SgCERT Advisory No. 012007: Pharming

 

Introduction

Like all large networks, the SabahNet network is not spared from malicious attacks of every kind. One form is the pharming attack that targets the e-mail addresses of Sabah Government staff.

 

What is pharming?

Just as in phishing [1], where e-mails that claim to be legitimate try to fool users into surrendering confidential (usually financial) information, pharming has the same goal but uses a different method of attack: it redirects traffic intended for a genuine website to a bogus website elsewhere, so the victim lands on the fake site even after typing the correct address.

 

How does pharming work?

Pharming uses spyware, keyloggers, domain spoofing, domain hijacking or DNS cache poisoning. On the client side, changes are made to the hosts file on the victim's computer; on the server side, a vulnerability in the DNS server software is exploited. In the client-side case, the e-mail carries a virus that installs a small program on the user's computer. When the user tries to go to the bank's genuine website, the program redirects the browser to the pharmer's fake website. There, the fake site asks the user to "update" personal information such as logins, PIN codes, passwords or other sensitive information. Because the hosts file is consulted before any DNS lookup, a single planted line is enough to override the bank's name on that machine without any visible error.
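The client-side variant leaves a concrete trace: a hosts-file line that pins the bank's name to an address the pharmer controls. The Python below is an example added to this advisory, not code from SgCERT or from any vendor. It parses a hosts file and flags entries that map a watched domain to a non-local address, and also reports names sinkholed to loopback (what malware does to block antivirus update sites) and any other non-local override for review. The sample hosts content, the domain names, the addresses and the watch list are all constructed for the example.

```python
"""Hosts-file pharming check (added example, constructed data)."""
import ipaddress
import os

# Constructed hosts file as a pharming trojan might have left it.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # legitimate corporate entry
# lines below are hypothetical trojan-planted entries (constructed)
203.0.113.45    www.examplebank.com examplebank.com
203.0.113.45    online.examplebank.com
127.0.0.1       www.example-av-vendor.com
"""

# Hypothetical watch list: the sites whose login pages your users rely on.
WATCHED_DOMAINS = ("examplebank.com",)

# Names that legitimately map to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, ip_address, [hostnames]) for every usable line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an address: ignore
        yield line_no, addr, [h.lower().rstrip(".") for h in fields[1:]]


def under_domain(host, domain):
    """True if host is domain itself or a name below it (not a look-alike)."""
    return host == domain or host.endswith("." + domain)


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Classify hosts entries as PHARMING (watched domain pinned to a
    routable address), SINKHOLED (non-local name pinned to loopback) or
    REVIEW (any other non-local override, normal on managed hosts but
    worth a look on an end-user PC)."""
    findings = []
    for line_no, addr, hosts in parse_hosts(text):
        local = addr.is_loopback or addr.is_unspecified
        for host in hosts:
            if local:
                if host not in LOCAL_NAMES:
                    findings.append(("SINKHOLED", line_no, host, str(addr)))
            elif any(under_domain(host, d) for d in watched):
                findings.append(("PHARMING", line_no, host, str(addr)))
            else:
                findings.append(("REVIEW", line_no, host, str(addr)))
    return findings


def system_hosts_path():
    """Location of the live hosts file on Windows or Unix-like systems."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    for kind, line_no, host, addr in find_pharming_entries(SAMPLE_HOSTS):
        print(f"{kind:9} line {line_no}: {host} -> {addr}")
    # To check the machine you are on instead of the constructed sample:
    # with open(system_hosts_path()) as fh:
    #     print(find_pharming_entries(fh.read()))
```

The suffix match in under_domain deliberately requires a leading dot, so a look-alike such as examplebank.com.evil.example is not treated as the bank's domain; run the script against system_hosts_path() on a suspect PC and treat any PHARMING line as a confirmed infection indicator.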

 

How to avoid pharming?

Pharming that relies on malware (spyware, keyloggers, a trojan that edits the hosts file) can be stopped by keeping antivirus, antispyware and a firewall up to date on the computer. This greatly reduces the chance of malware redirecting the browser to a fake website.

 

Server-based pharming that employs domain spoofing, domain hijacking or DNS cache poisoning (also called "domain cache pollution") takes advantage of a known vulnerability in the DNS service of Windows NT4 and Windows 2000 servers, for which a fix is available from the Microsoft website (the DNS server option "secure cache against pollution", which makes the server discard records that fall outside the zone it queried). Windows Server 2003 is not affected by this particular issue in its default configuration. Note that no DNS patch protects against domain hijacking, where the attacker takes over the domain registration itself. Open-source platforms are not immune either: there have also been cases of Apache servers being compromised.
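The cache-pollution weakness is that a caching server accepts every record in a reply, including records for names the replying server has no authority over, so an attacker's own name server can slip in a bogus address for the bank. The defence is a bailiwick check: keep only records inside the zone the server was consulted for. The Python below is an example added here, not code from the advisory, from Microsoft or from any DNS implementation; it builds a constructed poisoned reply in DNS wire format, parses it back and applies the check. The transaction ID, names and addresses are all made up.

```python
"""Bailiwick check against DNS cache pollution (added example)."""
import ipaddress
import struct

TYPE_A, TYPE_NS = 1, 2


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def encode_rr(name, rtype, ttl, rdata):
    """Resource record: name, type, class IN, ttl, rdlength, rdata."""
    payload = (ipaddress.IPv4Address(rdata).packed if rtype == TYPE_A
               else encode_name(rdata))
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl,
                                           len(payload)) + payload


def build_response(txid, qname, answer, authority, additional):
    """Authoritative reply (flags QR|AA) to an A query for qname."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answer),
                         len(authority), len(additional))
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for section in (answer, authority, additional):
        body += b"".join(encode_rr(*rr) for rr in section)
    return header + body


def parse_response(msg):
    """Return (qname, {section: [(name, type, ttl, rdata), ...]})."""
    _txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                          # qtype, qclass
    sections = {}
    for label, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_A:
                rdata = str(ipaddress.IPv4Address(msg[off:off + rdlen]))
            elif rtype == TYPE_NS:
                rdata, _ = decode_name(msg, off)
            else:
                rdata = msg[off:off + rdlen].hex()
            off += rdlen
            records.append((name, rtype, ttl, rdata))
        sections[label] = records
    return qname, sections


def in_bailiwick(name, zone):
    """True if name is zone itself or lies below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def cacheable_records(msg, zone):
    """Split a reply into records safe to cache (inside the zone the
    server was consulted for) and records to discard as pollution."""
    _, sections = parse_response(msg)
    kept, dropped = [], []
    for records in sections.values():
        for rr in records:
            (kept if in_bailiwick(rr[0], zone) else dropped).append(rr)
    return kept, dropped


# Constructed reply from the pharmer's own server for attacker.example,
# with a bogus record for the bank smuggled into the additional section.
POISONED = build_response(
    0x1234, "www.attacker.example",
    answer=[("www.attacker.example", TYPE_A, 300, "198.51.100.7")],
    authority=[("attacker.example", TYPE_NS, 3600, "ns.attacker.example")],
    additional=[("ns.attacker.example", TYPE_A, 3600, "198.51.100.7"),
                ("www.examplebank.com", TYPE_A, 86400, "203.0.113.45")],
)

if __name__ == "__main__":
    kept, dropped = cacheable_records(POISONED, "attacker.example")
    print("cached:", kept)
    print("discarded as pollution:", dropped)
```

A resolver without the check would cache www.examplebank.com as 203.0.113.45 for a day and send every user behind it to the fake site; with the check, only the three attacker.example records survive.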

 

Preventive Measures

The preventive measures for phishing already spelled out in paragraph 7 of http://www.sgcert.org/032005%20Phishing%20Advisory.html should be followed to reduce the incidence of pharming.

 

A list of popular financial sites that use a secure (HTTPS) login page is maintained at http://www.pharming.org, together with a list of financial sites whose login page is unsecured. A secure login page is only useful if the user also heeds certificate warnings: a pharmed site cannot present a valid certificate for the bank's genuine name, so a browser warning on a bank's login page should be treated as a sign of redirection, not dismissed.


Reference and Sources:

1) SgCERT Advisory on Phishing: http://www.sgcert.org/032005%20Phishing%20Advisory.html

2) Wikipedia, Pharming: http://en.wikipedia.org/wiki/Pharming

3) http://www.pharming.org

4) http://www.usnetizen.com/articles/pharming.html