[Paleopsych] CSM: New twist on 'phishing' scam - 'pharming'

Premise Checker checker at panix.com
Sat Jul 30 15:25:45 UTC 2005

New twist on 'phishing' scam - 'pharming'
[Thanks to Laird for this.]
                       from the May 05, 2005 edition -

    By [2]Gregory M. Lamb | Staff writer of The Christian Science Monitor

       "The pharmers are coming! The pharmers are coming!" Hang warning
       lanterns all over the Internet: It's under attack by a new scam.

    For two years users have been hearing about "phishing," the sending of
     bogus e-mails - allegedly from a bank or other online business - by
    criminals who hope to hook the unwary. Those who bite by clicking on a
            hyperlink in the e-mail are shipped off to a phony but
    authentic-looking website and asked to enter sensitive information. If
      they type in their passwords or account numbers, thieves have that

     Now phishers have been joined by "pharmers," who have made the ruse
      more sophisticated by planting a seed of malicious software in the
    user's own computer - or poisoning servers that direct traffic on the
      Internet. The result: Even if you type in the correct address of a
              website, the software can send you to a bogus one.

     "It's a rapidly growing threat, and one we've been seeing a lot more
     discussion about" among Internet security experts and people in the
       banking industry, says Lance Cottrell, founder and president of
     Anonymizer Inc. in San Diego, an Internet privacy and security firm.
    Phishing attacks "rely on some gullibility of and participation by the
    victims," Mr. Cottrell says, since they must be persuaded to click on
       a link within the e-mail. But not clicking on such links "is no
                    protection against a pharming attack."

    Here's how the scam works. The thieves rely on the fact that the word
     address you use, such as www.my-bank.com, is connected to a distinct
    numerical address. Just like a phone number, it routes your browser to
    the right website. Pharming replaces the number with a fraudulent one,
           sending you to a criminal site instead of the real one.

     Besides keeping antivirus and antispyware programming up to date on
        their PC, users have few other ways to defend themselves from

     But any website that is conducting financial transactions should be
    able to maintain a secure website, Internet security experts say. The
    corner of the browser should display a padlock symbol, and the address
       in the address bar should begin with "https," not simply "http."
                            Are you being scammed?

    To determine if you're at the real site, click on the lock symbol and
      make sure it displays the address you are expecting to be at, says
       Mikko Hyppönen, chief research officer of F-Secure, an Internet
                    security company in Helsinki, Finland.

      But another kind of pharming, sometimes called "domain spoofing,"
      "domain poisoning," or "cache poisoning," attacks the servers that
    route traffic around the Internet. These so-called domain name system
     (DNS) servers also link the word address to its underlying numerical

      To corrupt a DNS "takes significantly more expertise, more access"
       than attacking PCs, says Peter Cassidy, secretary-general of the
     Anti-Phishing Working Group, which has offices in Cambridge, Mass.,
     and Menlo Park, Calif. That's why thieves first will try to get into
                            individual computers.

     "They're the low-hanging fruit," he says. But "they'll try anything
    that works." Some servers are hard to crack, he says, but others don't
                       keep their defenses up-to-date.

    Unlike the traditional landline telephone system, which was built from
    the outset to be a commercial enterprise, the Internet was designed to
    make sharing of information between scholars and researchers fast and
                 easy, not for secure financial transactions.

    "It was built in a laboratory by guys who knew each other and married
     each other's sisters," Mr. Cassidy says. Now new layers of security
        continually must be added, as criminals probe for weak points.
                               Spreading fraud

        The Anti-Phishing Working Group reports that the number of new
    phishing messages rose by an average 38 percent per month in the last
                             six months of 2004.

      And pharming was one of the top five Internet scams in March 2005,
      says a recent report from the National Cyber-Forensics & Training
        Alliance, a nonprofit arm of the Direct Marketing Association.
    Internet fraud in general, which includes phishing and pharming, cost
       merchants $2.6 billion in 2004, $700 million more than in 2003,
      according to CyberSource Corp., which processes Internet financial

     While Cassidy has seen some disturbing pharming attack reports from
     Britain, "we haven't seen it taking over the universe," he says. "We
      have seen significant attacks, but not rapid proliferation, partly
                because it does take a little more expertise."

      One pharming technique is to flood the DNS server with messages to
    trick it into saving false information that will send users to a phony
      website, Cottrell says. "Then in many cases [the criminals] try to
     bounce you back to the real bank's website, so that you're not aware
                         that anything has happened."

     Phishers and pharmers set up their fake websites for only a few days
       or even a few hours, then move on before they can be found out.

    Cottrell's company, Anonymizer, runs all its clients' Internet traffic
    through its own secure DNS servers, which he says can protect clients
                                from pharming.
                               Keyboard trouble

     But even if crooks can't get at your PC or the DNS server, they can
                    always hope that you just can't spell.

    Early last week, F-Secure discovered that a malicious website had been
      set up at www.googkle.com, just one keystroke away from the famous
    [3]www.google.com site. Users who accidentally went to the site using
    the popular Internet Explorer browser immediately were inundated with
     spyware, adware, and other malicious software that tried to secretly
                         load itself onto their PCs.

     By the end of last week, the site had disappeared. But Mr. Hyppönen
      still warns people not to try to visit it out of curiosity. "These
                   things sometimes pop up again," he says.

    The technique isn't new. Similar attack sites have been created just a
       slip of the finger away from sites such as CNN.com, AOL.com, and
                           MSN.com, Hyppönen says.

    The people behind the malicious sites can be anywhere from South Korea
     to Brazil to Russia. The PC operating the site could be "somebody's
     grandmother's computer in Canada" being remotely controlled without
                           her knowledge, he adds.
                               Gone 'phishing'

     "Phishing" means sending out official-looking e-mails to tempt users
    to visit a bogus website and type in personal or financial data. Here
                     are key points from a March report:

     o Since July 2004, the number of websites linked to the scam rose an
                         average 28 percent a month.

     o The United States hosted a third of the phishing sites - more than
     any other nation - followed by China (12 percent) and South Korea (9

        o Financial services are the most frequent target, with 4 of 5
      phishers appropriating the brand of a bank or some other financial

    o Such sites only last an average 5.8 days before they're taken down.

     o A new version of the scam - "pharming" - plants malicious software
                    on PCs to direct users to bogus sites.

                     Source: Anti-Phishing Working Group

More information about the paleopsych mailing list