Pharming and Amorion: Difference between pages

:''For pharming in [[genetics]] see: [[pharming (genetics)]].''
:''For pharming in drug abuse see: [[Pharming parties]].''
 
'''Pharming''' is a [[Black hat|hacker]]'s attack that aims to redirect a [[website]]'s traffic to another, bogus, [[website]]. '''Pharming''' can be conducted either by changing the [[hosts file]] on a victim's computer or by [[Exploit (computer security)|exploitation]] of a [[vulnerability]] in [[Domain name system|DNS server]] [[software]]. DNS servers are [[computer]]s responsible for resolving Internet names into their real [[IP address|addresses]], the "signposts" of the [[Internet]]. A compromised [[Domain name system|DNS server]] is sometimes referred to as [[DNS cache poisoning|"poisoned"]]. The term '''pharming''' is a word play on ''farming'' and ''phishing''. The term [[phishing]] refers to a [[social engineering (computer security)|social engineering]] attack used to obtain [[Authentication|access credentials]] such as [[Login|user names]] and [[password]]s. In recent years both '''pharming''' and [[phishing]] have been used to [[Online identity theft|steal identity]] information. '''Pharming''' has become a major concern to businesses hosting [[ecommerce]] and [[online banking]] websites. Sophisticated measures known as [[anti-pharming]] are required to protect against this serious threat. [[Antivirus software]] and [[spyware removal software]] cannot protect against '''pharming'''.
 
==Explanation of pharming==
 
Every host on the Internet has an [[IP Address]] (currently, the standard for these addresses is [[IPv4]], which specifies that addresses are 32 [[bit]]s, but [[IPv6]], which uses many more bits to represent an address, is being deployed). These 32-bit addresses are usually represented textually as a 'dotted quad', four numbers separated by '''.''' (dots), for example '192.168.2.214'. Each of the four numbers is between 0 and 255, representing 8 of the 32 bits of the address. Machines on the Internet identify each other by their IP addresses, and every portion of data transmitted on the Internet (a [[packet]]) is tagged with the IP addresses of the putative sender and intended recipient. An IP address is roughly equivalent to a telephone number. But since it is difficult for humans to remember more than a few numbers, there are directories that map numbers to something easier for humans to remember. For telephone numbers there are telephone directories mapping names of people or businesses to numbers, and for IP addresses there is [[DNS]], the Domain Name System, mapping ___domain names (for example 'wikipedia.org') to IP addresses. The DNS server thus performs the same service as the telephone book: it returns an IP address for any ___domain name submitted to it.
 
Suppose a criminal wants to steal someone's account information. He sets up a fake website that duplicates in every aspect the look and feel of a bank or other sensitive website. How can he induce victims to visit the website and divulge their sensitive information (such as [[password]]s, [[Personal identification number|PIN numbers]] or [[Bank account|account]] numbers)? Phishing is the most common tactic, but it can be defeated if the victim notices that the web address doesn't match. But if the criminal hijacks the victim's DNS server, changing the IP address of the target website from its real IP address to the IP address of his fake website, the victim can enter the web address ([[URL]]) properly and still be directed to the fake website. Note that this is only possible when the victim accesses the original site via [[HTTP]] but not [[HTTPS]] (that is, with no [[Secure Sockets Layer|SSL]] protection), or if the user ignores a warning about an invalid [[Public key certificate|server certificate]].
 
== Pharming vulnerability at home ==
 
While malicious ___domain name resolution can result from compromises in the large numbers of trusted nodes that participate in a name lookup, the most vulnerable points of compromise are near the leaves of the internet. For instance, the ''[[Hosts file]]'' on a desktop computer, which circumvents name lookup with its own local name-to-IP-address mapping, is a popular target for malware that plants incorrect entries in it. Once rewritten, a legitimate request for a sensitive website can direct the user to a fraudulent copy. Desktops are often better targets for pharming because they receive poorer administration than most internet servers.
 
More worrisome than hosts file attacks is the compromise of a local network router<ref>mal-router</ref>. Since most routers specify a trusted DNS server to clients as they join the network, misinformation here will spoil lookups for the entire LAN. Unlike hosts file rewrites, local router compromise is difficult to detect. Routers can pass bad DNS information in two ways: misconfiguration of existing settings or wholesale rewrite of the [[embedded software]] (aka [[firmware]]). Nearly every router allows its administrator to specify a particular trusted DNS server in place of the one suggested by an upstream node (e.g., the ISP). An attacker could specify a DNS server under his control instead of a legitimate one. All subsequent resolutions will go through the bad server.
 
Alternatively, many routers have the ability to replace their firmware (i.e. the internal software that executes the device's more complex services). Like malware on desktop systems, a firmware replacement can be very difficult to detect. A stealthy implementation will appear to behave the same as the manufacturer's firmware: the administration page will look the same, settings will appear correct, etc. Pharming is only one of many attacks that malicious firmware can mount; others include eavesdropping, active [[man in the middle attack]]s, and traffic logging. As with misconfiguration, the entire LAN is subject to these actions.
 
By themselves, these pharming approaches have only academic interest. However, the ubiquity of consumer grade [[wireless router]]s presents a massive vulnerability. Administrative access is available wirelessly on most of these devices. Moreover, since these routers often work with their default settings, administrative passwords are commonly unchanged. Even when altered, many are guessed quickly through [[dictionary attack]]s, since most consumer grade routers don't introduce timing penalties for incorrect login attempts. Once administrative access is granted, all of the router's settings, including the firmware itself, may be altered. These factors conspire to make drive-by router compromise a clear and present threat. These attacks are difficult to trace because they occur outside the home or small office ''and'' outside the internet.
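The two leaf-level attack points described above (a rewritten hosts file, and a router handing out an attacker-chosen DNS server) can both be audited from the client. The following Python is an added example written for this page, not code from the article or from any of the cited papers: it parses hosts-file text and flags entries that pin a sensitive ___domain to a non-local address, and parses resolv.conf-style text and flags nameservers outside the set the LAN is expected to hand out. The sample file contents, the ___domain names and the expected resolver addresses are all constructed for the example.

```python
import ipaddress
from pathlib import Path

# Constructed sample hosts file (not from the article): benign loopback
# entries, an ad-blocking entry, and one entry that hijacks a bank ___domain.
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1       localhost
::1             localhost
# Planted entry: sends the bank's ___domain to an attacker-chosen address
203.0.113.45    www.example-bank.com example-bank.com
0.0.0.0         ads.example.net   # ad blocking, harmless
"""

# Constructed sample resolv.conf: the LAN router plus an unexpected server.
SAMPLE_RESOLV = """\
# Generated by DHCP
nameserver 192.168.1.1
nameserver 198.51.100.7
search lan
"""

# Domains we never expect to be overridden locally (assumed list).
SENSITIVE_DOMAINS = {"example-bank.com", "login.example.com"}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts-file text.

    Comments (#...) and blank lines are ignored; one address may carry
    several hostnames on a line, and unparsable addresses are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        entries.extend((addr, name.lower()) for name in names)
    return entries


def matches_sensitive(hostname, sensitive=SENSITIVE_DOMAINS):
    """True if hostname equals, or is a subdomain of, a sensitive ___domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in sensitive)


def audit_hosts(text, sensitive=SENSITIVE_DOMAINS):
    """Return hosts entries that redirect a sensitive ___domain.

    Loopback and unspecified targets (127.0.0.1, ::1, 0.0.0.0) block a
    name rather than redirect it, so they are not reported.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        if matches_sensitive(name, sensitive):
            findings.append((str(addr), name))
    return findings


def audit_resolvers(text, expected):
    """Return nameserver addresses in resolv.conf text not in `expected`."""
    unexpected = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in expected:
            unexpected.append(parts[1])
    return unexpected


if __name__ == "__main__":
    # Run against the constructed samples, then against the real files if present.
    print("sample hosts findings:", audit_hosts(SAMPLE_HOSTS))
    print("sample unexpected resolvers:", audit_resolvers(SAMPLE_RESOLV, {"192.168.1.1"}))
    for path, fn in (("/etc/hosts", audit_hosts),
                     ("/etc/resolv.conf", lambda t: audit_resolvers(t, {"192.168.1.1"}))):
        p = Path(path)
        if p.exists():
            print(path, "->", fn(p.read_text()))
```

On a real host, replace `SENSITIVE_DOMAINS` with the domains you actually care about and the expected resolver set with the address the router or ISP is supposed to hand out; an entry that sends one of those domains to an address other than loopback, or a nameserver you did not configure, is exactly the symptom the text describes.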
 
== How to protect against pharming ==
If you suspect you have encountered pharming of a site (one that still pretends to be the other site), a simple Windows check will help tell.
Click on Start > Run > type "command" (without the quotes). Once the command prompt opens, type "nslookup", followed by a space, and the IP address you find questionable.
If the ___domain name that comes up looks correct, then you are probably OK.
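The nslookup check just described, carried out programmatically as an added example that is not part of the article: reverse-resolve the suspect address and test whether the name that comes back sits under the ___domain you expected. The lookup function is injectable, so the constructed PTR table below lets the check run offline; on a live system the default uses the operating system resolver, which is what nslookup also consults. One caveat a practitioner would attach to this check: the PTR record is published by whoever controls the address block, so a matching name is supporting evidence, not proof.

```python
import socket


def reverse_name(ip):
    """Reverse (PTR) lookup through the system resolver, as nslookup does."""
    return socket.gethostbyaddr(ip)[0].lower()


def name_in_domain(hostname, expected_domain):
    """True if hostname equals expected_domain or is a subdomain of it."""
    h = hostname.rstrip(".").lower()
    d = expected_domain.rstrip(".").lower()
    return h == d or h.endswith("." + d)


def check_reverse(ip, expected_domain, lookup=reverse_name):
    """Return (ok, detail) for the address the browser actually connected to.

    ok is True only when a reverse name exists and falls under expected_domain.
    A missing record or a name in an unrelated ___domain is reported as not ok.
    """
    try:
        name = lookup(ip)
    except (socket.herror, socket.gaierror, OSError) as exc:
        return False, f"no reverse record for {ip}: {exc}"
    if name_in_domain(name, expected_domain):
        return True, f"{ip} -> {name}"
    return False, f"{ip} -> {name} (expected a name under {expected_domain})"


# Constructed PTR table standing in for the resolver (not real addresses).
FAKE_PTR = {
    "198.51.100.10": "www.example-bank.com",
    "203.0.113.45": "host45.bad-hosting.example",
}


def fake_lookup(ip):
    """Offline substitute for reverse_name using the constructed table."""
    if ip not in FAKE_PTR:
        raise OSError(1, "Unknown host")
    return FAKE_PTR[ip]


if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.45", "192.0.2.1"):
        ok, detail = check_reverse(ip, "example-bank.com", fake_lookup)
        print("OK  " if ok else "WARN", detail)
```

To run it against a real address, call `check_reverse(ip, "your-bank.example")` without the third argument; the address to test is the one shown for the connection in your browser or by `netstat`, not the name you typed.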
 
For technologically less savvy users, it may be beneficial instead to hand over the task of detecting an attack to somebody else; a recent proposal referred to as active cookies<ref>active-cookies</ref> offers pharming detection in some instances.
 
== Instances of pharming ==
In [[January 2005]], the ___domain name for a large New York [[Internet service provider|ISP]], [[Panix]], was [[Domain hijacking|hijacked]] to point to a site in [[Australia]]. No financial losses are known.
 
<!-- This isn't pharming, it's social engineering. Pharming is a purely technological attack caused by compromising the ___domain name system. [[Communications security|Secure]] [[e-mail]] provider [[Hushmail]] was also caught by this attack on 24th of April 2005 when the attacker rang up the ___domain registrar and gained enough information to redirect users to a [[defacement (vandalism)|defaced]] web page. -->
 
==Controversy over the use of the term==
The term ''pharming'' is controversial within the field. At a conference organized by the [[Anti-Phishing Working Group]], [[Phillip Hallam-Baker]] denounced the term as "a [[marketing]] [[neologism]] designed to convince banks to buy a new set of security services." There are no known instances of pharming causing financial loss.
 
==See also==
* [[Anti-pharming]]
* [[Phishing]]
* [[DNS cache poisoning]]
* [[Mutual authentication]]
 
== References ==
#{{note|mal-router}}{{cite news | url=http://www.cs.indiana.edu/~atsow/mal-router
| title=Can You Trust a Wireless Router?
| date=February 24, 2006
| publisher=Indiana University Bloomington}}
#{{note|active-cookies}}{{cite news | url=http://www.ravenwhite.com/whitepapers.html
| author=A. Juels and M. Jakobsson and S. Stamm
| title=Active Cookies for Browser Authentication}}
 
* {{cite news | url=http://www.windowsitpro.com/Article/ArticleID/46789/46789.html?Ad=1
| title=Security: Phishing and Pharming
| date=June 22, 2005
| publisher=Windows IT Pro Magazine}}
* {{cite news | url=http://www.csoonline.com/talkback/071905.html
| title=How Can We Stop Phishing and Pharming Scams?
| date=July 20, 2005
| publisher=CSO Magazine}}
 
==External links==
*[http://reviews.zdnet.co.uk/software/internet/0,39024165,39188617,00.htm ZDNet article: "Alarm over 'Pharming' Attacks"]
*[http://www.wired.com/news/infostructure/0,1377,66853,00.html Wired News: Pharming Out-Scams Phishing]
*[http://www.networkworld.com/columnists/2005/062705edit.html Network World Article on New Anti-Pharming Technology]
*[http://www.eweek.com/article2/0,1759,1791152,00.asp eWeek article on the Hushmail.com DNS pharming attack]
*[http://www.pharming.org pharming.org: Describes current state of the art in solutions to the pharming problem, and also has a list of sites that are and are not Pharming Conscious (PhC)]
*[http://www.csoonline.com/read/100105/pharm.html After Phishing? Pharming!]
 
[[Category:Malware]]
[[Category:Security exploits]]
 
[[de:Pharming]]
[[es:Pharming]]
[[gl:Pharming]]
[[it:Pharming]]
[[nl:Pharming (internet)]]
[[ja:ファーミング]]
[[nn:Pharming]]
[[pl:Pharming]]