Pharming
Pharming is a hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real addresses; they are the "signposts" of the Internet. Compromised DNS servers are sometimes referred to as "poisoned".

The term pharming is a neologism based on farming and phishing. Phishing is a type of social engineering attack to obtain access credentials such as user names and passwords. In recent years both pharming and phishing have been used to obtain information for online identity theft. Pharming has become of major concern to businesses hosting ecommerce and online banking websites. Sophisticated measures known as anti-pharming are required to protect against this serious threat. Antivirus software and spyware removal software cannot protect against pharming.
Pharming vulnerability at home

While malicious domain name resolution can result from compromises in the large numbers of trusted nodes that participate in a name lookup, the most vulnerable points of compromise are near the leaves of the internet. For instance, a desktop computer's hosts file, which circumvents name lookup with its own local name-to-IP-address mapping, is a popular target for malware: once its entries are rewritten, a legitimate request for a sensitive website can direct the user to a fraudulent copy. Desktops are often better targets for pharming because they receive poorer administration than most internet servers.
More worrisome than hosts file attacks is the compromise of a local network router. Since most routers specify a trusted DNS to clients as they join the network, misinformation here will spoil lookups for the entire LAN. Unlike hosts file rewrites, local router compromise is difficult to detect. Routers can pass bad DNS information in two ways: misconfiguration of existing settings or wholesale rewrite of embedded software (aka firmware). Nearly every router allows its administrator to specify a particular trusted DNS in place of the one suggested by an upstream node (e.g., the ISP). An attacker could specify a DNS server under his control instead of a legitimate one. All subsequent resolutions will go through the bad server. A scenario involving malicious JavaScript that changes the router's DNS server is called Drive-By Pharming and was demonstrated by Stamm, Ramzan and Jakobsson in a December 2006 technical report.

Alternatively, many routers have the ability to replace their firmware (i.e. the internal software that executes the device's more complex services). Like malware on desktop systems, a firmware replacement can be very difficult to detect. A stealthy implementation will appear to behave the same as the manufacturer's firmware; the administration page will look the same, settings will appear correct, etc. This approach, if well executed, could make it difficult for network administrators to discover the reconfiguration, since the device appears to be configured as the administrators intend but actually redirects DNS traffic in the background. Pharming is only one of many attacks that malicious firmware can mount; others include eavesdropping, active man in the middle attacks, and traffic logging. As with misconfiguration, the entire LAN is subject to these actions.

By themselves, these pharming approaches have only academic interest. However, the ubiquity of consumer grade wireless routers presents a massive vulnerability. Administrative access can be available wirelessly on most of these devices. Moreover, since these routers often work with their default settings, administrative passwords are commonly unchanged. Even when altered, many are guessed quickly through dictionary attacks, since most consumer grade routers don't introduce timing penalties for incorrect login attempts. Once administrative access is granted, all of the router's settings including the firmware itself may be altered. These factors conspire to make drive-by router compromise a clear and present threat. These attacks are difficult to trace because they occur outside the home or small office and outside the internet.
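The two leaf-level vectors above, a tampered hosts file and a router that hands out an attacker-chosen resolver, can both be checked from the defender's side. The following Python is an added example, not code from the article; the sensitive-domain list, the expected resolver addresses and both sample inputs are constructed assumptions.

```python
"""Defender-side checks for leaf-level pharming: hosts-file overrides and an
unexpected LAN resolver. Added example; every sample value is constructed."""
import ipaddress
import re

# Names that must only ever resolve via DNS, never a local override (constructed).
SENSITIVE_DOMAINS = {"bank.example", "mail.example"}
# Resolvers the router is expected to hand out via DHCP (constructed values).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field: ignore rather than crash
        for name in fields[1:]:
            yield str(addr), name.lower()


def suspicious_hosts_entries(text):
    """Return (hostname, ip) for sensitive domains (or their subdomains) pinned
    to a non-loopback address, i.e. the hosts-file pharming pattern."""
    flagged = []
    for ip, name in parse_hosts(text):
        sensitive = any(name == d or name.endswith("." + d) for d in SENSITIVE_DOMAINS)
        if sensitive and not ipaddress.ip_address(ip).is_loopback:
            flagged.append((name, ip))
    return flagged


def unexpected_resolvers(lease_text):
    """Parse 'option domain-name-servers a, b;' lines in dhclient lease syntax
    and return any resolver the router handed out that is not expected."""
    pattern = re.compile(r"option domain-name-servers\s+([^;]+);")
    seen = set()
    for match in pattern.finditer(lease_text):
        seen.update(s.strip() for s in match.group(1).split(","))
    return sorted(seen - EXPECTED_RESOLVERS)


SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1    localhost
::1          localhost
203.0.113.9  bank.example www.bank.example   # pinned by malware
192.168.1.20 printer.lan
"""

SAMPLE_LEASE = """lease {
  option domain-name-servers 192.0.2.53, 198.51.100.7;
}
"""

if __name__ == "__main__":
    print("hosts-file overrides:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_LEASE))
```

A real deployment would read `/etc/hosts` (or the Windows equivalent) and the live DHCP lease instead of the embedded samples, and alert on any non-empty result.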
Instances of pharming

In January 2005, the domain name for a large New York ISP, Panix, was hijacked to point to a site in Australia. No financial losses are known.

In January 2008, Symantec reported a drive-by pharming incident directed against a Mexican bank in which the DNS settings on a customer's home router were changed after receipt of an e-mail that appeared to be from a legitimate Spanish-language greeting card company.

Controversy over the use of the term

The term pharming is controversial within the field. At a conference organized by the Anti-Phishing Working Group, Phillip Hallam-Baker denounced the term as "a marketing neologism designed to convince banks to buy a new set of security services".
See also

- DNS cache poisoning
- IT risk
- Mutual authentication
- Page hijacking

External links

- BIND 9 DNS Cache Poisoning (DNS Pharming Attack) - Discovered by Amit Klein (Trusteer)
- "The Pharming Guide" by Gunter Ollmann
- ZD Net Article "Alarm over "Pharming" Attacks
- Wired News: Pharming Out-Scams Phishing
- Network World Article on New Anti-Pharming Technology
- eWeek article on the Hushmail.com DNS pharming attack
- After Phishing? Pharming!
- Main Trusteer Wikipedia Page