Wednesday, June 5, 2019

Phishing and Pharming Attacks

This report provides an overview of phishing and pharming attacks: what phishing is, what pharming is, what impacts they can cause, and what solutions can be applied to remediate or minimize the chance of being attacked by phishing and pharming.

Phishing attacks are web frauds or identity thefts that attempt to acquire or steal targeted victims' sensitive information, such as personal identity data or financial account credentials. Phishing can be carried out by attackers using social engineering, such as sending e-mail, or through instant messaging (IM), peer-to-peer (P2P) networks, search engines and other techniques that redirect users to a fraudulent website.

Pharming is the new twist of Internet fraud or identity theft. It is an evolution of phishing that is used to achieve the same goal, but pharming is more sophisticated. Pharming can be carried out using technical subterfuge such as DNS cache poisoning, domain hijacking and other techniques to redirect users to a fraudulent website or proxy server in order to solicit users' sensitive personal information.

Phishing and pharming attacks have a financial impact on the targeted victims and can hit small organizations hard. They also undermine consumers' confidence in using the Internet for secure transactions or communication. Besides this, phishing and pharming also make law investigation harder.

Table of Content

Summary
Table of Content
Table of Tables and Figures
Introduction
Method of Phishing Attack
  2.1 Link Manipulation
  2.2 Filter Evasion
  2.3 Website Forgery
  2.4 Phone Phishing
  2.5 Example of Phishing
  2.6 Phishing Report
Method of Pharming Attack
  How Pharming Works
  DNS cache poisoning
  Domain Hijacking
  Registration of similar sounding domains
Impact caused by phishing / pharming
Prevention of phishing and pharming
  Prevention: What to do?
  Prevention: What not to do?
  Classic phishing defenses
    Client-side
    Server-side
    Enterprise
  Additional Pharming-Specific defenses
    Change Management, Monitoring and Alerting
    Third-party Host Resolution Verification Services
    DNS Server Patching, Updating and Configuration
    Search engine Control
Conclusion
Recommendation
Reference
Bibliography
Appendix
  Template 1.0
  Template 2.0

TABLE OF TABLES AND FIGURES

Figure 1
Figure 2
Figure 3
Figure 4
Figure 5

INTRODUCTION

Phishing and pharming are two of the most organized crimes of the 21st century, requiring very little skill on the part of the fraudster. They result in identity theft and financial fraud when the fraudster tricks online users into giving up confidential information such as passwords, Social Security numbers, credit card numbers, CVV numbers, and personal information such as birthdates and mothers' maiden names. This information is then either used by fraudsters for their own needs, such as impersonating the victim to transfer funds from the victim's account or to purchase merchandise, or is sold in a variety of online brokering forums and chat channels for a profit.

The Anti-Phishing Working Group (APWG) study indicates that 26,877 phishing attacks were reported in October 2006, a 21 percent increase over September's 22,136 attacks and an increase of 70% as compared to October 2005. Through these attacks the fraudsters hijacked 176 brands, resulting in huge financial losses and loss of reputation to enterprises.
The Gartner study reported that more than 2 million Americans have had their checking accounts raided by criminals in 2004, the average loss per incident being $1,200. With phishers developing ever more sophisticated attacks, these numbers are bound to increase in the near future. Hence, battling these attacks has become a high priority for governments and industry groups.

METHOD OF PHISHING ATTACK

Link Manipulation

Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers, such as this example URL, http://www.yourbank.example.com/. Another common trick is to make the anchor text for a link appear to be valid, when the link actually goes to the phisher's site, such as http://en.wikipedia.org/wiki/Genuine.

An old method of spoofing used links containing the '@' symbol, originally intended as a way to include a username and password (contrary to the standard). For example, the link http://www.google.com@members.tripod.com/ might deceive a casual observer into believing that it will open a page on www.google.com, whereas it actually directs the browser to a page on members.tripod.com, using a username of www.google.com; the page opens normally, regardless of the username supplied. Such URLs were disabled in Internet Explorer, while Mozilla and Opera present a warning message and give the option of continuing to the site or cancelling.

A further problem with URLs has been found in the handling of Internationalized Domain Names (IDN) in web browsers, which might allow visually identical web addresses to lead to different, possibly malicious, websites.
Despite the publicity surrounding the flaw, known as IDN spoofing or a homograph attack, no known phishing attacks have yet taken advantage of it. Phishers have taken advantage of a similar risk, using open URL redirectors on the websites of certain organizations to disguise malicious URLs with a trusted domain.

Filter Evasion

Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing e-mails.

2.3 Website Forgery

Once the victim visits the website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL.

An attacker can even use flaws in a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.

A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture log-in details entered at the fake site.

To avoid anti-phishing techniques that scan websites for phishing-related text, phishers have begun to use Flash-based websites. These look much like the real website, but hide the text in a multimedia object.

2.4 Phone Phishing

Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts.
Once the phone number (owned by the phisher, and provided by a Voice over IP service) was dialed, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

EXAMPLE OF PHISHING

As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows. They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.

The following is an example of what a phishing scam e-mail message might look like.

Figure 1: Example of a phishing e-mail message, which includes a deceptive URL address that links to a scam Web site.

To make these phishing e-mail messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate Web site, but actually takes you to a phony scam site or possibly a pop-up window that looks exactly like the official site.

These copycat sites are also called spoofed Web sites. Once you're at one of these spoofed sites, you might unwittingly send personal information to the con artists.

PHISHING REPORT

Figure 2: The number of websites hosting key logging crimeware systems rose by over 1,100, reaching 3,362, the second highest number recorded in the preceding 12 months. Websense Security Labs believes much of this increase is due to attackers' increasing ability to co-opt sites to spread crimeware using automated tools.

Figure 3: The number of unique key logger crimeware variants detected in January reached a new high of 364, an increase of 1.4% from the previous high in October 2007.

Figure 4: Anti-Phishing Working Group, Phishing Activity Trends Report, June 2005.

Phishing undermines consumer confidence.
Corporate websites of valid, well-respected companies are being cloned to sell nonexistent products, or to get consumers to participate in money-laundering activities while believing that they are dealing with a legitimate organization. The public relations consequences for the company that has had its website cloned can be as severe as the financial losses.

3.0 METHOD OF PHARMING ATTACK

You must be well aware of phishing and its potential to cause damage. Phishers bait bank customers with genuine-looking e-mails and manage to take money or personal information from unsuspecting customers with reasonable success. You are also aware that responding to mails sent by your bank may not be a good idea, because banks never need to send e-mails to get your credentials. They have more secure channels to get that information.

However, pharming attacks do not require an attacker to send mails. By carrying out pharming attacks, a criminal can get access to a wider target than phishing e-mails, and as quickly as possible. Hence the "ph" effect on the word "farming". They are not fishing, they are farming for gullible people. By the way, pharming is a real dictionary word.

HOW PHARMING WORKS

Pharming attacks do not take advantage of any new technique. They use the well-known DNS cache poisoning, domain spoofing and domain hijacking techniques that have been around for quite long. However, the motives for carrying out these attacks have changed.

Earlier, attackers were interested in just disrupting services and causing nuisance. But now the game has become a matter of money rather than chest thumping. These techniques continue to exist because administrators and website owners don't care to secure and monitor their DNS servers, while they have invested millions of dollars in application firewalls.

How a common pharming attack is carried out

Figure 5

1. The attacker targets the DNS service used by the customer.
This server can be a DNS server on the local area network or the DNS server hosted by an ISP for all users. The attacker, using various techniques, manages to change the IP address of www.nicebank.com to the IP address of a web server which contains a fake replica of nicebank.com.
2. The user wants to go to the website www.nicebank.com and types the address in the web browser.
3. The user's computer queries the DNS server for the IP address of www.nicebank.com.
4. Since the DNS server has already been poisoned by the attacker, it returns the IP address of the fake website to the user's computer.

The user's computer is tricked into thinking that the poisoned reply is the correct IP address of the website. The user has now been fooled into visiting a fake website controlled by the attacker rather than the original www.nicebank.com website.

Once the attacker has managed to get the user to visit the fake website, there are many ways in which the user can be tricked into revealing his or her credentials or giving out personal information. The beauty, or let's say the notoriety, of pharming over phishing is evident from the fact that one successful attempt at poisoning the DNS server can potentially be used to trick all the users of that DNS service. Much less effort and wider impact than phishing.

DNS cache poisoning

All DNS servers cache the queries that users have made for a certain period of time. This is done to speed up the responses to users for frequently used domains. This cache maintained by the DNS server can be poisoned by using malicious responses or by taking advantage of vulnerabilities in the DNS software itself.

Domain Hijacking

This is an actual incident that took place a year ago. Panix, an ISP based in New York, was the target of a domain hijack attack. All domains are typically registered with registrars, which store information about the owner of a domain and the location of the domain's DNS servers.
If any of this information is required to be changed, the approval of the domain owner is required. A domain owner can even switch registrars depending on costs and convenience. However, confirmation of the switch is required from all three parties: the domain owner, the old registrar and the new registrar.

In the case of Panix, a change was initiated by an unknown person in Australia. The person managed to skip confirmation from the old registrar and the domain owner. This was because the new registrar was not following the domain transfer process strictly. The result was that the unknown person managed to gain complete control over the panix.com domain. The person managed to divert all the web traffic of panix.com and customer e-mails to another server located in Canada.

Domain hijacking has the widest impact because the attacker targets the domain registration information itself.

Registration of similar sounding domains

Similar sounding or similar looking domains are another source of security issues for Internet users. An attacker can register a domain www.n1cebank.com and carry out pharming and phishing attacks on unsuspecting customers who don't notice that the letter i has been replaced by a 1.

Also, domain names created by typos in the original words (e.g. www.nicebqnk.com) manage to attract a lot of traffic. One such study on a popular domain, cartoonnetwork.com, shows that one in four people visiting the website incorrectly type a simple name like cartoonnetwork.com. So what about typo domains? One quick search in Google reveals that it is quite a big concern. An attacker can easily buy typo domains and set up his fake website on these domains to fool unsuspecting visitors.

IMPACT CAUSED BY PHISHING AND PHARMING

The rise of phishing and pharming has had several impacts. One of them is financial loss for both organizations and consumers.
According to InternetNews.com, banks and credit card issuers lost about $1.2 billion in 2003, while in 2004 a loss of about 12 million was reported by the Association of Payment Clearing Services in the United Kingdom. Due to credit card association policies, online merchants that accepted and approved transactions made using credit card numbers solicited through Internet fraud may be liable for the full amount of those transactions. This can hit small organizations hard.

Another impact of phishing and pharming is the undermining of consumers' trust in secured Internet transactions or communication. This occurs because Internet fraud like phishing and pharming makes consumers feel uncertain about the integrity of financial and commercial websites, even when the web address displayed in the address bar is correct.

Phishing and pharming also have an impact on law investigation. They make investigation harder because the techniques attackers use to carry out phishing and pharming are more sophisticated. Nowadays, attackers can perform a phishing or pharming attack from any location that has an Internet connection, and they can use that connection to carry out their attacking activities. Those activities include controlling a computer located in one place to perform phishing and pharming attacks through a computer located in another place. Investigation also becomes harder because the attacking tasks are divided among several people located in different places.

PREVENTION OF PHISHING AND PHARMING

Pharming attacks tend to be harder to defend against than traditional phishing attacks due to the distributed nature of the attack focus and the use of resources not under the control of the victim organisation.
In addition, the manipulation of the DNS resolution process occurs at such a fundamental level that there are very few methods available to reliably detect any malicious changes.

5.1 PREVENTION: WHAT TO DO?

- Use anti-virus software, spyware filters, e-mail filters and firewall programs, and make sure that they are regularly updated to protect your computer.
- Ensure that your Internet browser is up to date and security patches are applied.
- Be suspicious of any e-mail with urgent requests for personal financial information or threats of termination of an online account.
- Don't rely on links contained in e-mails, even if the web address appears to be correct, and use only channels that you know from independent sources are reliable (e.g., information on your bank card, hard copy correspondence, or monthly account statement) when contacting your financial institution.
- When submitting credit card or other sensitive information via your Web browser, always ensure that you're using a secure website.
- Regularly log into your accounts.
- Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.

PREVENTION: WHAT NOT TO DO?

- Don't assume that you can correctly identify a website as legitimate just by looking at its general appearance.
- Don't use the link in an e-mail to get to any web page if you suspect the message might not be authentic.
- Avoid filling out forms in e-mail messages or pop-up windows that ask for personal financial information.

CLASSIC PHISHING DEFENCES

Many of the defences used to thwart phishing attacks can be used to help prevent or limit the scope of future pharming attacks.
While readers are referred to the detailed coverage of these defence tactics explained in The Phishing Guide, a brief summary of these key defences is as follows.

Client-Side

- Desktop protection technologies
- Use of appropriate, less sophisticated, communication settings
- User application-level monitoring solutions
- Locking-down browser capabilities
- Digital signing and validation of email
- General security awareness

5.3.2 Server-Side

- Improving customer awareness
- Providing validation information for official communications
- Ensuring that the Internet web application is securely developed and doesn't include easily exploitable attack vectors
- Using strong token-based authentication systems
- Keeping naming systems simple and understandable

5.3.3 Enterprise

- Automatic validation of sending email server addresses
- Digital signing of email services
- Monitoring of corporate domains and notification of similar registrations
- Perimeter or gateway protection agents
- Third-party managed services

ADDITIONAL PHARMING-SPECIFIC DEFENCES

While phishing attacks typically use email as the attack delivery platform, pharming attacks do not require any email obfuscation attacks to succeed; therefore phishing defences that rely upon email security play a lesser role. The defences that will be most successful in preventing pharming attacks focus upon the following areas:

- Change management, monitoring and alerting
- Third-party host resolution verification
- DNS server patching, updating and configuration
- Search engine control

5.4.1 Change Management, Monitoring, and Alerting

The potential for an administrator or other authorised employee to maliciously modify DNS resolution information without detection is great.
As financial incentives increase, organisations and ISPs will need to ensure that adequate change control, monitoring and alerting mechanisms are in place and enforced.

It is recommended that:

- Wherever editing is possible, access to DNS configuration files and caching data is limited to approved employees only.
- A change management process is used to log and monitor all changes to DNS configuration information.
- Auditing of DNS record changes is instigated by a team external to any DNS administrative personnel, with automatic alerting of changes conducted in real time.
- Regular audits and comparative analysis of secondary DNS and caching servers should be conducted.

Third-party Host Resolution Verification Services

Toolbars

Many third-party developed plug-in toolbars originally designed to detect phishing attacks are deceived by pharming attacks. Typically, these phishing toolbars show the IP address and reverse lookup information for the host that the browser has connected to, so that the customer can clearly see if he has reached a fake site. Some managed toolbars (normally available through a subscription service) also compare the host name or URL of the current site to an updatable list (or real-time querying) of known phishing sites.

Some toolbars now offer limited anti-pharming protection by maintaining a stored list of previously validated good IP addresses associated with a particular web address or host name. Should the customer connect to an IP address not previously associated with the host name, a warning is raised. However, problems can occur with organisations that change the IP addresses of their online services, or have large numbers of IP addresses associated with a particular host name.

In addition, some toolbars provide IP address allocation information, such as clearly stating the geographic region associated with a particular netblock.
This is useful for identifying possible fake pharming sites that have been set up in Poland pretending to be for an Australian bank, for instance.

Server Certificates

To help prevent pharming attacks, an additional layer can be added to the authentication process, such as getting the server to prove it is what it says it is. This can be achieved through the use of server certificates.

Most web browsers have the ability to read and validate server identification certificates. The process would require the server host (or organisation) to obtain a certificate from a trusted certificate authority, such as Verisign, and present it to the customer's browser upon connection for validation.

5.4.3 DNS Server Patching, Updating and Configuration

As with any Internet-based host, it is vital that all accessible services be configured in a secure manner and that all current security updates or patches be applied. Failure to do so is likely to result in exploitation of any security weaknesses, resulting in a loss of data integrity. Given the number of possible attacks that can be achieved by an attacker who manages to compromise an organisation's DNS servers, these hosts are frequently targeted by attackers. Therefore it is vital that security patches and updates be applied as quickly as possible; typically organisations should aim to apply fixes within hours of release.

Similarly, it is important that organisations use up-to-date versions of the service wherever possible. As we have already discussed in section 3.6, each new version of the DNS software usually contains substantial changes to protect against the latest attack vectors (e.g. randomising DNS IDs, randomising port numbers, etc.).

5.4.4 Search Engine Control

Internet search engines are undergoing constant development.
Many of the methods used by attackers to increase their page ranking statistics are known to the search engine developers, and a constant cycle of detection and refinement can be observed on both sides. For instance, Google modified its search algorithm to reset the page rank statistics of web sites that had recently changed ownership; this was to reduce the impact of instant backlinks and the weighting they attach to a ranking.

Traditionally the emphasis on increasing a page's ranking has been for revenue or lead generation, most closely associated with advertising. However, the increasing pace at which customers are relying upon search engines to access key services (such as online banking) means that a pharmer who can get his fake site ranked at the top is likely to acquire a high number of victims.

Organisations should ensure that they regularly review keyword associations with their online services. Ideally, automated processes should be developed to constantly monitor all the popular search engines for key search words or phrases customers are likely to use to locate their key services. It is also important that region-specific search engines be monitored.

CONCLUSION

The term phishing refers to the use of social engineering, through online imitation of brands, to send spoofed e-mail containing a hyperlink to a fraudulent website in order to solicit users' sensitive personal information such as credit card number, PIN, mother's maiden name, etc. Phishing can also be done by installing a keylogger on the user's computer.

Pharming uses technical subterfuge like DNS cache poisoning, domain hijacking, and router settings or firmware misconfiguration to redirect users to a fraudulent website. Pharming may also be performed by sending the targeted victims an e-mail containing a virus or Trojan horse that installs a small application which redirects the user to a fraudulent website.

Both phishing and pharming have several impacts.
Those impacts include financial loss, the undermining of user confidence in secured online transactions or communication, a hard hit to small organizations, and harder law investigation.

Web developers should apply SSL certificates, switch off recursive queries or use the DNS security extension, because these can protect the DNS or website from phishing and pharming attacks. Visual clues can also be used so that users can easily differentiate between an authentic website and a fraudulent one. Token-based authentication is also one of the techniques that can be applied to protect the website or DNS server from phishing and pharming attacks.

Users are also responsible for protecting themselves from phishing and pharming attacks by not opening e-mail or downloading attachments from unknown senders, or e-mail that requires the user to respond by clicking on a hyperlink contained in it. Users should also double-check the URL in the address bar when a warning message appears, such as one saying that the SSL certificate does not match the site. Users can also install a security suite or firewall on the computer to protect themselves from phishing and pharming. Users can also look for the lock or key icon at the bottom of the browser, which shows that the site where they want to enter their sensitive personal information is locked.

As users, we can also report phishing and pharming attacks to the related agencies or companies through the Internet or by telephone, to help the work of minimizing the attacks. In addition, laws are also being introduced against phishers and pharmers.

RECOMMENDATION

To avoid becoming victims of phishing and pharming, I suggest that users install a security suite or firewall on their computer, and that the detection signatures of the security suite be kept up to date.
Besides this, I also suggest that users be careful when opening any e-mail or attachment that they receive, in order to prevent themselves from becoming victims of phishing and pharming.

I also suggest to web developers that they should use SSL certificates, switch off recursive queries, install DNS security extension in protect
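
The link tricks described under Link Manipulation (brand name used as a subdomain, misleading anchor text, the '@' form, IDN hosts) and the look-alike domains described under "Registration of similar sounding domains" can be checked mechanically, for example in an e-mail gateway. The Python code below is an added example, not part of the original report; the protected-domain list, the function names and the sample message body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation owns (assumption).
PROTECTED = ("nicebank.com", "yourbank.com")
# Fold characters commonly swapped for each other: 1/i/l, 0/o, 5/s.
SKELETON = str.maketrans("1i05", "llos")

def host_of(url):
    """Lower-cased host of a URL, or '' when it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return ""

def registered_domain(host):
    """Naive last-two-labels rule; real code needs the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, to catch one-key typos such as nicebqnk.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(href, text):
    """Findings for one <a href=...>text</a> pair from an e-mail body."""
    host = host_of(href)
    if not host or not href.lower().startswith(("http://", "https://")):
        return []
    findings, labels, reg = [], host.split("."), registered_domain(host)
    if urlsplit(href).username is not None:
        findings.append("userinfo-before-@")
    if any(label.startswith("xn--") for label in labels):
        findings.append("idn-punycode-host")
    if reg not in PROTECTED:
        for good in PROTECTED:
            if good.split(".")[0] in labels[:-2]:
                findings.append("brand-as-subdomain:" + good)
            elif (reg.translate(SKELETON) == good.translate(SKELETON)
                  or edit_distance(reg, good) == 1):
                findings.append("lookalike-of:" + good)
    # Anchor text that is itself a URL or host name, but for another site.
    shown = text.strip()
    if shown and " " not in shown:
        shown_host = host_of(shown if "//" in shown else "//" + shown)
        if "." in shown_host and registered_domain(shown_host) != reg:
            findings.append("anchor-text-mismatch")
    return findings

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def scan_email_html(body):
    """Map each link target in an HTML body to its list of findings."""
    parser = LinkExtractor()
    parser.feed(body)
    return {href: check_link(href, text) for href, text in parser.links}

# Constructed sample body using the URLs this report mentions.
SAMPLE = """<p>Dear customer, please verify your account:</p>
<a href="http://www.yourbank.example.com/login">Your Bank</a>
<a href="http://www.google.com@members.tripod.com/">www.google.com</a>
<a href="http://www.n1cebank.com/">http://www.nicebank.com/</a>
<a href="http://www.nicebqnk.com/">Log in</a>
<a href="https://www.nicebank.com/help">www.nicebank.com</a>"""
```

Calling scan_email_html(SAMPLE) flags the first four links and returns an empty list for the genuine https://www.nicebank.com/help link.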

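
The stored list of validated addresses that anti-pharming toolbars keep, and the comparative analysis of secondary DNS and caching servers recommended under Change Management, Monitoring, and Alerting, can be combined into one audit. The Python code below is an added example, not part of the original report; the pin list, resolver names and answers are constructed, and pinning networks instead of single addresses is an assumption made to cope with hosts that have many addresses.

```python
import ipaddress

# Constructed pin list: networks already validated for each host name.
PINS = {"www.nicebank.com": ["192.0.2.0/28", "2001:db8:10::/48"]}

# Constructed answers for the same name from three resolvers (documentation
# address ranges); in practice these come from querying each server directly.
ANSWERS = {
    "primary-ns": ["192.0.2.10"],
    "secondary-ns": ["192.0.2.10", "2001:db8:10::5"],
    "office-cache": ["203.0.113.66"],
}


def unpinned(host, addresses, pins):
    """Addresses in an answer that fall outside every pinned network."""
    nets = [ipaddress.ip_network(n) for n in pins.get(host, [])]
    return sorted(a for a in addresses
                  if not any(ipaddress.ip_address(a) in net for net in nets))


def audit(host, answers, pins):
    """Return {resolver: verdict} for one host name.

    A resolver that strays from the pins while others still match is
    treated as possibly poisoned. If every answering resolver returns the
    same unpinned set, the organisation may simply have renumbered, so the
    verdict asks for a review of the pin list instead.
    """
    stray = {name: unpinned(host, addrs, pins) for name, addrs in answers.items()}
    answering = [name for name, addrs in answers.items() if addrs]
    renumbered = (bool(answering)
                  and all(stray[n] for n in answering)
                  and len({tuple(sorted(answers[n])) for n in answering}) == 1)
    verdicts = {}
    for name, addrs in answers.items():
        if not addrs:
            verdicts[name] = "no-answer"
        elif not stray[name]:
            verdicts[name] = "ok"
        elif renumbered:
            verdicts[name] = "review-pins: " + ",".join(stray[name])
        else:
            verdicts[name] = "possible-poisoning: " + ",".join(stray[name])
    return verdicts


if __name__ == "__main__":
    for resolver, verdict in audit("www.nicebank.com", ANSWERS, PINS).items():
        print(resolver, verdict)
```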