Friday, May 06, 2005

Pharming

CSM reports For two years users have been hearing about "phishing," the sending of bogus e-mails - allegedly from a bank or other online business - by criminals who hope to hook the unwary. Those who bite by clicking on a hyperlink in the e-mail are shipped off to a phony but authentic-looking website and asked to enter sensitive information. If they type in their passwords or account numbers, thieves have that data.

Now phishers have been joined by "pharmers," who have made the ruse more sophisticated by planting a seed of malicious software in the user's own computer - or poisoning servers that direct traffic on the Internet. The result: Even if you type in the correct address of a website, the software can send you to a bogus one....

Phishing attacks "rely on some gullibility of and participation by the victims," Mr. Cottrell says, since they must be persuaded to click on a link within the e-mail. But not clicking on such links "is no protection against a pharming attack."

Here's how the scam works. The thieves rely on the fact that the word address you use, such as www.my-bank.com, is connected to a distinct numerical address, like a browser to the right website. Pharming replaces the number with a fraudulent one, sending you to a criminal site instead of the real one.

Besides keeping antivirus and antispyware programming up to date on their PC, users have few other ways to defend themselves from pharming.

But any website that is conducting financial transactions should be able to maintain a secure website, Internet security experts say. The corner of the browser should display a padlock symbol, and the address in the address bar should begin with "https," not simply "http."...

But another kind of pharming, sometimes called "domain spoofing," "domain poisoning," or "cache poisoning," attacks the servers that route traffic around the Internet. These so-called domain name system (DNS) servers also link the word address to its underlying numerical address.

To corrupt a DNS "takes significantly more expertise, more access" than attacking PCs, says Peter Cassidy, secretary-general of the Anti-Phishing Working Group, which has offices in Cambridge, Mass., and Menlo Park, Calif. That's why thieves first will try to get into individual computers.


Be careful

No comments: