March 20, 2005
Attacks over identity theft made even easier
Thanks to Watchdog and News Websites, most of us have become wise to Phishing attacks, so named because they cast the bait, via an (sometimes enticing) e-mail and if you bite, they attempt to lure personal information from you. This scam method has become fairly recognizable and usually arrives as a note from a bank asking you to click the provided length, and (re)enter your personal information. The fact that a bank wouldn't really need your mother's maiden name might tip you off to the idea that it might not be legitimate. More likely, though, you notice the misspellings in this (bogus) e-mail, or you're otherwise savvy to the identity theft scam and immediately delete these messages, unread. There is a new attack on the horizon, and it is getting more and more critical every day.
These new attacks have already been in use for months now; "Pharming" a supposed successor to the now familiar e-mail Phishing attacks. Gerhard Eschelbeck, CTO of Qualys, a vulnerability management company, told me recently that Pharming is simply a new name for a relatively old concept: domain name spoofing. Rather than spamming you with e-mail requests, Pharmers work quietly in the background, "poisoning" DNS servers by redirecting your Web request to some other website. Sometimes these new sites are bogus search engines to a fake copy of the site you wanted to visit in the first place. As far as your browser is concerned, a successful connection means you're connected to the right site. The danger here is that, just (like JPEGS, you no longer have to click) anything, to hand over private information to identity thieves.
Domain Naming Service/Servers
In order to better understand Pharming, you might need a little background on how the Domain Name System (DNS) works. DNS is a Distributed Internet Directory Service, mainly used to translate between Alphabetic, Domain Names and the associated numeric IP addresses, and direct email delivery. Most Internet Service Providers (ISP) rely on DNS to provide Internet Service to their customers. If DNS fails or is too slow, a given website may not be located in a timely manner, and email delivery could stall. Across the Internet, a multitude of Domain Name Servers quietly resolve the familiar addresses you type into your browsers address bar, into specific, Numeric Internet Addresses. These servers are basically large directories of common names such as Amazon, Google, and Microsoft, along with the IP-specific addresses that you (generally) do not see. For example, if you type www.whipnet.com, this request goes to your nearest DNS server, which then queries DNS for the registered IP address for the associated Web server. It's much more convenient than always remembering, and entering a string of numbers which does not always bring up a/the website.
In October, 2002, criminal hackers, “crackers” attempted a DOS attack directed at the 13, high-level, or root, DNS servers located throughout the world. Although 10 failed, and went offline, the Internet itself didn't fail. Why? Because the subservers that most people actually access when they type in a URL, or click a link, all have independent, 24-hour cache backups of popular addresses. In other words, there are more than enough DNS servers to keep new requests running smoothly, but there is still room for an occasional hiccup; depending on where you are in the world compared to where the host is, with which you are attempting a connection.
Phishing Hole Discovered in Internet Explorer
FTC Shuts Down Spyware Web Sites
Phishing Flaw in Alternate Browsers
Hackers, Beyond the Browser