Security Update: Phishing and Pharming
June 22, 2005
In Focus: Phishing and Pharming
by Mark Joseph Edwards, News Editor (mark at ntsecurity / net)
You've undoubtedly heard of "phishing," luring users (typically through email messages) to phony Web sites that imitate legitimate Web sites to try to trick users into divulging private information such as logon IDs, passwords, and account numbers. Phishing can lead to unauthorized monetary charges against your merchant accounts, unauthorized use of your services, and more.
Tools such as CoreStreet's SpoofStick (at first URL below) and the Netcraft Toolbar (at second URL below) can help in some cases. Both tools are add-ons for Microsoft Internet Explorer (IE) and Mozilla Firefox that try to determine and display the real domain of the site you're visiting.
Recently, hackers have begun combining phishing with DNS poisoning or DNS hijacking--also known as "pharming." In a pharming attack, the attacker either changes DNS records on the servers of an ISP or of the targeted company, or modifies a client system's HOSTS file or DNS settings. Obviously, protecting against such attacks means devising some method of establishing trust in DNS query results. The two tools I mentioned above don't help much against pharming.
I know of three ways to help prevent pharming attacks. The first method is for a company to use a service, such as one recently announced by MarkMonitor, to monitor the company's DNS servers for unauthorized changes. When unauthorized changes are detected, MarkMonitor alerts the company so that it can begin working to correct the situation.
A second method, which is also new, is to use Next Generation Security's (NGSEC's) AntiPharming tool, which works at the client level (rather than the server level) to prevent unauthorized changes to a system's HOSTS file and local DNS settings. It also listens on the system's network interfaces to capture DNS query responses and then double-checks those responses against "three secure DNS servers." The tool comes with three DNS servers preconfigured, and you can modify those server addresses as you see fit. The tool is available free for personal use and requires a fee for commercial use.
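The two client-side checks described above (watching the HOSTS file and comparing a DNS answer with several reference resolvers) can be sketched as follows. This is an added example, not NGSEC's code: the function names, the resolver labels, the two-of-three quorum, and all sample data are assumptions constructed for illustration, and the reference answers are passed in rather than fetched so the block runs offline.

```python
import ipaddress

# Constructed sample data: documentation-range addresses and .example names.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# 192.0.2.10 www.bank.example   (commented out, ignored)
203.0.113.66  www.bank.example bank.example  # unexpected pin
"""
REFERENCE = {  # answers collected from three trusted resolvers (hypothetical names)
    "resolver-a": {"192.0.2.10"},
    "resolver-b": {"192.0.2.10", "192.0.2.11"},
    "resolver-c": set(),  # timed out
}

def hosts_overrides(hosts_text, watched):
    """Return {name: ip} for watched names that a HOSTS file pins locally."""
    found = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in watched:
                found[name] = fields[0]
    return found

def cross_check(observed, reference, quorum=2):
    """Classify an observed answer as 'match', 'mismatch' or 'inconclusive'."""
    seen = {ipaddress.ip_address(a) for a in observed}  # normalise notation
    answered = agree = 0
    for ips in reference.values():
        if not ips:          # resolver gave no answer: it cannot vote
            continue
        answered += 1
        if seen & {ipaddress.ip_address(a) for a in ips}:
            agree += 1
    if answered < quorum:
        return "inconclusive"  # too few references to judge either way
    return "match" if agree >= quorum else "mismatch"

if __name__ == "__main__":
    print(hosts_overrides(SAMPLE_HOSTS, {"www.bank.example", "bank.example"}))
    print(cross_check({"203.0.113.66"}, REFERENCE))
    print(cross_check({"192.0.2.10"}, REFERENCE))
```

Large sites legitimately return different addresses to different resolvers, so a "mismatch" result is a prompt to investigate rather than proof of poisoning.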
Another new solution, Identity Cues from Green Armor Solutions, works at the Web site level. The first time a user logs on to an Identity Cues-protected Web site, the product generates colored visual cues that will then appear each time the user logs on to the site. A spoofed Web site won't be able to generate the same cues, so a user sent to a spoofed site will immediately know that he or she isn't visiting the legitimate Web site. Identity Cues is definitely a novel concept.
All three approaches sound like good ideas and would go a long way towards thwarting phishing and pharming. I suspect that there are other ways to help prevent pharming, but at this point I'm unaware of any other solutions. If you know of any, please send me an email message that fills me in on the details.
This story originally appeared online at: http://www.windowsitpro.com/Article/ArticleID/46789/46789.html?Ad=1