Phishing, Now Pharming: Fraudsters Trying to Harvest Online Identities?
COLUMBIA, S.C. - First phishing. Now pharming. While phishing depends on luring unsuspecting users one by one to fake online banking or other e-commerce sites where the fraudster hopes they'll enter their real ID and passwords, pharming aims to harvest victims en masse by invisibly directing them there.
The first stirrings of such attempts have already been felt, primarily in Great Britain, according to scattered reports. The term itself also is new, but the techniques used to pull it off are not, according to David Jevans, chair of the Anti-Phishing Working Group (www.antiphishing.org), a coalition of more than 500 financial services providers, law enforcement agencies, Internet service providers and other technology vendors.
"Pharming uses DNS cache poisoning, which has been around since 1999. The difference now is that there's a reason to do it," says Jevans, senior vice president of business development at Teros Inc., a California-based provider of application security devices.
"How many real identity thieves were there around in 1999? Not very many," Jevans says. "Now there's an entire criminal supply chain where you can buy identities."
DNS cache poisoning has a simple definition: DNS stands for domain name system, the system by which numbers become working Internet addresses, as it were. Cache simply means a holding area of data. And poisoning it means injecting false information so that requests are diverted from their intended destinations.
The way that's done is through a kind of malware typically called a Trojan horse: malicious executable code that rewrites the hosts file on the end user's PC and sends the user to the spoof site, in this case even if the user uses the old tried-and-true method of punching in the site name instead of clicking on a hot link. And that helps make it even more pernicious than phishing, says Kelly Dowell, director of the Credit Union Information Security Professionals Association.
"There's no real need to trick the user once that Trojan is in the system," Dowell says. "It just sits there dormant on your machine until you actually go through the normal routine of logging on to a banking site."
Dowell also says that pharming is the next evolution of cyberattacks, evolving as phishing becomes less effective over time as consumers become more educated about how to avoid taking the bait.
The same process, only on the technology side, remains the best defense against pharming, says another industry participant, David Meunier, chief information security officer at CUNA Mutual in Madison, Wis., who has some words of advice for credit unions.
"I'm not sure yet if pharming will get as big as phishing. For one thing, it's technically more difficult than phishing. Others think it will be that big or bigger, but pharming is still fairly new and I'm on the fence about that," Meunier says.
He adds: "But one thing to be aware of is that if it does work, it can affect a lot more people a lot more quickly than phishing.
"So our approach is, when you see it, make people aware of it. My first piece of this is to educate. Here it is. Start talking to your infrastructure teams about it. Keep doing the smart, basic things. Patch correctly, use the latest and greatest DNS protections ... there are those sorts of things we can do at a minimum in the interim."
That's until the defensive technology catches up, says Dowell at Texas-based CUISPA (www.cuispa.org).
"Eventually it will," he says, "and there already is technology out there to address phishing which can also address pharming if done right. And education itself is extremely powerful. That means both educating the members and ourselves as a community of credit unions.
"If we don't want to go back to brick and mortar, we have to be able to make members believe that the online channel is safe. Credit unions are not immune from this."
Meunier at CUNA Mutual would agree.
"There's no 'security by obscurity' for credit unions like there was," he says. "Crackers are just looking for vulnerabilities. If they find one, boom, you're stuck. So it really comes down to making sure you're doing the right things on your system. Hardening it, using the latest and greatest patches, making sure your audit controls are in place."
Dowell and Meunier also both pointed to the need for stronger two-factor authentication.
Meanwhile, the far-flung APWG also is keeping its eye on pharming.
"We're doing a number of things," says Jevans, the coalition's chair. "That includes trying to get a clear definition of it while dampening the hysteria. It's an important issue but there's no reason to jump up and down about it yet. The reports of it happening are few and far between.
"We're also working with network operators and DNS providers to understand the vulnerabilities, to see if we need to do something like implement the next generation of secure DNS. That discussion is going on," he says.
"But bottom line: We're still trying to understand the problem. I think to some extent, other than the very real malware stuff, some of this may be hypothetical.
"And we didn't come up with the term 'pharming.' (e-mail security specialist) MX Level just did. We view it as just another form of phishing and crime, but people are using the term now and you've got to go with the flow."