
What Is Pharming – DNS Poisoning

Pharming is a derivative of phishing. Both spell the word with “ph” instead of an “f”, following hacker slang. Pharming seeks to obtain personal or private information through domain spoofing. In phishing you are spammed with deceptive e-mail that tries to lure you to spoof web sites that appear legitimate. Pharming, on the other hand, poisons a DNS server by feeding it false information, so that a user's request is redirected elsewhere. Your browser, however, will show that you are at the correct web site, which makes pharming more serious and more difficult to detect. Phishing attempts to scam people one at a time with an e-mail, while pharming lets the scammers target large groups of people at once through domain spoofing.


Nearly every Internet request begins with a DNS lookup, and malicious hackers realized long ago the profit potential in DNS poisoning. DNS (the domain name system) translates web and e-mail domain names into numeric IP addresses, acting as a sort of telephone directory for the Internet. If you type examplesite.com, your computer asks a DNS server (a resolver), which returns the IP address assigned to that domain. If a DNS resolver's cache or a zone's records are poisoned, that is, altered to contain false information about which domain name maps to which address, then users can be silently shuttled to a bogus web site even when they type the correct URL. The hacker makes the false site look just like the original, so that the user trusts it and enters personal information, such as a password. The hacker then exploits that information for his benefit and your loss. If the right domain can be hijacked or the right DNS record poisoned, hackers can make off with data that enables huge financial rip-offs.

When a DNS server is poisoned and your computer accepts a false translation for examplesite.com, your packets for examplesite.com go to the hacker's IP address, not to the real one. If a pharming attack succeeds, there is nothing on your computer to indicate that anything is wrong: the name resolved, a connection was made, and as far as your computer is concerned you really are talking to examplesite.com. Some web privacy providers claim that customers who route all their Internet activity through the provider's own secure servers are protected against pharming attacks. The nature of pharming suggests otherwise: the provider's proxy still has to resolve examplesite.com itself, and if its resolver is poisoned the proxy reaches the same bogus address. Regardless of a company's claims, it is always a good idea to research security products carefully. Read product reviews from reputable sources, such as CNET Reviews, or use search engines.
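How false information actually gets into a resolver, as an added example that is not part of the original article. The script builds DNS wire-format packets by hand (the transaction ID, the names and the addresses are assumed; the addresses come from documentation ranges and belong to no real host), then contrasts a resolver that caches the first reply it receives with one that applies the checks a careful resolver makes before caching anything: the transaction ID matches the query it sent, the reply echoes the question it asked, and every answer is for the name it asked about. The forged reply, the genuine one and the reply that smuggles in a record for another domain are constructed scenarios, not captured traffic.

```python
import struct
import ipaddress

# Added example (not from the original article): how a forged DNS reply can plant
# a false translation in a resolver's cache, and the checks that make it fail.
# Every packet is constructed by hand; addresses are RFC 5737 documentation ranges.

QUERY_TXID = 0x1A2B          # transaction ID our stub resolver put in its query
QNAME = "examplesite.com"    # the name the user typed

def encode_name(name):
    """Encode a hostname in DNS wire format: length-prefixed labels, then a 0 byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def build_response(txid, qname, answers):
    """Build a minimal DNS response carrying A records. answers: [(name, ipv4, ttl)]."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    rrs = b"".join(encode_name(n) + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + ipaddress.IPv4Address(ip).packed for n, ip, ttl in answers)
    return header + question + rrs

def decode_name(data, offset):
    """Decode a wire-format name at offset, following compression pointers."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)

def parse_response(data):
    """Return (txid, [(qname, qtype, qclass)], [(name, ipv4, ttl)]) from a reply."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(data, offset)
        questions.append((name,) + struct.unpack("!HH", data[offset:offset + 4]))
        offset += 4
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(data[offset:offset + 4])), ttl))
        offset += rdlen
    return txid, questions, answers

def validate_response(data, txid, qname):
    """Return cacheable A records, or None if the reply must be discarded.
    Accept only if the transaction ID matches our query, the echoed question is
    exactly what we asked, and every answer is for the queried name (a simplified
    bailiwick rule; real resolvers also allow CNAME chains)."""
    try:
        rtxid, questions, answers = parse_response(data)
    except (struct.error, IndexError, UnicodeDecodeError):
        return None
    if rtxid != txid or questions != [(qname.lower(), 1, 1)] or not answers:
        return None
    if any(name != qname.lower() for name, _, _ in answers):
        return None
    return answers

# Constructed replies: the pharmer's forgery guesses the transaction ID wrong by one,
# the genuine answer arrives later, and a third reply tacks on a record for another domain.
FORGED = build_response(0x1A2C, QNAME, [(QNAME, "203.0.113.66", 86400)])
GENUINE = build_response(QUERY_TXID, QNAME, [(QNAME, "198.51.100.10", 300)])
SMUGGLED = build_response(QUERY_TXID, QNAME, [(QNAME, "198.51.100.10", 300),
                                              ("bank.example", "203.0.113.66", 86400)])

def naive_cache(replies):
    """A resolver that caches whatever arrives first: the behaviour a poisoner needs."""
    for data in replies:
        _, _, answers = parse_response(data)
        if answers:
            return {name: ip for name, ip, _ in answers}
    return {}

def checked_cache(replies, txid=QUERY_TXID, qname=QNAME):
    """The same resolver, but it only caches replies that pass validate_response."""
    for data in replies:
        answers = validate_response(data, txid, qname)
        if answers:
            return {name: ip for name, ip, _ in answers}
    return {}

if __name__ == "__main__":
    print("naive  :", naive_cache([FORGED, GENUINE]))     # pharmer's address wins
    print("checked:", checked_cache([FORGED, GENUINE]))   # genuine address wins
    print("smuggled record, naive cache:", naive_cache([SMUGGLED]))
```

The naive cache ends up sending every later connection for examplesite.com to 203.0.113.66 while the user's browser still displays examplesite.com, which is exactly the situation described above; the checked cache discards both the mis-numbered forgery and the smuggled bank.example record. A real attacker cannot see the transaction ID and source port, so the practical defence behind these checks is making them hard to guess, which is what randomised IDs and source ports are for.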

PREVENTION TIPS

There is no silver bullet for solving the problem of pharming across the entire Internet. While poisoning a DNS server is not easy, it is not impossible, and expert attackers do it. The best approach is to secure the DNS system itself, and we know how to do this: DNSSEC has authoritative DNS servers put a digital signature on the records they give out, so that a computer receiving a DNS answer can verify that the data was endorsed by the zone's authoritative server. Such a system, if universally deployed, would put the pharmers out of business, though it only helps a client whose resolver actually validates the signatures. Unfortunately, secure DNS is not widely deployed.

  • Pharming-conscious web sites that use forms to accept passwords or other sensitive information make sure that the page containing the form is itself served over HTTPS. A partial solution, for web access at least, is to reach web sites only over secure (HTTPS) connections. On a legitimate site the user sees the lock icon in the browser and knows that the browser is connected to the holder of a certificate for the URL it is displaying. A pharmer could make requests for “www.examplesite.com” go to his evil site, but he cannot fool the secure-connection mechanism: the browser checks that the certificate the server presents was issued by a trusted certificate authority for the very hostname in the address bar, so without a certificate for www.examplesite.com he cannot make the lock icon light up. This protection only holds if you actually use HTTPS and refuse to click through a certificate warning.
  • If you visit an SSL-enabled web site, look out for the browser's security alert window about the site's certificate. If you get it, double-check whether the site gave this message on earlier visits, and check that the URL is the one you intended to go to. This window generally appears when the server's SSL certificate does not match the web site's URL, when the certificate has expired, or when it is not signed by a trusted root certificate authority. A pharmer who has redirected you to his own server will typically trigger exactly this warning, so do not click through it.
  • SpoofStick is a simple browser extension that helps users detect fake web sites. It is free and installs into your browser, and it is available for Firefox and Internet Explorer. For more information go to SpoofStick.
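What the browser verifies before it lights the lock icon, and the conditions that raise the security alert described above, as an added example in Python that is not from the original article or from SpoofStick. The certificates are constructed dictionaries in the shape that Python's ssl.SSLSocket.getpeercert() returns, with assumed names and dates; the check reproduces the hostname match (including the rule that a wildcard covers exactly one label) and the validity-period check. The third condition, whether the certificate chains to a trusted root certificate authority, is left to the TLS library and is not reproduced here.

```python
import ssl
import time
from urllib.parse import urlsplit

# Added example (not from the original article): the hostname and validity checks a
# browser makes on a server certificate. The certificates below are constructed dicts
# in the shape ssl.SSLSocket.getpeercert() returns; none of them is a real certificate.
# The trust-chain check (is the issuer a trusted root CA?) is left to the TLS library.

LEGIT_CERT = {  # assumed to be the genuine examplesite.com certificate
    "subject": ((("commonName", "examplesite.com"),),),
    "subjectAltName": (("DNS", "examplesite.com"), ("DNS", "*.examplesite.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
}
PHARMER_CERT = {  # what a pharmer can realistically present: a valid cert for a domain he owns
    "subject": ((("commonName", "www.examplesite-login.net"),),),
    "subjectAltName": (("DNS", "www.examplesite-login.net"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
}
EXPIRED_CERT = dict(LEGIT_CERT, notAfter="Jan  1 00:00:00 2020 GMT")
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")   # fixed clock, for reproducibility

def name_matches(pattern, hostname):
    """RFC 6125 style match: exact, or a wildcard that covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # ".examplesite.com"
    prefix = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
    # *.examplesite.com matches www.examplesite.com, but neither examplesite.com
    # nor a.b.examplesite.com
    return prefix != "" and "." not in prefix

def cert_names(cert):
    """DNS names the certificate covers: SAN entries, or the CN only when there are none."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def check_certificate(cert, url, now=None):
    """Return (ok, reason) for the certificate presented by the server behind url."""
    host = urlsplit(url).hostname
    if host is None:
        return False, "no hostname in URL"
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return False, "certificate not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return False, "certificate expired"
    names = cert_names(cert)
    if not any(name_matches(n, host) for n in names):
        return False, "certificate for %s does not match %s" % (", ".join(names), host)
    return True, "certificate matches %s and is within its validity period" % host

if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("pharmer", PHARMER_CERT), ("expired", EXPIRED_CERT)):
        print(label, check_certificate(cert, "https://www.examplesite.com/login", NOW))
```

The pharmer's certificate is perfectly valid for www.examplesite-login.net, yet it is rejected for www.examplesite.com because the name in the address bar is what gets compared, not the name on the page. That rejection is what the security alert window reports, and it is why clicking through the warning gives away the protection HTTPS would otherwise provide.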

