Sunday, August 21, 2011

What is a Pharming Attack? - DNS Poisoning


I hope you know about phishing attacks. In a phishing attack, the user is tricked into visiting a fake page through scam emails. If you are careful enough to check the URL of the site, you will find that it is not the original one. So it is possible for a user to detect a phishing attack by verifying the URL. But a hacker can take the phishing attack to the next level with a pharming attack.

What is Pharming?
A pharming attack redirects the user to the fake (phishing) page even though the user enters the correct address. For example, facebook.com will show the fake page instead. The term pharming is derived from farming and phishing. In recent years both pharming and phishing have been used to obtain information for online identity theft. Pharming has become a major concern to businesses hosting e-commerce and online banking websites.
How does it work?
Method 1: DNS Poisoning: 

1. The attacker hacks into the DNS server and changes the IP address for www.targetsite.com to the IP address of www.targetsite1.com (the fake page).

2. When the user enters the URL in the address bar, the computer queries the DNS server for the IP address of www.targetsite.com.

3. Since the DNS server has already been poisoned by the attacker, it returns the IP address of www.targetsite1.com (the fake page).

4. The user believes it is the original website, but it is a phishing page.

Method 2: HOSTS file Modification:
This method is local DNS poisoning.
What is the hosts file?
The hosts file contains domain names and the IP addresses associated with them. Your hosts file will be in this path:
 C:\Windows\System32\drivers\etc\
In this attack, the entries of the hosts file are changed so that the original website points to some other fake page. Please read this article to know more about this method: Use original Domain for phishing using hosts file
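A defender can check for this kind of local redirection by auditing the hosts file for entries that override domains they care about. The following is an added example, not code from the original post; the watched-domain list, the function names and the sample hosts content are all assumptions constructed for illustration.

```python
import ipaddress

# Assumption: domains chosen by whoever runs the audit.
WATCHED = {"targetsite.com", "facebook.com"}

# Constructed sample hosts-file content, not taken from a real machine.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.targetsite.com targetsite.com   # unexpected override
0.0.0.0         ads.example.net
198.51.100.7    WWW.Facebook.COM.
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP address
        for name in fields[1:]:                  # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(hostname, watched=WATCHED):
    """True for a watched domain or any of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return hosts entries that point a watched domain at a non-local address."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        # Design choice in this example: loopback/unspecified entries are
        # treated as blocklist-style lines rather than redirects.
        if is_watched(name, watched) and not (ip.is_loopback or ip.is_unspecified):
            findings.append((line_no, name, str(ip)))
    return findings

if __name__ == "__main__":
    for line_no, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to {ip} by the hosts file")
```

To audit a real machine, pass the contents of the hosts file from the path above to `audit_hosts` instead of the constructed sample.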

Other types of pharming attacks involve Trojan horses, worms or other technologies that attack the browser address bar, thus redirecting you to a fraudulent website when you type in a legitimate address.

Instances of Pharming:
In January 2005, the domain name for a large New York ISP, Panix, was hijacked to point to a site in Australia. No financial losses are known.

In January 2008, Symantec reported a drive-by pharming incident directed against a Mexican bank in which the DNS settings on a customer's home router were changed after receipt of an e-mail that appeared to be from a legitimate Spanish-language greeting card company.

In a poisoning attack in early March 2010, requests from more than 900 unique Internet addresses and more than 75,000 e-mail messages were redirected, according to log data obtained from compromised Web servers that were used in the attacks, says PC Mag.

Prevention of Pharming:
  • Use anti-phishing add-ons for Mozilla to detect phishing webpages.
  • Use the SpoofStick add-on, which detects fake pages.
  • Use Internet security software (Kaspersky, BullGuard Internet Security).



© Break The Security. Copyright 2008 All Rights Reserved