Computer Crime Research Center


Pharming -- a new technique for Internet fraud

Date: March 07, 2005
Source: eChannelLine Canada
By: Fernando de la Cuadra

Hackers appear to have an increasing interest in reaping financial reward from their actions and creations. If, until now, phishing -- using e-mails to lure users into entering data into spoofed online banking Web sites -- was one of the most widespread fraud techniques, 'pharming' now poses an even greater threat.

Basically, pharming involves interfering with the name resolution process on the Internet. When a user enters an address (such as this needs to be converted into a numeric IP address as This is known as name resolution, and the task is performed by DNS (Domain Name System) servers. These servers store tables with the IP address of each domain name. On a smaller scale, in each computer connected to the Internet there is a file that stores a table with the names of servers and IP addresses so that it is not necessary to access the DNS servers for certain server names.

Pharming consists in the name resolution system modification, so that when a user thinks he or she is accessing to bank's Web page, he or she is actually accessing the IP of a spoofed site.

Phishing owed its success to social engineering techniques, but since not all users take the phishing bait, its success was limited. Also, each phishing attack was aimed at one specific type of banking service, further reducing the chances of success. Pharming on the other hand, can affect a far greater number of online banking users.

In addition, pharming isn't just a one-off attack, as is the case with phishing e-mails, but remains present on the computer waiting for the user to access the banking services.

The solution against this new kind of fraud lies, as ever, in anti-virus security solutions. Pharming attacks depend on an application in the compromised system (this could be an exe file, a script, etc). But before this application can run, obviously it needs to reach the operating system. Code can enter the system through numerous channels; in fact, in as many ways as information can enter the system: via e-mail (the most frequent), Internet downloads, copied directly from CD or floppy, etc. In each of these information entry points, the anti-virus has to detect the file with the malicious code and eliminate it, provided it is registered as a dangerous application in the anti- virus signature file.

Unfortunately, the propagation speed of malware today is head-spinning, and there are more malicious creators offering their source code to the rest of the hacker community to create new variants and propagate even more attacks. The virus laboratories don't have enough time to prepare the malware detection and elimination routines for new malicious code before they start spreading to PCs. Despite the efforts and improvements from virus labs, it is physically impossible for them to prepare an adequate solution in time against some of these threats that can spread in just a few minutes.

The solution against these kinds of threats should not, therefore, depend, at least not in the front line of protection, on a reactive solution based on viral identifier files but rather systems that detect the actions that theses threats carry out. In this way, every time there is an attempted attack on the computer's DNS system (as in the case of pharming applications), the attack is recognized and blocked along with the program carrying out the attack.

However, there is an added danger with pharming, which lies in anonymous proxy servers. Many users want to hide their identity (their IP address) when using the Internet and use online proxy servers so that the connection is made under the server IP and not the client IP. In a worst case scenario, one of these proxy servers could have its name resolution system poisoned so that users trying to access their bank Web site, could actually be viewing a spoofed site, even though their local name resolution system is operating perfectly.

In any event, the threat that pharming poses is a serious one, although one that is easily resolved. Only with systems that can detect and block changes in IP address resolution systems in computers can we hope to prevent the avalanche of malicious code that will soon be upon us.

Fernando de la Cuadra is International Technical Editor at Panda SoftwwarePanda Software. He can be reached at [email protected]
Add comment  Email to a Friend

Copyright © 2001-2024 Computer Crime Research Center
CCRC logo