty safe from phishing attacks, right? After all, how difficult is it to ignore a “security warning” from a bank you dont do business with? Or a non-grammatical message purportedly from PayPal that says your account is about to be turned off?
Ive avoided those scams and even bogus messages “from” banks I actually do business with. Why do they want this information from me? Theyve lost my password? Sure they have.
Still, not everyone is as smart—make that cynical—as you and I. So phishing is likely to be one of the biggest threats to computer users during 2005 and probably for years to come. Spam, which is merely annoying, doesnt start to compare to full-bore identity theft thanks to entering personal information in the wrong place.
Like most people do, I sometimes enter personal information online. I do this when I go to Web sites. The most extensive information goes to e-stores where I want to shop. And also like most people, I count on Amazon.com or wherever Im shopping to answer when I type in their URL and press the enter key. I believe I am entering information in the “right” place and so far, as best I can tell, it always has been.
Not so fast, warns my friend Scott Chasin, CTO at MX Logic, a Denver-based messaging and anti-spam company. Scott has identified a new threat that hes calling “pharming.” If the current method is “Phishing for dummies” (because the victims ought to know better), Scotts new threat is “Pharming for geniuses” because most victims—even smart ones—might have no idea that they were being scammed. At least not until its too late.
I should take a moment here to mention that when Scott told me about pharming, almost a month ago now, he could find no instances of it actually being used. Scott, however, went on the stump talking to the media about this pharming threat.
I hate to be indelicate, but having someone whose job it is to serve and protect his e-mail customers offering new ideas to the bad guys is a bit like a Secret Service agent going on Jay Leno to explain how someone might injure a dignitary. “Jay, this is what Squeaky Fromme did wrong…”
Todays phishing attack usually consists of an official-looking e-mail from a bank, credit card company or other financial services provider. Some of what passes for “official-looking” would be pretty hilarious if it didnt seem to actually work sometimes. Sometimes a half-dozen of these make it through my spam filter in a single day.
Inside the message is a link to what looks like an official Web site but is actually a clever-to-clumsy-looking scam that gathers personal account information, passwords, Social Security numbers and other information useful to crooks.
Chasin expects this first-generation phishing to move toward pharming, which involves Trojans, worms, or other technology that attack the browser address bar. Thus, when users type in a “valid” URL they are redirected to the criminals Web sites.
Another way to accomplish the same thing is to attack the DNS system rather than individual machines. Do this and conceivably everyone who enters what seems like a valid URL—the one that worked properly moments before—will instead be taken to the scammers site.
Scott sent me was a list of pharming-like attacks that have already taken place. These include an incident last November, when Google and Amazon users were sent to “Med Network,” an online pharmacy. The Troj Banker A/j worm, seen last November and December, watched for users to visit specific banking sites and then grabbed the personal information entered there for use by the criminal pharmers.
Depending on how you look at it, a less-criminal incident involved the March 2003 hijacking of the Al-Jazeera site by the “Freedom Cyber Force Militia” using DNS poisoning. The message viewers received: “God bless our troops.”
There are remedies for the pharming problem. A simple solution that works in some cases is a browser plug-in from Netcraft that displays information about the site being visited, such as its geographic location. If you notice that your mortgage companys site is being served from somewhere in the former Soviet Union, you can safely assume the worst.
Some financial institutions are already experimenting with “multi-factor authentication” including things like automatic telephone callbacks asking the user to confirm that a valid online transaction is about to take place. New Zealands ASB Bank sends “Netcodes” as SMS messages to customers wireless handsets to verify certain transactions. The user then enters the received Netcode into their browser for verification of identity.
Chasin says other pharmer-fighting technologies are possible, including means for browsers and HTTP clients to authenticate the identity of a particular Web site. This could be done by way of a public DNS address. The approach is similar to that used in e-mail authentication protocols.
So while pharming may not yet be upon us, I agree with Chasin that it soon will be. My hope is that “soon” will be later, as most of us are completely defenseless against a well-organized pharming attack.